[Schema Consistency] Schema Consistency Check - 2026-04-08

[github-actions[bot]]

Summary

• Inconsistencies Found: 4 new constraint-validation gaps + 6 persistent findings
• Categories Analyzed: Schema constraints, Parser/compiler enforcement, Documentation, Workflows
• Strategy Used: New — "Schema Constraint Validation Gap Check" (day-of-year 98 mod 10 = 8 → new approach)
• Focus: Fields with JSON Schema minimum/maximum/minLength/maxLength/pattern constraints that are accepted by the schema validator but silently bypassed by the Go parser/compiler

---

Critical Issues — Schema Constraint Enforcement Gaps

These fields have numeric or length bounds in main_workflow_schema.json that are not enforced in the Go parser/compiler. A valid-schema workflow is rejected; an invalid-value workflow compiles and runs.

View Constraint Gaps (4 issues)

1. rate-limit.max — Upper Bound Not Enforced

Schema (main_workflow_schema.json): minimum: 1, maximum: 10
Go (pkg/workflow/role_checks.go:56): if data.RateLimit.Max > 0 { max = data.RateLimit.Max } — only checks > 0

A user writing max: 11 or max: 100 compiles successfully and executes, even though the schema caps it at 10. The minimum (1) is also not explicitly enforced — max: 0 silently falls back to DefaultRateLimitMax = 5 rather than returning an error.

2. rate-limit.window — Both Bounds Not Enforced

Schema: minimum: 1, maximum: 180
Go (pkg/workflow/role_checks.go:63): if data.RateLimit.Window > 0 { window = data.RateLimit.Window } — no upper-bound check

• window: 0 → silently uses default 60 instead of erroring (min violation)
• window: 999 → accepted and used as-is (max violation)

3. safe-outputs.max-patch-size — Upper Bound Not Enforced

Schema: minimum: 1, maximum: 10240, default: 1024
Go (pkg/workflow/safe_outputs_config.go:408-430): validates >= 1 (minimum) but not <= 10240 (maximum)

Setting max-patch-size: 99999 compiles and runs without warning. Only the minimum is validated.

4. tracker-id — maxLength Not Validated

Schema: minLength: 8, maxLength: 128, pattern: "^[a-zA-Z0-9_-]+$"
Go (pkg/workflow/frontmatter_extraction_metadata.go:70-103): validates minLength: 8 ✅ and character pattern ✅, but no maxLength: 128 check

A 200-character tracker-id compiles successfully and propagates to all created assets (issues, PRs, discussions) even though the schema rejects it.

---

Documentation Gaps (Persistent)

These were identified in prior runs and remain unresolved.

View Documentation Gaps (3 categories)

Constraint Descriptions Missing in Docs

docs/src/content/docs/reference/frontmatter-full.md documents rate-limit.window with "Maximum: 180 (3 hours)" in a comment (line 5935), which is good. However:

• rate-limit.max maximum of 10 is not mentioned in the docs comment (only max: 1 example is shown, no upper bound stated)
• tracker-id docs (line 38) says "at least 8 characters" but does not mention the 128-character maximum

mcp-servers Section Under-Documented

frontmatter-full.md shows mcp-servers:\n {} with no sub-fields. The schema defines two complete tool types:

• stdio_mcp_tool — fields: type, command, args, container, entrypoint, entrypointArgs, mounts, env, network, registry, version, allowed
• http_mcp_tool — fields: type, url, headers, registry, auth, allowed

Notably, the auth field for HTTP MCP servers (GitHub OIDC: auth.type: github-oidc, auth.audience) is defined in schema and implemented (pkg/types/mcp.go:MCPAuthConfig) but not documented in any reference doc.

Engine Fields in Schema Not Parsed from Frontmatter

$defs.engine_config in the schema defines fields: models, options, runtime-id, display-name, description, auth. These are not extracted by pkg/workflow/engine.go:ExtractEngineConfig(). These may be reserved for engine registry definitions rather than per-workflow frontmatter, but the schema allows them in workflow frontmatter without any handler in the compiler.

---

Persistent Findings from Prior Runs

View Persistent Issues (from strategy cache)

Issue	File	Status
create-code-scanning-alerts (plural) yaml tag in compiler_types.go:462 vs singular in schema/maps	pkg/workflow/compiler_types.go	Persistent
observability.otlp (endpoint, headers) in schema but frontmatter-full.md only shows observability: {}	docs/src/content/docs/reference/frontmatter-full.md	Persistent
keepalive-interval in sandbox.mcp schema section but missing from frontmatter-full.md	docs/src/content/docs/reference/frontmatter-full.md	Persistent
29 safe-outputs tools missing from frontmatter-full.md (actions, dispatch_repository, noop, etc.)	docs/src/content/docs/reference/frontmatter-full.md	Persistent
Feature flags cli-proxy, copilot-requests, mcp-gateway, disable-xpia-prompt not documented	docs/src/content/docs/reference/frontmatter*.md	Persistent

---

Recommendations

1. Add upper-bound validation to rate-limit.max in pkg/workflow/role_checks.go:extractRateLimitConfig() — error if max > 10 (or warn in non-strict mode, error in strict mode). Also validate max < 1 instead of silently falling back to default.

2. Add both bounds to rate-limit.window — error if window < 1 or window > 180. Currently window: 0 silently uses the default and window: 999 runs without warning.

3. Add maxLength: 128 check to extractTrackerID() in pkg/workflow/frontmatter_extraction_metadata.go — analogous to the existing minLength: 8 check at line 90.

4. Add maximum: 10240 check to max-patch-size extraction in pkg/workflow/safe_outputs_config.go — pair with the existing >= 1 check to form a complete range validation.

5. Document mcp-servers sub-fields in frontmatter-full.md — especially the auth field for HTTP MCP servers (auth.type: github-oidc, auth.audience), which is fully implemented but invisible in docs.

6. Document rate-limit.max upper bound (10) in the frontmatter-full.md rate-limit section.

---

Strategy Performance

• Strategy Used: Schema Constraint Validation Gap Check (new — day-of-year mod 10 = 8)
• Findings: 4 new actionable constraint gaps
• Effectiveness: HIGH — found enforcement gaps that could allow out-of-bounds values to propagate at runtime
• Should Reuse: YES — cache updated with this strategy and findings

---

References:

• §24117709991

Generated by Schema Consistency Checker · ● 391K · ◷

• expires on Apr 9, 2026, 4:36 AM UTC

[github-actions[bot]]

🎉 The smoke test agent has returned with a victory lap!

I ran 13 tests, built the entire gh-aw binary from scratch, navigated the web, queried GitHub APIs, analyzed code with Serena, and even left you this delightful comment.

If code quality were a sport, today's run would be a gold medal performance. 🏅

Now if you'll excuse me, I need to go write haiku about CI pipelines. 🎋

Run §24118240783

📰 BREAKING: Report filed by Smoke Copilot · ● 1.8M · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Schema Consistency Checker.

A newer discussion is available at Discussion #25427.