ci(sovereign): cargo test --workspace --lib (PMAT-159)

.github/workflows/sovereign-ci.yml

@@ -4,7 +4,7 @@
 # Change once here → applies to all 38 repos instantly.
 #
 # Self-hosted jobs run inside the sovereign-ci container (built by forjar).
 # Each job gets an isolated filesystem — no shared ~/.rustup/, no race conditions.
 # Image: localhost:5000/sovereign-ci:stable (local registry on mac-server)
 # Rebuild: cd infra && make -f machines/intel/Makefile ci-image
 #
@@ -48,7 +48,7 @@
         default: false
         type: boolean
       extra_pkgs:
         description: 'Extra apt packages to install in container (e.g. python3-dev libclang-dev)'
         required: false
         default: ''
         type: string
@@ -62,6 +62,11 @@
         required: false
         default: false
         type: boolean
+      test_workspace:
+        description: 'PMAT-159: test all workspace members with `--workspace --lib` (not just root). Opt-in because workspace members may not build in the sovereign-ci container (e.g. aprender-gpu needs cuBLAS). Pair with test_args exclusions as needed.'
+        required: false
+        default: false
+        type: boolean
 
 # HD-02: Least-privilege token — only escalate where needed
 permissions:
@@ -78,7 +83,7 @@
 jobs:
   test:
     name: test
     runs-on: [self-hosted, clean-room]
     container:
       image: localhost:5000/sovereign-ci:stable@sha256:10486da5daa3786f3264aa0e19fdde007e7ba1eca1d47ba587947946e42bd871
       # Phase 3 §5.3 — sccache rustc cache + /var/log/ci-metrics for F9 stats.
@@ -94,7 +99,7 @@
           persist-credentials: false
       - name: Install extra packages
         if: ${{ inputs.extra_pkgs != '' }}
         run: |
           apt-get update -qq && apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || \
           sudo apt-get update -qq && sudo apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || true
       - name: Checkout sibling repos (path deps)
@@ -142,7 +147,7 @@
           # Note: generated contract macros may have unused variables (provable-contracts#64).
           # This is handled by adding -A unused-variables to the clippy step.
       - name: Generate contract assertions (pv codegen)
         run: |
           # pv is baked into sovereign-ci:stable at /usr/local/cargo/bin/pv
           PV=""
           for candidate in /usr/local/cargo/bin/pv /usr/local/bin/pv; do
@@ -192,20 +197,24 @@
           RUSTC_WRAPPER: ${{ inputs.enable_sccache && 'rustc-sccache' || '' }}
           SCCACHE_DIR: ${{ inputs.enable_sccache && '/sccache' || '' }}
           USE_NEXTEST: ${{ inputs.use_nextest }}
+          TEST_SCOPE: ${{ inputs.test_workspace && '--workspace --lib' || '--lib' }}
         run: |
           # Mark workspace as safe for git operations inside tests (dubious ownership in containers)
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
           # Phase 2 §4.3 — nextest drops ~35% off test-job wall-clock on large suites.
-          # Fallback to cargo test if nextest fails for any reason (e.g. test harness quirks).
+          # PMAT-159 (2026-04-20): `test_workspace: true` opts into `--workspace --lib` so
+          # workspace-member lib tests are exercised. Default stays `--lib` (root only) for
+          # back-compat: many repos have workspace members that don't build in the sovereign-ci
+          # container. Opt-in callers pair this with `test_args` exclusions as needed.
           if [ "$USE_NEXTEST" = "true" ]; then
-            cargo nextest run --lib $TEST_ARGS 2>&1 || \
+            cargo nextest run $TEST_SCOPE $TEST_ARGS 2>&1 || \
             cargo nextest run --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
             { echo "::warning::nextest failed — falling back to cargo test"; \
-              cargo test --lib $TEST_ARGS 2>&1 || \
+              cargo test $TEST_SCOPE $TEST_ARGS 2>&1 || \
               cargo test --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
               { echo "::error::Tests failed — check workspace path dependencies"; exit 1; }; }
           else
-            cargo test --lib $TEST_ARGS 2>&1 || \
+            cargo test $TEST_SCOPE $TEST_ARGS 2>&1 || \
             cargo test --lib -p "$REPO_NAME" $TEST_ARGS 2>&1 || \
             { echo "::error::Tests failed — check workspace path dependencies"; exit 1; }
           fi
@@ -473,10 +482,14 @@
           REPO_NAME: ${{ inputs.repo }}
           RUSTC_WRAPPER: ${{ inputs.enable_sccache && 'rustc-sccache' || '' }}
           SCCACHE_DIR: ${{ inputs.enable_sccache && '/sccache' || '' }}
+          TEST_SCOPE: ${{ inputs.test_workspace && '--workspace --lib' || '--lib' }}
         run: |
           # Mark workspace as safe for git operations inside tests (dubious ownership in containers)
           git config --global --add safe.directory "$GITHUB_WORKSPACE"
-          cargo llvm-cov test --lib --no-cfg-coverage --no-cfg-coverage-nightly --lcov --output-path lcov.info $TEST_ARGS 2>&1 || \
+          # PMAT-159 (2026-04-20): `test_workspace: true` opts into `--workspace --lib` so
+          # coverage reflects all workspace members. Default stays `--lib` (root only) — see
+          # test job comment for back-compat rationale.
+          cargo llvm-cov test $TEST_SCOPE --no-cfg-coverage --no-cfg-coverage-nightly --lcov --output-path lcov.info $TEST_ARGS 2>&1 || \
           cargo llvm-cov test --lib --no-cfg-coverage --no-cfg-coverage-nightly -p "$REPO_NAME" --lcov --output-path lcov.info 2>&1 || \
           { echo "::error::Coverage failed — check workspace path dependencies"; exit 1; }
       - name: Record sccache stats