feat: Better source-aware testing

[bearsyankees]

No description provided.

[greptile-apps]

Greptile Summary

This PR delivers two interconnected features: source-aware diff-scoped testing and shared wiki memory for whitebox agents. Together they give Strix the context and focus needed to conduct high-signal whitebox security reviews in CI/PR workflows.

Key changes:

• Diff-scope resolution (strix/interface/utils.py): ~600 lines of git-aware diff parsing (git diff --name-status -z), merge-base computation, and resolve_diff_scope_context with three modes (auto/diff/full). The auto mode gracefully degrades on shallow repos — addressing a previous review concern — while diff mode hard-fails as expected. New --scope-mode and --diff-base CLI flags surface this to users.
• Notes persistence and get_note (strix/tools/notes/notes_actions.py): A full rewrite adding JSONL event-log persistence for cross-session replay, a wiki category with markdown sidecar files, threading.RLock for multi-agent thread safety, and a new get_note tool. list_notes now returns metadata + content_preview by default; full content requires get_note or include_content=True.
• Whitebox wiki integration (strix/tools/agents_graph/agents_graph_actions.py): Child agents automatically receive the shared repo wiki as injected context at start and append their results on agent_finish. is_whitebox is propagated to all child agents so the skill set and guidance travel with them.
• Whitebox skill files (source_aware_whitebox.md, source_aware_sast.md): Concrete playbooks for semgrep → ast-grep target derivation → gitleaks/trufflehog/trivy FS pass, with wiki update requirements enforced across agents.
• Dockerfile additions: ast-grep, tree-sitter-cli + pre-configured language parsers, and gitleaks. The gitleaks installation dynamically fetches the latest release version, which is worth pinning for reproducible builds.
• Test coverage: Four new test modules covering diff parsing, base-ref resolution, graceful degradation, whitebox flag propagation, wiki injection/update lifecycle, and JSONL replay — all well-isolated via monkeypatching.

Confidence Score: 5/5

• Safe to merge — core logic is correct, thread-safe, and well-tested; findings are non-blocking style improvements.
• The previous concern about auto-mode hard-failing on shallow repos is fully addressed with graceful degradation and a dedicated test. The diff-scope logic, notes persistence/replay, and whitebox wiki integration are all well-reasoned and covered by test suites. Two P2 items remain: a misleading test fixture and a non-reproducible Dockerfile installation, neither of which affects runtime correctness.
• containers/Dockerfile (gitleaks version pinning) and tests/tools/test_agents_graph_whitebox.py (extraneous context fixture)

Important Files Changed

Filename	Overview
strix/interface/utils.py	Adds 600+ lines of diff-scope resolution logic: dataclasses (DiffEntry, RepoDiffScope, DiffScopeResult), git helpers, _parse_name_status_z (NUL-delimited with tab fallback), _classify_diff_entries, build_diff_scope_instruction, and resolve_diff_scope_context. The auto-mode gracefully degrades on ValueError (e.g. shallow repo) rather than hard-failing. Logic is well-structured with proper error handling and test coverage.
strix/tools/notes/notes_actions.py	Major refactor: adds threading.RLock for thread safety, JSONL event log for persistence and cross-session replay, wiki note markdown persistence, get_note and append_note_content functions, include_content flag on list_notes, and content_preview truncation. All public functions are consistently lock-guarded. RLock is used correctly to allow append_note_content to re-acquire when calling update_note internally.
strix/tools/agents_graph/agents_graph_actions.py	Adds whitebox awareness throughout agent lifecycle: _extract_repo_tags and _load_primary_wiki_note for wiki context injection at agent start, _inject_wiki_context_for_whitebox injects the shared repo wiki as a user message, _append_wiki_update_on_finish appends agent results to the wiki on completion. is_whitebox flag is propagated to child agents. Best-effort error handling (broad except) prevents wiki failures from blocking agent completion.
strix/interface/main.py	Adds --scope-mode and --diff-base CLI arguments, calls resolve_diff_scope_context and converts ValueError to a styled error panel + sys.exit(1) for diff/full modes. Injects diff_scope metadata into scan_config and prepends the instruction block to user instructions. Clean integration.
containers/Dockerfile	Adds ast-grep, tree-sitter-cli, and pre-configured tree-sitter language parsers; adds gitleaks via dynamic GitHub API version fetch. The tree-sitter setup (parser cloning + symlinks + config injection) is elaborate but functional. The gitleaks installation dynamically fetches the latest release tag at build time, making builds non-reproducible.
tests/tools/test_agents_graph_whitebox.py	Good coverage for whitebox flag propagation, wiki injection, wiki-on-finish, and repo-tag matching. One misleading test fixture: agent_state.context in test_load_primary_wiki_note_prefers_repo_tag_match includes a whitebox_repo_tags field that _extract_repo_tags never reads; the test passes solely from the task text.
tests/interface/test_diff_scope.py	Good coverage for NUL-delimited parsing, instruction building, base ref resolution priority, and graceful auto-mode degradation. Tests are well-isolated via monkeypatching of git helpers.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: tests/tools/test_agents_graph_whitebox.py
Line: 290-293

Comment:
**Misleading `context` fixture in test**

`_extract_repo_tags` only reads `agent_state.task` (via regex over `/workspace/<name>` and `github.com/.../name` patterns) — it never inspects `agent_state.context`. The test passes because `task="analyze /workspace/appsmith"` alone produces the `repo:appsmith` tag. The `context={"whitebox_repo_tags": ["repo:appsmith"]}` field is never consumed, so readers might incorrectly infer that passing explicit tags through `context` would affect note selection.

Consider removing the `context` key from the `SimpleNamespace` to keep the fixture minimal, or — if explicit tag passing via `context` is planned — implement and test that path.

```suggestion
    agent_state = SimpleNamespace(
        task="analyze /workspace/appsmith",
    )
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: containers/Dockerfile
Line: 97-101

Comment:
**Non-reproducible gitleaks installation**

The `TAG` value is resolved at image build time by querying the GitHub releases API without authentication. This has two risks:

1. **Non-reproducibility**: successive builds may pull different gitleaks versions, making it hard to track exactly which version is in production images.
2. **Build fragility**: unauthenticated GitHub API calls are rate-limited (~60 req/hour). On a busy CI runner the `curl | jq .tag_name` could return an error message (or `null`), producing a malformed download URL that fails silently inside `set -eux` — or, because `set -eux` is active, aborts the entire layer.

Consider pinning to a known-good version (the approach already used for other tools in this repo):

```dockerfile
RUN set -eux; \
    GITLEAKS_VERSION="8.21.2"; \
    ARCH="$(uname -m)"; \
    case "$ARCH" in \
        x86_64) GITLEAKS_ARCH="x64" ;; \
        aarch64|arm64) GITLEAKS_ARCH="arm64" ;; \
        *) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;; \
    esac; \
    curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${GITLEAKS_ARCH}.tar.gz" -o /tmp/gitleaks.tgz; \
    tar -xzf /tmp/gitleaks.tgz -C /tmp; \
    install -m 0755 /tmp/gitleaks /usr/local/bin/gitleaks; \
    rm -f /tmp/gitleaks /tmp/gitleaks.tgz
```

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (5): Last reviewed commit: "grep" | Re-trigger Greptile}

[bearsyankees]

@greptileai

[bearsyankees]

@greptileai

[bearsyankees]

@greptileai

[bearsyankees]

@greptileai