logs.gokuls.in

• Add wiki_compound MCP tool — single-call knowledge compounding that auto-routes synthesis text to the best matching wiki page (or creates a new topic page). Uses keyword scoring, no LLM call needed.
• Replace contribute_hint strings in wiki_search/wiki_read with structured compound_suggestion objects containing tool name, args template, and source page IDs.
• Add indxr wiki compound CLI command (reads from file or stdin) for autonomous/scripted compounding.
• Extract shared scoring logic from wiki_suggest_contribution into reusable score_synthesis_against_pages and derive_topic_id helpers.

Test plan

• cargo build --features wiki — compiles clean
• cargo build (without wiki) — compiles clean
• cargo clippy --features wiki — no warnings
• cargo fmt --check — formatted
• cargo test --features wiki — all 420 tests pass (413 unit + 7 integration)
• Manual: start MCP server, verify wiki_compound in tools/list
• Manual: compound to existing page, verify content appended
• Manual: compound with no match, verify new topic page created
• Manual: echo "test" | indxr wiki compound - --source-pages architecture

Transforms the wiki from a manually-triggered feature into a self-maintaining knowledge system that compounds automatically.

• Contradiction tracking: Structured Contradiction type in page frontmatter, parsed from LLM update responses via <!-- CONTRADICTIONS --> blocks. Surfaced in wiki_status, wiki_read, wiki_search. Resolvable via wiki_contribute.
• Auto-contribute hints: wiki_search and wiki_read responses include contribution hints when touching multiple pages. New wiki_suggest_contribution tool suggests where to file synthesis (keyword matching, no LLM call).
• New page detection: update_affected now detects uncovered changed files and uses incremental LLM planning to assign them to existing pages or create new ones (capped at 3 per update).
• Auto-update on watch: serve --watch --wiki-auto-update triggers background wiki updates after file changes with a separate 30s debounce. Uses AtomicBool concurrency guard and a background tokio runtime. New McpServerConfig struct replaces the growing param list.

All changes are backward compatible (serde(default) on new fields), feature-gated behind #[cfg(feature = "wiki")], and pass all 413 tests.

Test plan

• cargo build --features wiki compiles
• cargo build (no wiki feature) compiles
• cargo test --features wiki — 406 unit + 7 integration tests pass
• cargo test — 358 tests pass (no wiki)
• cargo clippy --features wiki — clean
• cargo clippy — clean
• cargo fmt --check — clean
• Backward compat: existing wiki pages without contradictions field deserialize with empty Vec
• Manual: indxr serve --watch --wiki-auto-update --wiki-exec <mock> — verify wiki updates after file change
• Manual: generate wiki, add new source file, run wiki update — verify new page created

• wrkflw validate now rejects env: VAR=value (bare strings) at step, job, and top-level — GitHub Actions only accepts mappings for env:
• Expression strings like env: ${{ fromJSON(...) }} are still allowed
• Adds validate_env() helper in the validators crate, wired into validate_steps, validate_jobs, and evaluate_workflow_file

Closes #89

Test plan

• cargo fmt --all — clean
• cargo clippy --all-targets --all-features — clean
• cargo test -p wrkflw-validators — 30 tests pass (6 new)
• cargo test -p wrkflw-evaluator — passes
• Full cargo test — all green
• End-to-end: wrkflw validate rejects env: VAR=value at step, job, and top level
• End-to-end: wrkflw validate accepts proper env: mappings

Adds the missing subsystems needed to emulate real-world GitHub Actions workflows locally: artifact storage, persistent caching, secret expression resolution, inter-job output chaining, and workflow command parsing.

New capabilities

• Artifact upload/download — Local ArtifactStore emulates actions/upload-artifact and actions/download-artifact. Files are copied under a per-run temp directory, preserving relative paths. Path traversal and symlink attacks are blocked.

• Persistent cache — Local CacheStore at ~/.wrkflw/cache/ emulates actions/cache with SHA-256 keyed entries, prefix-based restore-keys matching, LRU eviction at 1 GiB, and atomic save via tmp+rename. Cache persists across workflow runs.

• **secrets.* expressions** — Secrets referenced in job steps are pre-resolved at job start and available via ${{ secrets.NAME }}. The evaluator stays synchronous; async resolution happens once per job.

• **needs.* / jobs.* context** — needs.<job>.outputs.<key> and needs.<job>.result resolve from upstream job results. Outputs are accumulated across dependency batches and filtered to declared needs: dependencies. Matrix jobs warn on non-deterministic output overwrites.

• Step outcome/conclusion — steps.<id>.outcome (raw) and steps.<id>.conclusion (after continue-on-error) track real values. success()/failure()/cancelled() builtins consult actual job state instead of returning hardcoded values.

• Workflow commands — New parser for ::set-output::, ::add-mask::, ::error::, ::warning::, ::notice::, ::debug::, ::group::/::endgroup::, ::save-state::, and ::stop-commands:: from step stdout. ::add-mask:: dynamically registers secrets with the masker.

Correctness and security fixes

• Expression tokenizer operates on &str instead of &[u8], fixing UTF-8 corruption in string literals
• format() uses single-pass replacement to prevent arg content from being consumed by later placeholders
• toJSON() uses serde_json for proper escaping of control characters
• SecretMasker uses fixed *** replacement (matching GHA) instead of leaking first/last characters
• SecretMasker uses RwLock interior mutability so ::add-mask:: can add secrets through shared refs
• Path traversal checks on artifact names, cache paths, download targets, reusable workflow paths, and hashFiles globs
• Symlinks are skipped in artifact/cache directory walks
• INPUT_* env vars are masked in step output logs
• Unparseable if: conditions now evaluate to false (matching GHA) instead of true
• Workflow command decode_value handles %2C (comma) and %3B (semicolon) in addition to the existing encodings

Architecture improvements

• JobServices struct groups secret manager, masker, stores, and resolved context to reduce parameter counts
• StepLoopState deduplicates the step-outcome processing logic between execute_job and execute_matrix_job
• handle_upload_artifact, handle_download_artifact, handle_cache_action extracted from the execute_step monolith
• preprocess_expressions takes a single ExpressionContext instead of 5 separate parameters
• Reusable workflow execution shares parent's secret manager, masker, and artifact/cache stores
• secrets: inherit propagates parent secrets to called workflows

Test plan

• cargo build — compiles clean
• cargo test — all tests pass, 0 failures
• cargo clippy — no warnings
• cargo fmt -- --check — no formatting issues
• New unit tests for workflow_commands, artifacts, cache, format() edge cases, condition parse-error behavior, and process_workflow_commands integration