fix: harden release packaging and unsafe autofix paths (#1037)

chubes4 · web-flow · commit c2c6d40c0e1f · 2026-03-25T22:09:08.000-05:00
diff --git a/src/core/refactor/auto/policy.rs b/src/core/refactor/auto/policy.rs
@@ -217,6 +217,14 @@ pub fn apply_fix_policy(
         .decompose_plans
         .retain(|p| !policy.exclude.contains(&p.source_finding));
 
+    // Structural decompose writes are still too risky for unattended autofix.
+    // Keep them visible in dry-run output, but do not auto-apply them in write
+    // mode until the engine is proven safe on real branches.
+    if write {
+        summary.dropped_plan_only += result.decompose_plans.len();
+        result.decompose_plans.clear();
+    }
+
     result.total_insertions = summary.visible_insertions + summary.visible_new_files;
     summary
 }
diff --git a/src/core/refactor/auto/summary.rs b/src/core/refactor/auto/summary.rs
@@ -63,6 +63,15 @@ pub fn summarize_audit_fix_result(
         }
     }
 
+    for plan in &fix_result.decompose_plans {
+        if plan.applied {
+            files.insert(plan.file.clone());
+            let rule = format!("{:?}", plan.source_finding).to_lowercase();
+            *rule_counts.entry(rule).or_insert(0) += 1;
+            total_fixes += 1;
+        }
+    }
+
     let rules = rule_counts
         .into_iter()
         .map(|(rule, count)| RuleFixCount { rule, count })
diff --git a/src/core/refactor/plan/generate/test_gen_fixes.rs b/src/core/refactor/plan/generate/test_gen_fixes.rs
@@ -371,27 +371,23 @@ pub(crate) fn generate_test_method_fixes(
             }
         };
 
-        // If the generated test code uses Default::default() fallbacks, the
-        // type wasn't properly resolved and the test is likely meaningless.
-        // Downgrade to PlanOnly so it requires human review instead of auto-applying.
+        // Missing test-method generation is still not trustworthy enough for
+        // unattended CI autofix. Even without obvious unresolved-type fallbacks,
+        // generated methods can still drift semantically from the target source
+        // method or become invalid after branch sync.
         let has_unresolved_types =
             append_code.contains("Default::default()") || append_code.contains("::default()");
-        let safety_tier = if has_unresolved_types {
-            FixSafetyTier::PlanOnly
-        } else {
-            FixSafetyTier::Safe
-        };
 
         let insertions = vec![Insertion {
             kind: InsertionKind::MethodStub,
             finding: AuditFinding::MissingTestMethod,
-            safety_tier,
-            auto_apply: !has_unresolved_types,
-            blocked_reason: if has_unresolved_types {
-                Some("Generated test uses Default::default() fallback — types not resolved, test may be meaningless".to_string())
+            safety_tier: FixSafetyTier::PlanOnly,
+            auto_apply: false,
+            blocked_reason: Some(if has_unresolved_types {
+                "Generated test uses Default::default() fallback — types not resolved, test may be meaningless".to_string()
             } else {
-                None
-            },
+                "Generated test methods require human review before writing".to_string()
+            }),
             preflight: None,
             code: append_code,
             description: format!(
diff --git a/src/core/release/executor.rs b/src/core/release/executor.rs
@@ -9,7 +9,7 @@ use crate::extension::{self, ExtensionManifest};
 use crate::{changelog, version};
 
 use super::types::{ReleaseContext, ReleaseStepType};
-use super::utils::extract_latest_notes;
+use super::utils::{extract_latest_notes, parse_release_artifacts};
 
 pub(crate) struct ReleaseStepExecutor {
     component_id: String,
@@ -277,6 +277,7 @@ impl ReleaseStepExecutor {
 
         let exit_code = response
             .get("exit_code")
+            .or_else(|| response.get("exitCode"))
             .and_then(|v| v.as_i64())
             .unwrap_or(-1);
 
@@ -303,13 +304,13 @@ impl ReleaseStepExecutor {
             return Err(Error::internal_unexpected(detail));
         }
 
-        let artifacts: Vec<super::types::ReleaseArtifact> =
-            serde_json::from_str(stdout).map_err(|e| {
-                Error::internal_json(
-                    e.to_string(),
-                    Some(format!("Failed to parse package artifacts: {}", stdout)),
-                )
-            })?;
+        let raw_artifacts: serde_json::Value = serde_json::from_str(stdout).map_err(|e| {
+            Error::internal_json(
+                e.to_string(),
+                Some(format!("Failed to parse package artifacts: {}", stdout)),
+            )
+        })?;
+        let artifacts = parse_release_artifacts(&raw_artifacts)?;
 
         let mut context = self.context.lock().map_err(|_| {
             Error::internal_unexpected("Failed to lock release context".to_string())
diff --git a/src/core/release/workflow.rs b/src/core/release/workflow.rs
@@ -1,5 +1,6 @@
 use crate::component;
 use crate::deploy::{self, DeployConfig};
+use crate::engine::command;
 use crate::error::{Error, Result};
 use crate::git;
 
@@ -23,6 +24,10 @@ pub fn run_command(input: ReleaseCommandInput) -> Result<(ReleaseCommandResult,
         },
     )?;
 
+    if !input.dry_run {
+        ensure_release_on_default_branch(&component.local_path)?;
+    }
+
     let monorepo = git::MonorepoContext::detect(&component.local_path, &input.component_id);
     let (auto_bump_type, releasable_count) =
         match resolve_bump(&component.local_path, monorepo.as_ref())? {
@@ -288,6 +293,47 @@ fn format_tag(version: &str, monorepo: Option<&git::MonorepoContext>) -> String
     }
 }
 
+fn ensure_release_on_default_branch(local_path: &str) -> Result<()> {
+    let current_branch =
+        command::run_in_optional(local_path, "git", &["symbolic-ref", "--short", "HEAD"])
+            .ok_or_else(|| {
+                Error::validation_invalid_argument(
+                    "release",
+                    "Refusing to release from detached HEAD",
+                    None,
+                    Some(vec![
+                        "Check out the default branch before releasing".to_string()
+                    ]),
+                )
+            })?;
+
+    let default_branch = command::run_in_optional(
+        local_path,
+        "git",
+        &["symbolic-ref", "--short", "refs/remotes/origin/HEAD"],
+    )
+    .map(|value| value.trim().trim_start_matches("origin/").to_string())
+    .filter(|value| !value.is_empty())
+    .unwrap_or_else(|| "main".to_string());
+
+    if current_branch == default_branch {
+        return Ok(());
+    }
+
+    Err(Error::validation_invalid_argument(
+        "release",
+        format!(
+            "Refusing to release from non-default branch '{}' (default: '{}')",
+            current_branch, default_branch
+        ),
+        None,
+        Some(vec![
+            format!("Check out '{}' before releasing", default_branch),
+            "If you only want a preview, use --dry-run".to_string(),
+        ]),
+    ))
+}
+
 fn extract_new_version_from_plan(plan: &ReleasePlan) -> Option<String> {
     plan.steps
         .iter()
