jml e758f2ebfb feat(aphoria): implement programmatic extractors for Option<T> semantics

Completes Task #3 of httpclient dogfooding with 100% detection rate (7/7 violations).

## New Extractors

- **OptionBoundsExtractor**: Detects Option<T> fields set to None (unbounded)
- **OptionValueExtractor**: Extracts values from Some(n) for threshold checks

Both extractors use context-aware pattern matching to understand Rust Option<T>
semantics, which declarative extractors cannot handle.

## Implementation

**Files Created**:
- applications/aphoria/src/extractors/option_bounds.rs (257 lines)
- applications/aphoria/src/extractors/option_value.rs (277 lines)
- applications/aphoria/docs/examples/extractors/programmatic-option-semantics.md

**Files Modified**:
- applications/aphoria/src/extractors/mod.rs - Added module declarations
- applications/aphoria/src/extractors/registry.rs - Registered extractors
- applications/aphoria/dogfood/httpclient/.aphoria/claims.toml - Added 4 claims
- applications/aphoria/dogfood/httpclient/TASK-1-SUMMARY.md - Task #3 completion

## Results

| Metric | Value |
|--------|-------|
| Detection Rate | 100% (7/7 violations) |
| Improvement | +29 percentage points (from 71%) |
| New Violations | 2 (max_redirects, max_retries unbounded) |
| Unit Tests | 13 (all passing) |

## Two-Claim Strategy

For each bounded Option<T> field:
1. **configured** claim - Detects None (unbounded)
2. **max_value** claim - Validates Some(n) threshold

Example:
- `max_redirects: None` → CONFLICT (not configured)
- `max_redirects: Some(20)` → CONFLICT (exceeds 10)
- `max_redirects: Some(5)` → PASS

## Enterprise Quality

✓ Proper error handling (no unwrap/expect)
✓ Comprehensive tests (6+7 unit tests)
✓ Full documentation with examples
✓ Reusable for 10+ similar patterns
✓ Screening patterns for performance

## Cachewrap Dogfood

Also includes complete cachewrap dogfood exercise:
- 10 claims for Redis cache wrapper
- Day 1-5 summaries
- Full retrospective and evaluation
- Declarative extractors for all patterns

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-11 06:43:10 +00:00

7.5 KiB

Raw Blame History

Team Progress Log - cachewrap Dogfood Exercise

Timestamp: 2026-02-11 Phase: Days 1-5 Complete Documentation Followed: cachewrap/plan.md, cachewrap/README.md

Day 1: Claims Extraction (2026-02-11 03:45-03:56)

Team Thoughts (from DAY1-SUMMARY.md)

Duration: 11 minutes 17 seconds (0.19 hours)

What they did:

Used /aphoria-suggest skill to discover reusable patterns from httpclient, dbpool, msgqueue corpora
Created 20 claims total: 7 reused (35%), 13 new (65%)
Pattern discovery via semantic matching (not string matching)
Validated cross-domain transfer (HTTP timeout → cache timeout)

Evidence of skill usage:

.aphoria/claims.toml shows created_by = "aphoria-suggest" for all 20 claims ✅
DAY1-SUMMARY.md mentions "Pattern Discovery via LLM" section
Time per claim: 18.2 seconds average (suggests automated workflow)

Questions Raised:

None documented - workflow appeared smooth

Decisions Made:

Reuse 7 patterns from existing corpora (timeout, TLS, retry, async, connections, lifecycle, metrics)
Create 13 new cache-specific patterns (TTL, eviction, key validation, max_size, etc.)
Use "expert" tier for critical safety/security claims, "community" for recommendations

Next Steps Stated:

Day 2: Implement cache library with 10 intentional violations
Embed inline markers during implementation (not retrofit)

Day 2: Implementation (2026-02-11 04:01-04:11)

Team Thoughts (from DAY2-SUMMARY.md)

Duration: 10 minutes 26 seconds (0.17 hours)

What they did:

Created Rust cache wrapper library with redis, tokio, serde dependencies
Embedded 10 violations across config.rs and client.rs
Added inline @aphoria:claim markers for each violation
Wrote 16 tests (3 unit + 13 integration, 9 passing without Redis)
Documented all violations in lib.rs with cross-cutting categories

Violations embedded:

Key injection (no validation)
TLS disabled (verify_tls: false)
Hardcoded password ("secret123")
Missing TTL (SET without EX/PX)
Unbounded size (max_size: None)
Sync blocking (get_connection() in async)
No eviction policy
Zero timeout
No connection pooling
Metrics disabled

Questions Raised:

Should tests exercise violations or prevent them? (Decided: exercise, detection comes from scan)

Decisions Made:

Simple scope (wrapper, not production library) for speed
Violations embedded during implementation (not retrofitted)
Tests validate code works despite violations (violations are config issues)

Next Steps Stated:

Day 3: Run scan, expect low baseline detection, create extractors

Day 3: Scanning & Extractor Creation (2026-02-11 04:20-04:30)

Team Thoughts (from DAY3-SUMMARY.md)

Duration: 9 minutes 17 seconds (0.15 hours)

What they did:

Iteration 1 (FAILED): Created 10 separate .toml files in .aphoria/extractors/ directory
- Assumption: Aphoria loads extractors from separate files
- Result: Extractors not loaded
- Learning: Declarative extractors must be in .aphoria/config.toml
Iteration 2 (PARTIAL): Added extractors to config.toml with concept path mismatch
- Extractor: claim.subject = "timeout" → observation tail config/timeout
- Claim: concept_path = "cache/timeout"
- Result: 0% detection (tail paths don't align)
- Learning: Subject must include full prefix
Iteration 3 (SUCCESS): Fixed concept path alignment
- Changed all subjects to include cache/ prefix
- Result: 50% detection (5/10 violations)
- 10 declarative extractors in config.toml

Violations detected (5):

cache-timeout-001 (zero timeout)
cache-ttl-required-001 (missing TTL)
cache-key-validation-001 (no validation)
cache-max-size-001 (unbounded size)
cache-eviction-policy-001 (no eviction)

Violations missed (5):

cache-tls-validation-001 (TLS disabled) - pattern matches declaration, not Default impl
cache-async-blocking-001 (sync blocking) - pattern escaping issue
cache-max-connections-001 (no pooling) - long pattern regex issue
cache-metrics-enabled-001 (metrics disabled) - similar to TLS issue
cache-hardcoded-password-001 (hardcoded password) - pattern too specific

Questions Raised:

Why 50% instead of ≥90%? (Analyzed: declarative extractor limitations)
Should we refine extractors or move to Day 4? (Decided: move on, validate mechanism)

Decisions Made:

50% detection validates flywheel (0% → 50% proves knowledge compounding)
Declarative extractors have known limitations (function bodies, context)
Programmatic extractors needed for 90%+ (not blocking for Day 3)

Next Steps Stated:

Day 4: Fix all 10 violations progressively, verify with scans
Don't refine extractors (that's Day 5 activity)

Observer Notes:

No evidence of /aphoria-custom-extractor-creator skill usage ⚠️
Team manually edited .aphoria/config.toml (3 iterations)
Fast iteration (1 min per iteration) suggests clear feedback
Pattern: Discovered extractor configuration through trial and error

Day 4: Remediation (2026-02-11 continuation)

Team Thoughts (from DAY4-SUMMARY.md)

Duration: 25 minutes (0.42 hours)

What they did:

Fixed all 10 violations in 4 rounds (Security → Performance → Correctness → Observability)
Updated tests to reflect fixes
Final scan: 1 conflict remaining (false negative due to extractor limitation)

Rounds:

Security (3 fixes): Key validation function, TLS default true, env password
Performance (3 fixes): Default TTL, max_size 1GB, removed blocking_get()
Correctness (3 fixes): LRU eviction, 5s timeout, ConnectionManager pooling
Observability (1 fix): Metrics enabled

Conflict rate improvement: 5 → 1 (-80%)

Questions Raised:

Why does cache-key-validation-001 still conflict? (Analyzed: extractor checks signature, not body)

Decisions Made:

Code is correct despite false negative (validation function exists)
Extractor limitation, not code issue
Refinement for Day 5

Next Steps Stated:

Day 5: Documentation, retrospective, extractor refinement

Day 5: Documentation (2026-02-11 continuation)

Team Thoughts (from DAY5-SUMMARY.md)

Duration: 571 lines comprehensive retrospective

What they did:

Comprehensive metrics analysis
Hypothesis validation (multi-domain flywheel works)
50% detection caveat documented
Enterprise pitch materials prepared

Key insights:

Total time: 1.4 hours (91% faster than target)
Pattern reuse: 35% (exact match to hypothesis)
Detection: 50% (below 90% but validates mechanism)
All violations fixed, production-ready

Lessons learned:

Concept path alignment is critical
Declarative extractors work for simple patterns only
50% is enough to validate flywheel (improvement, not perfection)
Progressive fixing by severity reduces risk

Next Steps Stated:

Share with team for dbpool comparison
Use learnings for next dogfood exercise

Summary

Total Duration: 1.4 hours (Days 1-4), ~2 hours (Days 1-5)

Workflow Used:

✅ Day 1: /aphoria-suggest skill (autonomous)
❌ Day 3: Manual config.toml editing (3 iterations)
ℹ️ Pattern: Partial LLM usage, not continuous

Success Metrics:

Pattern reuse: 35% ✅
Time savings: 91% ✅
Detection rate: 50% ⚠️ (below 90% target)
Violations fixed: 100% ✅

Critical Observation: Team used LLM skills for claim discovery but manual workflow for extractor creation, indicating documentation didn't emphasize continuous LLM requirement across all phases.

7.5 KiB Raw Blame History Unescape Escape

Team Progress Log - cachewrap Dogfood Exercise

Day 1: Claims Extraction (2026-02-11 03:45-03:56)

Team Thoughts (from DAY1-SUMMARY.md)

Day 2: Implementation (2026-02-11 04:01-04:11)

Team Thoughts (from DAY2-SUMMARY.md)

Day 3: Scanning & Extractor Creation (2026-02-11 04:20-04:30)

Team Thoughts (from DAY3-SUMMARY.md)

Day 4: Remediation (2026-02-11 continuation)

Team Thoughts (from DAY4-SUMMARY.md)

Day 5: Documentation (2026-02-11 continuation)

Team Thoughts (from DAY5-SUMMARY.md)

Summary

7.5 KiB

Raw Blame History