Skip to content

docs: reconcile widened doc-gate perimeter (DOC-ENV + ACCESSOR-TRUTH)#59

Closed
mjerris wants to merge 1 commit into
mainfrom
docs/reconcile-widened-perimeter
Closed

docs: reconcile widened doc-gate perimeter (DOC-ENV + ACCESSOR-TRUTH)#59
mjerris wants to merge 1 commit into
mainfrom
docs/reconcile-widened-perimeter

Conversation

@mjerris

@mjerris mjerris commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Why

porting-sdk #99 widens the doc-gate perimeter — accessor_truth.py + doc_env.py now scan all tracked markdown (not just docs/**). That surfaces real pre-existing doc drift the narrow perimeter missed. #99 can't land green until this port's findings are reconciled.

All changes here are docs-only. No SDK code changed.

DOC-ENV findings → fixes (finding → truth-in-source → fix)

Doc claim Truth in source Fix
SWML_AUTH_USER auth_mixin.py/security_config.py read SWML_BASIC_AUTH_USER renamed to SWML_BASIC_AUTH_USER
SWML_AUTH_PASS code reads SWML_BASIC_AUTH_PASSWORD renamed to SWML_BASIC_AUTH_PASSWORD
SWML_LOG_LEVEL logging_config.py reads SIGNALWIRE_LOG_LEVEL renamed to SIGNALWIRE_LOG_LEVEL
SWML_BASIC_AUTH_PASSWORD_FILE SDK reads no *_FILE var — it reads SWML_BASIC_AUTH_PASSWORD directly removed; docker tutorial reworked to an env_file pattern using the real var

ACCESSOR-TRUTH finding → fix

Doc claim Truth in source Fix
math skill README: "Uses Python's eval() with restricted builtins" skills/math/skill.py never calls eval(); it does ast.parse(mode="eval") + a restricted _safe_eval AST walker rewrote the "Safe Evaluation" section to describe the real AST-based evaluator (stale doc was also a security misdescription)

Flagged — NOT fixed, NOT allowlisted (needs a human decision)

SWML_SCHEMA_PATH and SWML_SCHEMA_MCP_DEBUG still trip DOC-ENV. Both are real and correctly documentedmcp/swml-schema-search/swml_schema_mcp.py reads them (schema-path override + debug-logging toggle), and the doc that names them lives right beside that script (mcp/swml-schema-search/README.md).

The mismatch is a perimeter artifact: the gate's code perimeter is signalwire/signalwire/**/*.py (shippable SDK surface) and deliberately excludes the standalone mcp/ tool, while its doc perimeter is all tracked markdown. Docs and code are both correct.

Per RULES.md (no autonomous allowlisting) I did not add a DOC_ENV_ALLOW.md entry or widen the gate to go green. Candidate resolutions for a maintainer to pick:

  • allowlist the two vars in DOC_ENV_ALLOW.md (they are legitimately doc+code correct, just outside the code perimeter), or
  • extend the python code perimeter to include mcp/**/*.py in doc_env.py (treats the MCP tool as documentable surface).

Verification

  • accessor_truth.py --port pythonclean (exit 0)
  • doc_env.py --port python → only the two flagged MCP vars remain (the perimeter artifact above)
  • docs-only; python test suite unaffected

🤖 Generated with Claude Code

https://claude.ai/code/session_01PqshDQajCmDHD3xPo4CXMC

porting-sdk #99 widens accessor_truth.py + doc_env.py to read ALL tracked
markdown (not just docs/**), surfacing real pre-existing doc drift.

DOC-ENV — correct stale env-var names to the vars the SDK actually reads:
- SWML_AUTH_USER  -> SWML_BASIC_AUTH_USER
- SWML_AUTH_PASS  -> SWML_BASIC_AUTH_PASSWORD
  (auth_mixin.py / security_config.py read SWML_BASIC_AUTH_USER/PASSWORD)
- SWML_LOG_LEVEL  -> SIGNALWIRE_LOG_LEVEL
  (logging_config.py reads SIGNALWIRE_LOG_LEVEL)
- SWML_BASIC_AUTH_PASSWORD_FILE: removed — the SDK never reads a *_FILE var;
  reworked the docker tutorial to use an env_file with the real
  SWML_BASIC_AUTH_USER/PASSWORD the SDK reads directly.

ACCESSOR-TRUTH — math skill README described a phantom `eval()`:
- the skill does NOT use Python's eval(); it parses to an AST and walks it with
  a restricted evaluator (ast.parse(mode="eval") + _safe_eval). Rewrote the
  "Safe Evaluation" section to describe the real AST-based implementation.

Not touched (flagged for human decision, deliberately NOT allowlisted):
SWML_SCHEMA_PATH / SWML_SCHEMA_MCP_DEBUG are documented in
mcp/swml-schema-search/README.md and are genuinely read by the sibling
mcp/swml-schema-search/swml_schema_mcp.py. The doc-gate flags them only because
its code perimeter is signalwire/signalwire/**/*.py (shippable SDK surface) and
excludes the standalone mcp/ tool. Docs and code are both correct; the mismatch
is a perimeter artifact, not doc drift.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PqshDQajCmDHD3xPo4CXMC
@mjerris

mjerris commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator Author

Consolidated into #58 — one PR per repo for this wave. Closing duplicate.

@mjerris mjerris closed this Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant