RCICD coverage and cost matrix (2026)
This document implements the RCICD audit plan: what is covered where, what belongs in CI versus `vox ci pre-push`, known gaps, and cost hotspots.
Principles
- Merge gate: `.github/workflows/ci.yml` on `pull_request` and push to `main`.
- Shift-left: Prefer `vox ci pre-push` (and crate-scoped tests) for deterministic checks developers can run before push; keep environment-heavy work in Actions.
- Single bundle: `vox ci ssot-drift` runs `check-docs-ssot`, `check-codex-ssot`, `command-compliance`, SQL/query guards, operations verify, contracts index, docs-reality-audit verify, exec policy, completion audit (verify path), scientia contracts, and data SSOT guards — see `run_ssot_drift` in `crates/vox-cli/src/commands/ci/run_body_helpers/docs.rs`.
Workflow summary
| Workflow | Trigger (summary) | Role | Cost tier |
|---|---|---|---|
| ci.yml | PR + push main | Build, lint, guards, nextest, llvm-cov, audits, integration lanes | High |
| docs-quality.yml | Path-filtered PR/main | Doc lint, doctest-md, Starlight build | Medium |
| docs-deploy.yml | Path-filtered push main | Site deploy | Medium |
| link_checker.yml | PR + push main | External links | Medium |
| ssot-drift.yml | PR + push main | Crate version / dashboard SSOT (overlaps theme with ci.yml, not identical steps) | Low–medium |
| mutation-pr.yml | Path-filtered PR (vox-compiler, vox-codegen) | cargo mutants | High |
| mutation-nightly.yml / bench-nightly.yml / qwen35-native-nightly.yml | Schedule | Nightly quality / perf | High (scheduled) |
| mobile-e2e-android.yml | Path-filtered PR/push (apps/vox-mental-tracker/**) | Android emulator E2E | High |
| deploy-hetzner.yml | Push main, workflow_dispatch | Coolify deploy + health probes; Gate 1 is minimal ubuntu build only | Low (smoke) + deploy wall time |
| Tag/release workflows | Tags / release | Artifacts | Variable |
For runner labels and exceptions, see runner-contract.md and github-hosted-exceptions.md.
ci.yml job → coverage → local parity
| Area | CI location (typical) | Local / test-suite equivalent |
|---|---|---|
| Line endings, manifest, fmt, deny | guards-fast | vox ci pre-push (fast), vox ci manifest, cargo deny |
| Docs/codex SSOT + registry parity | guards-fast → ssot-drift | vox ci ssot-drift or vox ci pre-push --complete |
| Retired symbols | guards-fast | vox ci retired-symbol-check |
| Data / telemetry SSOT (inside ssot-drift) + secrets | guards-fast → ssot-drift + later secrets steps | vox ci ssot-drift; vox ci secrets-parity |
| Clippy / rustdoc / drift | lints | cargo clippy, vox ci pre-push --complete |
| Workspace tests + coverage | tests | vox ci pre-push --full, cargo llvm-cov nextest |
| Compiler gates (golden strict-parse, @test runner, WebIR) | compiler-gates | See crate tests under vox-compiler, vox-integration-tests |
| Audits (TOESTUB, mens-gate, build-timings, all-features matrix) | audits, matrices | Partial local; GPU/time budgets stay CI |
Coverage gaps addressed in-repo
- Recursive golden strict-parse: `golden_examples_strict_parse` now walks `examples/golden/**/*.vox`, matching `golden_vox_test_runner`.
Ongoing gaps / debt (monitor)
- Ignored tests: Inventory in `contracts/reports/test-inventory.v1.json`; governance via `vox ci ignored-test-age`, `test-inventory`. Large ignored counts hide regressions if ignored-only lanes are skipped.
- Mutation scope: PR mutation gate is limited to compiler/codegen paths; other crates rely on unit/integration coverage only.
- GitLab vs GitHub: `.gitlab-ci.yml` `vox-ci-guards` uses the same `retired-symbol-check` then `ssot-drift` bundle as GitHub `guards-fast` (plus GitLab-only extras such as `data-storage-guard`). Full parity with the entire `ci.yml` matrix is still not guaranteed — track drift when adding GitHub jobs.
Cost optimizations applied
- `guards-fast`: Removed standalone `check-codex-ssot`, `check-docs-ssot`, and `command-compliance` before `ssot-drift` (they run inside `run_ssot_drift`).
- `compiler-gates`: Removed redundant first `web_ir_lower_emit_test` nextest invocation; the `VOX_WEBIR_VALIDATE=1` ignored-only run executes the full ignored set including the former filtered test.
- `mobile-e2e-android.yml`: Path filters so macOS emulator jobs run only when `apps/vox-mental-tracker/` or the workflow file changes.
- `guards-fast`: Removed standalone `data-ssot-guards` after `ssot-drift` (already invoked at end of `run_ssot_drift`).
- `deploy-hetzner.yml` Gate 1: Dropped duplicate `cargo fmt` / `cargo clippy`; kept `cargo build -p vox-cli --locked` on `ubuntu-latest` only (merge already validated by `ci.yml`).
- `.gitlab-ci.yml`: Replaced separate `check-codex-ssot`, `check-docs-ssot`, `command-compliance` with `retired-symbol-check` + `ssot-drift` to match GitHub bundling.
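The path-filter change to `mobile-e2e-android.yml` listed above, sketched as an added example (not the repository's actual workflow file). The workflow's location under `.github/workflows/` is an assumption; the global trigger it replaces is shown commented out.

```yaml
# Added illustration of the trigger block only; jobs are omitted.
#
# Before: global trigger. Every push and every PR starts the emulator job.
# on: [push, pull_request]

# After: the workflow starts only when the app tree or the workflow file
# itself changes.
on:
  pull_request:
    paths:
      - "apps/vox-mental-tracker/**"
      # Assumed location of this workflow file.
      - ".github/workflows/mobile-e2e-android.yml"
  push:
    paths:
      - "apps/vox-mental-tracker/**"
      - ".github/workflows/mobile-e2e-android.yml"
```

If a path-filtered workflow is listed as a required status check, GitHub leaves that check pending on PRs where the filter skips it, so a workflow filtered this way should not be a required check in branch protection.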
Rollback
- Re-add explicit `ci command-compliance` (and codex/docs steps) in `ci.yml` if `ssot-drift` is split or reordered without preserving those calls.
- Re-add standalone `ci data-ssot-guards` in `guards-fast` only if `ssot-drift` stops calling `run_data_ssot_guards`.
- Restore `deploy-hetzner` fmt/clippy smoke if branch protection no longer requires green `ci.yml` before merge.
- Restore global `on: [push, pull_request]` on mobile workflow only if cross-repo coupling requires every PR to exercise Android.