str4d.xyz / atproto-devtool
CLI app for developers prototyping atproto functionality
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

docs: update project context for test-oauth-client

Capture the post-merge identity-blocker-id contract in the labeler
context file. The merge of test-oauth-client introduced
`blocked_by(..., check_id)` skip rows for HTTP / subscription / crypto
"stage not run" lines, and 1f0a973 then made the blocker ID dynamic
(scanning the identity stage output for the first failing check) and
plumbed it into the report stage via
`CreateReportRunOptions::identity_blocker_id`. Document that as a Key
decision and mention the new helper in the pipeline.rs file blurb.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Jack Grigg 4220dcf7 fe8b404a

+22 -2
+22 -2
src/commands/test/labeler/CLAUDE.md
··· 1 1 # test labeler 2 2 3 - Last verified: 2026-04-21 3 + Last verified: 2026-04-26 4 4 5 5 ## Purpose 6 6 ··· 137 137 stage still emit `Skipped` rows with a reason. When a 138 138 whole stage is blocked upstream, the pipeline emits one 139 139 `<stage>::not_run` row per downstream stage with a reason string. 140 + - **Downstream "blocked by" rows name the actual failing identity check**: 141 + when identity fails to populate `IdentityFacts`, the pipeline scans 142 + `identity_output.results` for the first `SpecViolation` / `NetworkError` 143 + row and uses *that* check's ID (e.g. `identity::signing_key_present`, 144 + `identity::labeler_record_fetched`, `identity::labeler_endpoint_is_https`) 145 + as the blocker for every downstream `<stage>::not_run` row and for the 146 + 10 `report::*` Skipped rows. Hardcoding `identity::target_resolved` as 147 + the blocker — the previous behavior — misattributed blocks to a check 148 + that visibly passed in the same report whenever a later identity check 149 + was the real gate. The `LabelerTarget::Endpoint { did: None }` path 150 + (no DID supplied) is the one case where no identity check actually 151 + failed, so downstream stages fall back to non-attributed 152 + "blocked by identity stage" / `identity::target_resolved` phrasing in 153 + that branch via `identity_blocker_id = None`. The blocker ID is 154 + computed once in `pipeline::run_pipeline` and threaded into the report 155 + stage through `CreateReportRunOptions::identity_blocker_id`. 140 156 - **Identity facts gate downstream stages**: HTTP and crypto stages only 141 157 run when identity populated `IdentityFacts`. Subscription can run from 142 158 an explicit endpoint URL without identity (the ··· 232 248 `self_mint_curve`, `report_subject_override`, `self_mint_signer`, 233 249 `pds_credentials`, `pds_xrpc_client` / `pds_xrpc_client_override`, 234 250 `run_id`), `CreateReportTeeKind`, `PdsCredentials`, `parse_target`, 235 - `run_pipeline` orchestration. 251 + `run_pipeline` orchestration. Also owns the 252 + `identity_blocker_check_id` helper that scans the identity stage 253 + output for the first failing check and threads its ID into the 254 + HTTP / subscription / crypto `<stage>::not_run` rows and into 255 + `CreateReportRunOptions::identity_blocker_id`. 236 256 - `identity.rs` — identity stage: DID resolution, labeler record fetch 237 257 (through `atrium-api` types over the `HttpClient` seam), policy 238 258 validation. `IdentityFacts` now also carries