Skip to content

fix(ci): unblock deployment boot smoke and pace eval canary#437

Merged
BigSimmo merged 5 commits into
mainfrom
cursor/fix-ci-boot-smoke-and-eval-canary-57ce
Jul 9, 2026
Merged

fix(ci): unblock deployment boot smoke and pace eval canary#437
BigSimmo merged 5 commits into
mainfrom
cursor/fix-ci-boot-smoke-and-eval-canary-57ce

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

Fixes two standing CI/observability failures on main:

  1. Deployment boot smokeverify fails when RAG_QUERY_HASH_SECRET is not configured as a GitHub secret (fix(ci): require RAG_QUERY_HASH_SECRET for deployment boot smoke #429 required it upfront). Boot smoke only needs to prove production next start + /api/local-project-id; restore a CI-safe placeholder (min 16 chars) while still using the real secret when provided.

  2. Eval Canary — nightly golden retrieval fails on the first forceEmbedding probe (vector-ptsd) after ~22 text-fast-path cases due to OpenAI rate limits / quota exhaustion. Add configurable inter-case pacing and longer provider backoff in the canary workflow.

Changes

  • scripts/deployment-boot-smoke.mjs — drop hash secret from required preflight env; pass placeholder to spawned next start
  • .github/workflows/ci.yml — document optional hash secret override
  • scripts/eval-utils.ts / scripts/eval-retrieval.tspauseBetweenEvalCases() with RAG_EVAL_CASE_DELAY_MS + RAG_EVAL_FORCE_EMBEDDING_DELAY_MS
  • .github/workflows/eval-canary.yml — set pacing/backoff env for nightly runs
  • docs/observability-slos.md — note canary pacing

Verification

  • npm run verify:cheap
  • npm run test -- tests/eval-utils.test.ts
  • npm run check:deployment-readiness (needs clean build without dev server; env preflight confirmed without RAG_QUERY_HASH_SECRET)
  • Eval Canary workflow_dispatch after merge (cannot trigger from agent)

Clinical Governance Preflight

Not applicable — CI/observability plumbing only; no clinical output or retrieval logic changes.

Open in Web Open in Cursor 

- Restore CI-safe RAG_QUERY_HASH_SECRET placeholder in deployment boot smoke
  so verify passes without a dedicated repo secret; real secret still used when set.
- Pace golden retrieval in eval canary with inter-case and force-embedding delays
  plus longer provider backoff to avoid OpenAI 429/quota exhaustion on vector probes.
- Document canary pacing in observability SLOs.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
@supabase

supabase Bot commented Jul 9, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds env-driven pacing for eval runs, pauses between retrieval cases, updates eval-canary workflow env vars, adjusts one UI navigation wait, adds tests, and documents the pacing settings.

Changes

Eval Pacing and Retry Configuration

Layer / File(s) Summary
Delay helper functions and tests
scripts/eval-utils.ts, tests/eval-utils.test.ts
New exported functions compute case and embedding delays from env vars and pause between eval cases; a new test validates timing behavior.
Retrieval eval loop integration
scripts/eval-retrieval.ts
The golden case loop now awaits a pause before each case and passes case index plus embedding state into the pacing helper.
Workflow env vars and documentation
.github/workflows/eval-canary.yml, docs/observability-slos.md
The eval-canary workflow adds pacing and provider retry/backoff env vars, and the observability docs describe the new forced-vector case delays.
Universal search navigation wait
tests/ui-universal-search.spec.ts
openComposer now waits for domcontentloaded when navigating to documents mode.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant eval-retrieval.ts
  participant pauseBetweenEvalCases
  participant sleep
  eval-retrieval.ts->>pauseBetweenEvalCases: { caseIndex, forceEmbedding }
  pauseBetweenEvalCases->>sleep: await computed delay
Loading
🚥 Pre-merge checks | ✅ 4 | ❌ 7

❌ Failed checks (1 warning, 6 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 70.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Generated And Sensitive Files ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Verification Claims ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Risky Git Or Deployment Actions ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Supabase Project And Schema Safety ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Runtime And Package Manager Integrity ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Api Route Failure Handling ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main CI change: unblocking deployment boot smoke and pacing the eval canary.
Description check ✅ Passed The description is on-topic and matches the PR’s CI and observability changes.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cursor/fix-ci-boot-smoke-and-eval-canary-57ce
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch cursor/fix-ci-boot-smoke-and-eval-canary-57ce

Comment @coderabbitai help to get the list of available commands.

@BigSimmo
BigSimmo marked this pull request as ready for review July 9, 2026 08:26

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 22bf2ed61e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/deployment-boot-smoke.mjs Outdated
Comment thread scripts/eval-retrieval.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (3)
docs/observability-slos.md (1)

160-163: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider documenting the provider retry/backoff env vars too.

This section covers the case/embedding delay vars but omits RAG_EVAL_PROVIDER_RETRY_ATTEMPTS, RAG_EVAL_PROVIDER_RETRY_INITIAL_MS, and RAG_EVAL_PROVIDER_RETRY_MAX_MS added in the same workflow change, which are also part of the rate-limit mitigation described in the PR objectives.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/observability-slos.md` around lines 160 - 163, Update the observability
SLOs documentation to also mention the provider retry/backoff environment
variables alongside the existing delay settings. In the section describing the
nightly rate-limit mitigation, add references to
RAG_EVAL_PROVIDER_RETRY_ATTEMPTS, RAG_EVAL_PROVIDER_RETRY_INITIAL_MS, and
RAG_EVAL_PROVIDER_RETRY_MAX_MS so the docs match the workflow behavior; keep the
wording consistent with the surrounding text in docs/observability-slos.md.
.github/workflows/eval-canary.yml (1)

41-47: 🧹 Nitpick | 🔵 Trivial

Verify job timeout accommodates the new worst-case retry/backoff duration.

Baseline pacing (~2s/case × ~34 cases) plus a worst-case 6-attempt backoff (8s→16s→32s→64s→120s→120s ≈ 6 min per exhausted case) could push total runtime well past prior expectations. Confirm the job's timeout-minutes (if set) leaves adequate headroom, otherwise this fix could trade a rate-limit failure for a timeout failure.

#!/bin/bash
rg -n "timeout-minutes" .github/workflows/eval-canary.yml
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/eval-canary.yml around lines 41 - 47, The eval-canary
workflow pacing changes can increase total runtime beyond the current job
budget. Review the workflow’s timeout setting in eval-canary.yml, especially the
job that uses RAG_EVAL_CASE_DELAY_MS and the RAG_EVAL_PROVIDER_RETRY_* settings,
and raise timeout-minutes if needed so the worst-case retry/backoff plus
baseline case delay still has enough headroom. Keep the existing retry/backoff
configuration intact; only adjust the job timeout if it is too low.
tests/eval-utils.test.ts (1)

102-110: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Tight real-timer margins risk CI flakiness.

The test measures a real ~30ms sleep and asserts <40ms total — only a 10ms margin including test-runner overhead. Under CI load or Node timer jitter, this could intermittently flake. Consider using vi.useFakeTimers() + vi.advanceTimersByTimeAsync() to make the assertion deterministic instead of relying on wall-clock timing.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/eval-utils.test.ts` around lines 102 - 110, The pauseBetweenEvalCases
timing test is relying on real wall-clock delays and has too little margin for
CI jitter. Update the test to use vi.useFakeTimers() and drive the waits with
vi.advanceTimersByTimeAsync() so the assertions around the pause behavior are
deterministic. Keep the coverage in eval-utils.test.ts focused on
pauseBetweenEvalCases and its delay env vars, but remove dependence on
Date.now() for elapsed-time checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/deployment-boot-smoke.mjs`:
- Around line 124-130: The RAG query hash secret fallback in the smoke test env
setup still uses nullish coalescing, so an empty string from GitHub Actions will
bypass the placeholder and leave the secret invalid. Update the
`RAG_QUERY_HASH_SECRET` assignment in `deployment-boot-smoke.mjs` to use a
falsy/trimmed check instead of `??`, matching the existing placeholder behavior
for the `SUPABASE_SERVICE_ROLE_KEY` and `OPENAI_API_KEY` entries.

In `@tests/eval-utils.test.ts`:
- Around line 103-104: The test that stubs RAG_EVAL_CASE_DELAY_MS and
RAG_EVAL_FORCE_EMBEDDING_DELAY_MS needs explicit cleanup so those env overrides
do not leak into other tests. Update the relevant test in eval-utils.test.ts to
restore stubbed env vars after it runs by calling vi.unstubAllEnvs() in the test
teardown path, or add equivalent beforeEach/afterEach cleanup around the
affected test block.

---

Nitpick comments:
In @.github/workflows/eval-canary.yml:
- Around line 41-47: The eval-canary workflow pacing changes can increase total
runtime beyond the current job budget. Review the workflow’s timeout setting in
eval-canary.yml, especially the job that uses RAG_EVAL_CASE_DELAY_MS and the
RAG_EVAL_PROVIDER_RETRY_* settings, and raise timeout-minutes if needed so the
worst-case retry/backoff plus baseline case delay still has enough headroom.
Keep the existing retry/backoff configuration intact; only adjust the job
timeout if it is too low.

In `@docs/observability-slos.md`:
- Around line 160-163: Update the observability SLOs documentation to also
mention the provider retry/backoff environment variables alongside the existing
delay settings. In the section describing the nightly rate-limit mitigation, add
references to RAG_EVAL_PROVIDER_RETRY_ATTEMPTS,
RAG_EVAL_PROVIDER_RETRY_INITIAL_MS, and RAG_EVAL_PROVIDER_RETRY_MAX_MS so the
docs match the workflow behavior; keep the wording consistent with the
surrounding text in docs/observability-slos.md.

In `@tests/eval-utils.test.ts`:
- Around line 102-110: The pauseBetweenEvalCases timing test is relying on real
wall-clock delays and has too little margin for CI jitter. Update the test to
use vi.useFakeTimers() and drive the waits with vi.advanceTimersByTimeAsync() so
the assertions around the pause behavior are deterministic. Keep the coverage in
eval-utils.test.ts focused on pauseBetweenEvalCases and its delay env vars, but
remove dependence on Date.now() for elapsed-time checks.
🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 795677bc-c6d7-47fb-b2d9-341d2cd7e06e

📥 Commits

Reviewing files that changed from the base of the PR and between 161cab9 and 22bf2ed.

📒 Files selected for processing (7)
  • .github/workflows/ci.yml
  • .github/workflows/eval-canary.yml
  • docs/observability-slos.md
  • scripts/deployment-boot-smoke.mjs
  • scripts/eval-retrieval.ts
  • scripts/eval-utils.ts
  • tests/eval-utils.test.ts

Comment thread scripts/deployment-boot-smoke.mjs
Comment thread tests/eval-utils.test.ts Outdated
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

❌ Failed to clone repository into sandbox. Please try again.

@BigSimmo
BigSimmo enabled auto-merge (squash) July 9, 2026 08:33

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3f5343d7ec

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread tests/eval-utils.test.ts Outdated
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

⚠️ Branch updated during autofix.

The branch was updated while autofix was in progress. Please try again.

cursoragent and others added 2 commits July 9, 2026 08:42
Restore RAG_QUERY_HASH_SECRET to deployment boot smoke required env so
main/release CI validates the real repository secret instead of injecting
a placeholder. Apply CLI --force-embedding pacing in eval-retrieval and fix
Prettier formatting on the eval-utils import block.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
Use vi.useFakeTimers for deterministic delay assertions and unstub env
overrides in teardown so RAG_EVAL_* delay settings do not leak across tests.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Autofix skipped. No unresolved CodeRabbit review comments with fix instructions found.

auto-merge was automatically disabled July 9, 2026 09:42

Head branch was pushed to by a user without write access

@BigSimmo
BigSimmo merged commit 4863d6c into main Jul 9, 2026
8 checks passed
@BigSimmo
BigSimmo deleted the cursor/fix-ci-boot-smoke-and-eval-canary-57ce branch July 9, 2026 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants