feat: enhance CI and smoke testing with checksum verification and modular job structure

[amichne]

This pull request refactors the CI workflow to improve build and test separation, artifact handling, and platform coverage. It introduces a portable distribution artifact, splits jobs for better clarity and caching, and enhances smoke testing for the CLI. Additionally, it updates the installer metadata to include a SHA256 digest and improves CLI smoke tests to verify file edits after applying refactors.

CI Workflow Refactoring and Artifact Handling:

• The main build job is renamed to build-and-test, with improved separation between building/testing the main project, the IntelliJ plugin, and CLI smoke tests. The workflow now builds a portable distribution artifact for use in downstream jobs, and replaces graalvm/setup-graalvm with actions/setup-java using the Temurin distribution. [1] [2] [3]
• Adds a new job test-intellij-plugin for building and verifying the IntelliJ plugin, and splits smoke testing into a separate smoke-kast-cli job for both Ubuntu and macOS runners, improving platform coverage and job clarity.
• Updates the eval-agent-routing job to depend on the new smoke-kast-cli job and uses the portable distribution artifact, ensuring the correct binary is tested. [1] [2]

Installer and Metadata Improvements:

• The installer script now computes and embeds a SHA256 digest of the asset into the release metadata, improving traceability and security of distributed artifacts.

CLI Smoke Test Enhancements:

• The CLI smoke test script is extended to build and apply a refactor edits request, then verifies that the expected changes are present in the source files after applying the edits, providing stronger validation of the CLI's refactoring capabilities.

Summary by CodeRabbit

• Tests

  • CLI smoke tests now apply and verify refactor operations end-to-end.
  • Improved installer checksum verification in smoke testing.

• Chores

  • Reorganized CI into targeted build, plugin test, and smoke stages for better coverage.
  • CI now respects externally provided runtime binary when running evals.

• Documentation

  • Added roadmap-style doc describing proposed higher-level shell workflows and limitations.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes update CI and smoke tooling: add SHA-256 digest to installer metadata, expand CLI smoke tests to apply and verify edits in workspace files, refactor the GitHub Actions workflow into multi-job stages with artifact handling and Java toolchain changes, and add related docs and test adjustments.

Changes

Cohort / File(s)	Summary
Installer Metadata .github/scripts/smoke-installer.sh	Compute SHA-256 of the portable ZIP and populate assets[0].digest in the generated release.json as sha256:<digest>.
CLI Smoke / Apply-Edits .github/scripts/smoke-kast-cli.sh	Builds an ApplyEditsQuery payload, writes apply-edits-request.json, runs kast apply-edits, parses apply-edits.json, asserts edits applied, and verifies source changes in Greeter.kt, Use.kt, and SecondaryUse.kt.
CI Workflow .github/workflows/ci.yml	Replace single cli-smoke job with build-and-test, test-intellij-plugin, and smoke-kast-cli jobs; upload OS-scoped artifacts; update eval-agent-routing to depend on smoke-kast-cli; switch Java setup from GraalVM action to actions/setup-java (Temurin Java 21).
Docs / RFC .agents/wiki/sources/whats-missing.md, response.md	Add a new design doc proposing compound JSON-RPC workflows and a workspace/files endpoint; add response.md with CI & smoke review and recommendations.
Tests (backend-standalone) backend-standalone/src/test/kotlin/.../CacheManagerTest.kt	Make tests resilient to missing cache files by conditional reads, introduce shared debounceDelayMillis, and assert observed payloads include both old and new values.
Eval harness evals/harness/run-evals.sh	Allow KAST_BIN to be overridden externally by honoring existing KAST_BIN env var before defaulting to the repo build path.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Poem

🐰 I found a zip and counted bits of gold,
I chased some edits till the stories told,
Jobs split and shuffled, artifacts in line,
Java swapped its hat — the pipeline's fine,
Hop, nibble, ship — the CI carrots shine!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: enhancing CI/smoke testing with checksum verification and modular job structure, which aligns with the primary modifications across workflow, installer, and test scripts.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/robust-ci-addition

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/scripts/smoke-installer.sh:
- Around line 85-100: Add a negative tamper test to the smoke-installer
workflow: after computing the real digest (variable digest) and building
payload, create a second test case that either corrupts the asset (modify
asset_path bytes) or sets a bogus digest (e.g., tampered_digest) in the payload,
then run the installer (install.sh) against that tampered metadata and assert it
fails and does not create the target install tree; specifically, reuse
metadata_path and asset_path variables but produce a payload where
"assets[0].digest" is the wrong sha256 and verify install.sh exits non‑zero and
the target install directory is absent before exiting.

In @.github/workflows/ci.yml:
- Around line 40-47: The CI job "Test and build portable distribution" dropped
running the kast CLI unit tests; update the build-and-test step to include the
Gradle task :kast-cli:test in the multi-line run block so the CLI module tests
execute (i.e., alongside :kast:test, :kast:portableDistZip, etc., add
:kast-cli:test) to ensure module-level CLI regressions are caught.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9544d03c-6016-42d6-8f0b-38285c256190

📥 Commits

Reviewing files that changed from the base of the PR and between a70c501 and eea3c82.

📒 Files selected for processing (3)

• .github/scripts/smoke-installer.sh
• .github/scripts/smoke-kast-cli.sh
• .github/workflows/ci.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

This still doesn't prove checksum enforcement.

The digest is computed from the same ZIP the installer later consumes, so this path stays green even if install.sh ignores assets[0].digest completely. Please add a negative case that tampers with the digest or asset and asserts the install fails before creating the target install tree.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/scripts/smoke-installer.sh around lines 85 - 100, Add a negative
tamper test to the smoke-installer workflow: after computing the real digest
(variable digest) and building payload, create a second test case that either
corrupts the asset (modify asset_path bytes) or sets a bogus digest (e.g.,
tampered_digest) in the payload, then run the installer (install.sh) against
that tampered metadata and assert it fails and does not create the target
install tree; specifically, reuse metadata_path and asset_path variables but
produce a payload where "assets[0].digest" is the wrong sha256 and verify
install.sh exits non‑zero and the target install directory is absent before
exiting.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

evals/harness/run-evals.sh (1)

264-269: ⚠️ Potential issue | 🟡 Minor

Fail fast when an explicit KAST_BIN override is invalid.

On Line 264, an invalid overridden KAST_BIN still triggers a local build but keeps using the bad path. Prefer distinguishing an explicit override from default fallback and erroring early for a bad override.

Proposed hardening

-KAST_BIN="${KAST_BIN:-$REPO_ROOT/kast/build/install/kast/bin/kast}"
-if [[ ! -x "$KAST_BIN" ]]; then
+DEFAULT_KAST_BIN="$REPO_ROOT/kast/build/install/kast/bin/kast"
+KAST_BIN="${KAST_BIN:-$DEFAULT_KAST_BIN}"
+if [[ ! -x "$KAST_BIN" ]]; then
+  if [[ "$KAST_BIN" != "$DEFAULT_KAST_BIN" ]]; then
+    die "KAST_BIN override is not executable: $KAST_BIN"
+  fi
   log_step "Building kast (installDist)…"
   (cd "$REPO_ROOT" && ./gradlew :kast:installDist --no-daemon --quiet) || die "kast build failed"
+  KAST_BIN="$DEFAULT_KAST_BIN"
+  [[ -x "$KAST_BIN" ]] || die "kast binary not found after build: $KAST_BIN"
   log_success "kast built"
 fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@evals/harness/run-evals.sh` around lines 264 - 269, The script currently
treats an invalid KAST_BIN the same whether it was explicitly overridden or
defaulted; change the logic in the block that checks KAST_BIN so that if the
environment variable KAST_BIN was explicitly set (detect via test -n
"${KAST_BIN+x}" or comparing to the default computed from REPO_ROOT) and the
path is not executable, immediately die with a clear error via die "..." instead
of attempting to build; only attempt the local build (cd "$REPO_ROOT" &&
./gradlew :kast:installDist ...) when KAST_BIN was not explicitly provided and
the default path "$REPO_ROOT/kast/build/install/kast/bin/kast" is
missing/unexecutable, preserving log_step/log_success behavior for the build
case.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/wiki/sources/whats-missing.md:
- Line 18: The markdown row for `imports/optimize` contains unresolved fragment
links like `(`#4-cite-0`)` (and other `#4-cite-*` anchors referenced elsewhere) so
fix by either adding matching anchor targets in the document (e.g., HTML anchor
IDs or markdown headings matching `4-cite-0`, `4-cite-1`, etc.) or replacing
each `[4-cite-X](`#4-cite-X`)` reference with a valid existing link or citation
reference; update all occurrences of the `#4-cite-*` fragments (including the
other reported instances) to ensure each link points to a defined anchor or a
correct external/internal URL and verify navigation works for `imports/optimize`
and related table entries.
- Line 18: The table row "| `imports/optimize` | Clean up imports after edits |
Edit plan for unused/missing imports | [4-cite-0](`#4-cite-0`)" has four cells
while the header defines three; edit the row so it has exactly three cells by
moving the citation out of the row or merging it into one cell (e.g., "|
`imports/optimize` | Clean up imports after edits | Edit plan for unused/missing
imports [4-cite-0](`#4-cite-0`) |"), ensuring the table header and all rows have
the same number of pipe-separated columns.

In `@response.md`:
- Around line 69-78: The markdown has unlabeled fenced code blocks (triggering
MD040) — change the opening fences for the two blocks shown: the block that
starts with ":analysis-api:test" and the ASCII graph block that starts with "┌─
test-analysis-api" to include a language identifier (e.g., replace ``` with
```text) so both fenced blocks are labeled and satisfy markdownlint; update both
occurrences referenced in response.md.
- Around line 1-119: response.md appears to be an accidental ad-hoc review
artifact and should be removed or relocated into durable documentation; either
delete response.md from the repo or convert it into a scoped, versioned
RFC/design doc under a proper docs or rfcs directory (e.g., MOVE content to
docs/architecture/kast-smoke-rfc.md), give it a clear title, summary, and
actionable sections, and update any references (CI job names like ci.yml,
release.yml and module names kast, kast-cli, backend-standalone, analysis-api)
to be concise and maintainable so it doesn't become stale in-tree.

---

Outside diff comments:
In `@evals/harness/run-evals.sh`:
- Around line 264-269: The script currently treats an invalid KAST_BIN the same
whether it was explicitly overridden or defaulted; change the logic in the block
that checks KAST_BIN so that if the environment variable KAST_BIN was explicitly
set (detect via test -n "${KAST_BIN+x}" or comparing to the default computed
from REPO_ROOT) and the path is not executable, immediately die with a clear
error via die "..." instead of attempting to build; only attempt the local build
(cd "$REPO_ROOT" && ./gradlew :kast:installDist ...) when KAST_BIN was not
explicitly provided and the default path
"$REPO_ROOT/kast/build/install/kast/bin/kast" is missing/unexecutable,
preserving log_step/log_success behavior for the build case.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 47e24662-0a2e-42cf-b844-283c275891e1

📥 Commits

Reviewing files that changed from the base of the PR and between eea3c82 and 89b449e.

📒 Files selected for processing (5)

• .agents/wiki/sources/whats-missing.md
• .github/workflows/ci.yml
• backend-standalone/src/test/kotlin/io/github/amichne/kast/standalone/CacheManagerTest.kt
• evals/harness/run-evals.sh
• response.md

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/ci.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Repair broken citation fragment links.

These (#4-cite-*) anchors don’t resolve in this file, so readers can’t navigate to evidence references. Define matching anchors in the document or replace with valid links.

Also applies to: 67-67, 71-71, 107-107, 110-110, 111-111, 159-159, 161-161, 165-165, 167-167, 220-220, 222-222

🧰 Tools

🪛 markdownlint-cli2 (0.22.0)

[warning] 18-18: Link fragments should be valid

(MD051, link-fragments)

---

[warning] 18-18: Table pipe style
Expected: leading_and_trailing; Actual: leading_only; Missing trailing pipe

(MD055, table-pipe-style)

---

[warning] 18-18: Table column count
Expected: 3; Actual: 4; Too many cells, extra data will be missing

(MD056, table-column-count)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/wiki/sources/whats-missing.md at line 18, The markdown row for
`imports/optimize` contains unresolved fragment links like `(`#4-cite-0`)` (and
other `#4-cite-*` anchors referenced elsewhere) so fix by either adding matching
anchor targets in the document (e.g., HTML anchor IDs or markdown headings
matching `4-cite-0`, `4-cite-1`, etc.) or replacing each `[4-cite-X](`#4-cite-X`)`
reference with a valid existing link or citation reference; update all
occurrences of the `#4-cite-*` fragments (including the other reported
instances) to ensure each link points to a defined anchor or a correct
external/internal URL and verify navigation works for `imports/optimize` and
related table entries.

---

⚠️ Potential issue | 🟡 Minor

Fix malformed table row on Line 18.

The row has 4 cells while the header defines 3 columns, so markdown renderers/lints will drop or misplace content. Keep the citation outside the table row (or move it into one of the 3 cells).

🧰 Tools

🪛 markdownlint-cli2 (0.22.0)

[warning] 18-18: Link fragments should be valid

(MD051, link-fragments)

---

[warning] 18-18: Table pipe style
Expected: leading_and_trailing; Actual: leading_only; Missing trailing pipe

(MD055, table-pipe-style)

---

[warning] 18-18: Table column count
Expected: 3; Actual: 4; Too many cells, extra data will be missing

(MD056, table-column-count)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/wiki/sources/whats-missing.md at line 18, The table row "|
`imports/optimize` | Clean up imports after edits | Edit plan for unused/missing
imports | [4-cite-0](`#4-cite-0`)" has four cells while the header defines three;
edit the row so it has exactly three cells by moving the citation out of the row
or merging it into one cell (e.g., "| `imports/optimize` | Clean up imports
after edits | Edit plan for unused/missing imports [4-cite-0](`#4-cite-0`) |"),
ensuring the table header and all rows have the same number of pipe-separated
columns.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

This file looks like an accidental review artifact, not durable repo documentation.

The content is written as an ad-hoc conversational review and is likely to go stale quickly in-tree. Recommend removing it from the repo (or replacing it with a scoped, objective design/RFC doc if that was the intent).

🧰 Tools

🪛 markdownlint-cli2 (0.22.0)

[warning] 69-69: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

[warning] 82-82: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@response.md` around lines 1 - 119, response.md appears to be an accidental
ad-hoc review artifact and should be removed or relocated into durable
documentation; either delete response.md from the repo or convert it into a
scoped, versioned RFC/design doc under a proper docs or rfcs directory (e.g.,
MOVE content to docs/architecture/kast-smoke-rfc.md), give it a clear title,
summary, and actionable sections, and update any references (CI job names like
ci.yml, release.yml and module names kast, kast-cli, backend-standalone,
analysis-api) to be concise and maintainable so it doesn't become stale in-tree.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add language identifiers to fenced code blocks to satisfy markdownlint.

Line 69 and Line 82 use unlabeled fenced blocks, which triggers MD040.

Proposed markdownlint fix

-```
+```text
 :analysis-api:test
 :analysis-server:test
 :backend-standalone:test
 :backend-intellij:test
 :backend-intellij:buildPlugin
 :backend-intellij:verifyPluginStructure
 :kast:test
 :kast:portableDistZip

@@
- +text
┌─ test-analysis-api ─────────┐
│ ├─> smoke-kast-cli
├─ test-analysis-server ──────┤
│ │
├─ build-intellij-plugin ─────┘

└─ eval-agent-routing (needs: smoke-kast-cli)

Also applies to: 82-90

🧰 Tools

🪛 markdownlint-cli2 (0.22.0)

[warning] 69-69: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@response.md` around lines 69 - 78, The markdown has unlabeled fenced code
blocks (triggering MD040) — change the opening fences for the two blocks shown:
the block that starts with ":analysis-api:test" and the ASCII graph block that
starts with "┌─ test-analysis-api" to include a language identifier (e.g.,
replace ``` with ```text) so both fenced blocks are labeled and satisfy
markdownlint; update both occurrences referenced in response.md.

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 7 additional findings in Devin Review.

[devin-ai-integration]

🔴 JVM-only build breaks smoke-installer.sh: installer expects native binary absent from distribution

The CI build step now uses -PjvmOnly (line 42), which produces a portable distribution without bin/kast (the native binary is only included when jvmOnly property is absent — see kast/build.gradle.kts:87-92). However, the downstream "Smoke installer" step (line 136) runs smoke-installer.sh, which invokes install.sh without --jvm-only. Since install.sh defaults jvm_only="false" (install.sh:424), it checks [[ -f "${release_dir}/bin/kast" ]] at install.sh:653 and dies with "Installed archive did not contain the kast native binary". Even if that check were bypassed, smoke-installer.sh:125 independently asserts [[ -x "${installed_root}/bin/kast" ]]. Both checks fail because the JVM-only zip never contains bin/kast.

The two failing assertions

install.sh:652-653 (reached first):

if [[ "$jvm_only" != "true" ]]; then
  [[ -f "${release_dir}/bin/kast" ]] || die "Installed archive did not contain the kast native binary"

smoke-installer.sh:125 (would also fail):

[[ -x "${installed_root}/bin/kast" ]] || die "Installed kast native binary is missing from ${installed_root}/bin"

Prompt for agents

The build step uses -PjvmOnly to skip native compilation (since GraalVM was replaced with Temurin), but the smoke-installer.sh test still expects a non-JVM-only distribution. There are two places that need fixing:

1. smoke-installer.sh line 117: The /bin/bash -c invocation of install.sh needs --jvm-only appended, e.g.: /bin/bash -c "$installer_content" -- --jvm-only

2. smoke-installer.sh line 125: The assertion [[ -x "${installed_root}/bin/kast" ]] needs to be removed or made conditional on whether the distribution is JVM-only.

Alternatively, if the intent is to test the full native path in CI, revert to GraalVM setup and remove -PjvmOnly. But given the deliberate switch to Temurin, the smoke-installer.sh should be updated to match the JVM-only distribution.

---

Was this helpful? React with 👍 or 👎 to provide feedback.