chore(audit): add docs/wire-shape scanner + 2026-05-29 sweep#451
Conversation
New offline-rerunnable tool that parses Yandex Direct docs HTML, extracts the request JSON-schema, and compares with V4_METHOD_CONTRACTS.example_param and RESOURCE_MAPPING_V5. Closes the methodological gap that allowed the v4 Currency regression (root-caused in #125, fixed by #450) — that PR happened because verification was done against dg-v4/reference/ pages instead of dg-v4/live/ ones. Tooling ------- - scripts/audit_wire_shape.py — modes: --v4, --v5, --reports, --all. Uses a 3-retry × 5-second-pause captcha guard reusing the same markers as direct_cli.reports_coverage.fetch_reports_spec. Persistent captcha is recorded as `captcha-after-retries` rather than aborting the run. - tests/test_audit_wire_shape.py — 9 offline golden tests covering request-section extraction, schema parsing, response-side leak prevention, Live 4 hint detection, example_param key walk, captcha marker detection, and v5 per-method URL derivation. Sweep artefacts (2026-05-29) ---------------------------- - docs/audits/PROJECT_WIRE_SHAPE_AUDIT_2026-05-29.md — 174 findings across 32 v4 methods, ~112 v5 operations, 1 reports surface. - docs/audits/wire_shape.json — same data, machine-readable. Reproducibility --------------- python scripts/audit_wire_shape.py --all \ --json docs/audits/wire_shape.json \ --markdown docs/audits/PROJECT_WIRE_SHAPE_AUDIT_2026-05-29.md Summary writeup with severity-classified findings posted as a comment to issue #111 (link in the comment body). This PR adds the auditing capability and the dated report only. Individual contract / payload-builder fixes for the HIGH-severity gaps (GetEventsLog contract missing 11 fields, CreateNewForecast missing 3+ fields, GetBannersTags missing CampaignIDS) are deliberately deferred to follow-up PRs — one per gap, per the project's "1 issue = 1 PR" rule. Audit trail: #111 (comment) Co-Authored-By: Claude Opus 4.7 <[email protected]>
|
@claude review. Focus on critical issues: bugs, security vulnerabilities, logical errors, data loss risks, performance problems. Do NOT nitpick style, naming conventions, minor formatting, or subjective preferences — only flag issues that could break functionality or cause real harm in production. |
|
Claude finished @axisrow's task in 3m 33s —— View job PR Review: docs/wire-shape scannerReviewed 🔴 1.
|
… URL Review fixes for #451: - _v5_per_method_url chopped the trailing path segment unconditionally, so single-segment docs bases (vcards, smartadtargets, dynamictextadtargets, dynamicfeedadtargets) lost their resource name and resolved to `…/ru/get` — silently mis-auditing 4 v5 groups at 404/captcha URLs. Now the tail is chopped only when it duplicates its parent segment; single-segment bases append the method to the full base. - The test that locked in the buggy `…/ru/get` output is corrected and a vcards regression-guard case is added. - REPORTS_SPEC_URL now imports REPORTS_SPEC_URLS["spec"] from the registry instead of duplicating the literal, per CLAUDE.md "No URL literals outside the registry". Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
|
Триаж ревью (проверено по реальному коду): 🔴 Находка 1 (FIX — исправлено в 801324c): баг подтверждён. 🟡 Находка 3 (частично FIX — исправлено в 801324c): 🟠 Находка 2 (SKIP / follow-up): риск реальный (regex Локально: |
|
@claude review. Focus on critical issues: bugs, security vulnerabilities, logical errors, data loss risks, performance problems. Do NOT nitpick style, naming conventions, minor formatting, or subjective preferences — only flag issues that could break functionality or cause real harm in production. |
|
Claude finished @axisrow's task in 1m 9s —— View job Re-review: docs/wire-shape scanner (post-
|
The FINDING_NOTES_REFERENCE_URL check fired whenever the contract notes cited dg-v4/reference/ and url_used stayed live_url — but a captcha'd live page also leaves url_used == live_url, so the finding asserted "live exists, drop reference" on a page that was never actually read (15/16 v4 methods were captcha-blocked in the 2026-05-29 run). Require fetched.status == "ok" so the finding only fires when the live schema was genuinely verified. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
…t fields (#456) Closes the docs-drift gaps from the 2026-05-29 wire-shape audit (#451). Additive change — only new optional flags; existing flags unchanged. - v4events get-events-log (#452): adds --last-event-only, --with-text-description (Yes/No), --logins, and a nested Filter object via --filter-campaign-ids / --filter-banner-ids / --filter-phrase-ids / --filter-account-ids / --filter-event-type. Filter keys mirror the WSDL (CampaignIDS/BannerIDS/ PhraseIDS/AccountIDS/EventType); EventType is validated against the documented 9-value enum before any API call. - v4forecast create (#453): adds --categories, --auction-bids (Yes/No) and --common-minus-words. Categories is accepted but ignored by the API per docs. All field names verified against official dg-v4/live docs (Docs-verified 2026-05-29); audit_wire_shape.py --v4 reports 0 findings for both methods. Contracts (example_param/notes/login_placement) updated, dry-run tests assert exact request bodies, README examples added. Refs #452 #453 Co-authored-by: axisrow <[email protected]> Co-authored-by: Claude Opus 4.8 <[email protected]>
Summary
scripts/audit_wire_shape.py— offline-rerunnable scanner that parses Yandex Direct docs HTML, extracts the request JSON-schema, and compares withV4_METHOD_CONTRACTS.example_paramandRESOURCE_MAPPING_V5. Closes the methodological gap that allowed the v4Currencyregression (root-caused in Add typed V4 Live finance and shared-account commands #125, fixed by fix(v4)!: restore --currency for live finance methods (regression from #441/#442/#443) #450).tests/test_audit_wire_shape.py— 9 offline golden tests for the parser (no network).docs/audits/PROJECT_WIRE_SHAPE_AUDIT_2026-05-29.md(174 findings) anddocs/audits/wire_shape.json.Tooling
Modes:
--v4/--v5/--reports/--all. Reuses captcha + thin-body guards fromdirect_cli.reports_coverage.fetch_reports_spec. Three retries × 5 s pause; persistent captcha is recorded ascaptcha-after-retriesrather than aborting.Findings categories:
docs_field_missing_in_code— JSON-schema key present in docs, absent fromexample_param.code_field_missing_in_docs—example_paramkey not seen in parsed docs schema (manual review needed).required_field_missing_in_payload_module— Live 4 changelog marker «Входной параметр X стал обязательным», butexample_paramlacks X.notes_points_at_reference_url—contract.notescitesdg-v4/reference/whiledg-v4/live/exists.live4_marker_absent— live page reachable but lacks the Live 4 changelog block.docs_unreachable— captcha / 404 / network error.v5_schema_seen/v5_schema_not_extracted— positive coverage / unparseable group page.2026-05-29 results (high level)
High-severity gaps surfaced:
GetEventsLog—example_parammissing 11 fields (AccountIDS,BannerIDS,CampaignIDS,EventType,Filter,LastEventOnly,Limit,Logins,Offset,PhraseIDS,WithTextDescription).CreateNewForecast— missingAuctionBids,Categories,CommonMinusWords.GetBannersTags— missingCampaignIDS.TransferMoney/PayCampaigns/CreateInvoice—Currency(already fixed in fix(v4)!: restore --currency for live finance methods (regression from #441/#442/#443) #450).Full severity-classified writeup posted as a comment to #111: #111 (comment)
Out of scope
Individual contract / payload-builder fixes for the HIGH-severity gaps are deliberately deferred to follow-up PRs — one per gap, per the project's "1 issue = 1 PR" rule. This PR ships the auditing capability + the dated report only.
Test plan
pytest tests/test_audit_wire_shape.py— 9 offline golden tests pass.python scripts/audit_wire_shape.py --all— produces the dated report; exit 1 on findings is by design.