v0.9.0 compliance: full upgrade against core/go reference

[Snider]

Brings this repo to verdict: COMPLIANT against the v0.9.0 audit.

🤖 Generated with Claude Code + Codex
Co-Authored-By: Codex noreply@openai.com
Co-Authored-By: Virgil virgil@lethean.io

Summary by CodeRabbit

Release Notes

• New Features

  • Enhanced validation for port configurations within acceptable ranges.

• Improvements

  • Expanded documentation across configuration structures and helper functions for improved clarity.
  • Updated dependencies to streamline package structure and reduce redundancy.

• Tests

  • Comprehensive test suites added for RAG chunking, ingestion, collections, keyword queries, embedding, and vector storage functionality to improve code reliability.

[coderabbitai]

📝 Walkthrough

Walkthrough

Comprehensive test suite additions for RAG system components with validation of chunking, ingestion, keyword queries, Qdrant, and Ollama integration. Import pathway refactored from dappco.re/go/core to dappco.re/go. Documentation enhancements and validation improvements added throughout.

Changes

Cohort / File(s)	Summary
RAG Test Suites ax7_chunk_core_test.go, ax7_ingest_collections_test.go, ax7_keyword_query_test.go, ax7_ollama_test.go, ax7_qdrant_test.go	New comprehensive unit tests validating chunking utilities, ingestion/collection operations, keyword search pipeline, Ollama embedder client, and Qdrant vector store integration with good/bad/ugly scenario coverage.
Core RAG Imports & Documentation chunk.go, chunk_test.go, ingest.go, ingest_test.go, keyword.go, mock_test.go, ollama.go, query.go, query_test.go, vectorstore.go	Import switch from dappco.re/go/core to dappco.re/go across files. Struct field documentation enhanced (ChunkConfig, Chunk, IngestConfig, IngestStats, KeywordResult, OllamaConfig, QueryConfig, QueryResult, Vector, CollectionInfo). Port validation added to OllamaClient.
Qdrant Client Refactoring qdrant.go	Replaces concrete *qdrant.Client field with internal interface type. Adds api() helper for nil-check. All operations obtain client via api(). Port range validation (1–65535) added. SkipCompatibilityCheck: true configured. Expanded documentation for QdrantConfig, Point, SearchResult.
RAG Helpers & Dependency Injection helpers.go, helpers_test.go, collections_test.go, endpoint.go, qdrant_integration_test.go, integration_test.go, rfc_features_test.go	Import pathway updates from dappco.re/go/core to dappco.re/go. Dependency injection factories (newDefaultQdrantClient, newDefaultOllamaClient) introduced in helpers.go for test stub support. Internal interfaces constrain injected client methods.
CLI Commands & Compatibility Layer cmd/rag/ax7_commands_test.go, cmd/rag/cmd_collections.go, cmd/rag/cmd_ingest.go, cmd/rag/cmd_query.go, cmd/rag/cmd_rag.go	New test suite for AddRAGSubcommands. Import updates and doc comments added to command implementations. New compatibility CLI package introduced at internal/compat/cli/ with cobra re-exports, argument validators, and style types.
CLI Compatibility Package internal/compat/cli/go.mod, internal/compat/cli/pkg/cli/cli.go, internal/compat/cli/pkg/cli/ax7_cli_test.go	New CLI compatibility module with cobra primitives re-exported as aliases. Helpers ExactArgs and MaximumNArgs for positional argument validation. NewGroup constructor for parent commands. Lightweight Style type with render method. Comprehensive test coverage.
Dependency Management go.mod, benchmark_test.go, benchmark_gpu_test.go, test_helpers_test.go	Adds direct dependency on dappco.re/go v0.9.0, removes dappco.re/go/core from direct requires (kept as indirect). Replaces CLI, i18n, inference, log modules to github.com/dappcore equivalents. Prunes terminal UI transitive dependencies. Benchmark imports updated. Test helper functions documented.
Documentation specs/forge.lthn.ai/core/go-rag.md	Minor spelling correction: "initialised" (British English).

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarises the main change: upgrading the repository to v0.9.0 compliance, which aligns with the substantial refactoring from core/go/core to core/go throughout the codebase.
Docstring Coverage	✅ Passed	Docstring coverage is 83.78% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

qdrant.go (1)

474-488: ⚠️ Potential issue | 🟠 Major

Preserve the legacy index payload key when decoding chunk metadata.

Line 479 only inspects chunk_index, but this struct now documents Index as a compatibility alias. Any collection populated with the older index field will lose chunk metadata in Search(), which in turn changes chunk-aware ranking and deduplication for existing data.

Suggested change

 func payloadChunkIndex(payload map[string]any) (int, bool) {
 	if payload == nil {
 		return 0, false
 	}
-	switch v := payload["chunk_index"].(type) {
-	case int:
-		return v, true
-	case int64:
-		return int(v), true
-	case float64:
-		return int(v), true
-	default:
-		return 0, false
+	for _, key := range []string{"chunk_index", "index"} {
+		switch v := payload[key].(type) {
+		case int:
+			return v, true
+		case int64:
+			return int(v), true
+		case float64:
+			return int(v), true
+		}
 	}
+	return 0, false
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@qdrant.go` around lines 474 - 488, The payloadChunkIndex function only reads
"chunk_index" and drops legacy "index" values; update payloadChunkIndex to also
check payload["index"] (after or before payload["chunk_index"] as desired for
precedence) and convert int/int64/float64 the same way so collections using the
older "index" key retain their chunk metadata; ensure you still return (int,
bool) and reuse the same type-switch logic (int, int64, float64) for the "index"
key and prefer the explicit "chunk_index" if you want newer data to win.

🧹 Nitpick comments (3)

rfc_features_test.go (1)

91-104: Optional: strengthen parsing robustness with negative/edge-case tests.

TestEndpointConfigParsing only covers two valid endpoint formats. Consider adding a few additional unit tests for likely failure modes (e.g., missing port, invalid scheme, malformed host/URL, unsupported scheme) to lock in error handling and prevent regressions.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@rfc_features_test.go` around lines 91 - 104, Add negative and edge-case
assertions to TestEndpointConfigParsing to exercise qdrantConfigFromEndpoint and
ollamaConfigFromEndpoint failure paths: add subtests for missing port (e.g.,
"https://example.com"), invalid scheme (e.g., "ftp://host:1234"), malformed
URL/host (e.g., "http://:1234" or "http:///"), and unsupported/empty scheme, and
assert that err is non-nil and configuration values are not set or defaulted as
expected; use the same helper assertions (assertNoError/assertTrue/assertEqual)
but invert them for expected failures to lock in error handling and prevent
regressions.

ax7_keyword_query_test.go (1)

424-437: Check err before consuming seq.

Line 429 returns both seq and err, but the loop starts at Line 432 before the test asserts success at Line 435. If QuerySeq() regresses and returns an error, this test can fail with a noisier iterator problem instead of the underlying assertion.

Suggested change

 	seq, err := QuerySeq(core.Background(), store, newMockEmbedder(2), "query", QueryConfig{Collection: "docs", Limit: 5, Threshold: 0.1})
+	core.AssertNoError(t, err)
 
 	var results []QueryResult
 	for result := range seq {
 		results = append(results, result)
 	}
-	core.AssertNoError(t, err)
 	core.AssertLen(t, results, 1)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ax7_keyword_query_test.go` around lines 424 - 437, Test checks consume the
seq channel before verifying err; move the error check so QuerySeq's err is
asserted before iterating. In TestAX7_QuerySeq_Good check the returned err from
QuerySeq (variable err) with core.AssertNoError(t, err) immediately after the
call to QuerySeq (or return/fail on non-nil) and only then range over seq;
reference TestAX7_QuerySeq_Good, QuerySeq, seq, and err to locate and update the
test.

ax7_ingest_collections_test.go (1)

87-96: Assert the returned error before ranging the iterator.

Line 89 captures (seq, err), but Line 91 consumes seq before Line 95 checks err. If ListCollectionsSeq() starts failing here, the test can mask the real regression with a less useful iterator failure. Move core.AssertNoError(t, err) above the loop.

Suggested change

 func TestAX7_ListCollectionsSeq_Ugly(t *core.T) {
 	store := newMockVectorStore()
 	seq, err := ListCollectionsSeq(core.Background(), store)
+	core.AssertNoError(t, err)
 	count := 0
 	for range seq {
 		count++
 	}
 
-	core.AssertNoError(t, err)
 	core.AssertEqual(t, 0, count)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ax7_ingest_collections_test.go` around lines 87 - 96, The test
TestAX7_ListCollectionsSeq_Ugly consumes the iterator seq before verifying the
call to ListCollectionsSeq succeeded; move the assertion core.AssertNoError(t,
err) immediately after the call to ListCollectionsSeq(core.Background(), store)
(before iterating over seq) so the test fails on the actual error from
ListCollectionsSeq rather than on iterator behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/rag/ax7_commands_test.go`:
- Around line 3-34: Replace usage of the external test harness (core.T and
core.Assert* calls) with stdlib testing.T and the local helpers from
test_helpers_test.go: change the test signatures to use (t *testing.T), import
"testing" instead of core, and replace
core.AssertLen/core.AssertEqual/core.AssertPanics/core.AssertTrue/core.AssertNotNil
with the corresponding local helpers (e.g., assertLen, assertEqual, assertPanics
or use assertTrue/assertNotNil equivalents provided). Keep calls to
AddRAGSubcommands, ragCmd and cli.NewGroup unchanged so the tests still verify
the same behavior.

In `@go.mod`:
- Around line 15-37: The go.mod indirect dependencies
github.com/buger/jsonparser and google.golang.org/grpc are pinned to vulnerable
versions (jsonparser v1.1.1 and grpc v1.79.2); update these modules to patched
releases (upgrade github.com/buger/jsonparser to a version that addresses
GHSA-6g7g-w4f8-9c9x / GO-2026-4514 and google.golang.org/grpc to a version that
fixes GHSA-p77j-4mvh-x3m3 / GO-2026-4762), then run your module update/cleanup
(go get to the patched versions and go mod tidy) and verify tests/builds to
ensure no regressions; locate occurrences by the module paths
github.com/buger/jsonparser and google.golang.org/grpc in the diff.

---

Outside diff comments:
In `@qdrant.go`:
- Around line 474-488: The payloadChunkIndex function only reads "chunk_index"
and drops legacy "index" values; update payloadChunkIndex to also check
payload["index"] (after or before payload["chunk_index"] as desired for
precedence) and convert int/int64/float64 the same way so collections using the
older "index" key retain their chunk metadata; ensure you still return (int,
bool) and reuse the same type-switch logic (int, int64, float64) for the "index"
key and prefer the explicit "chunk_index" if you want newer data to win.

---

Nitpick comments:
In `@ax7_ingest_collections_test.go`:
- Around line 87-96: The test TestAX7_ListCollectionsSeq_Ugly consumes the
iterator seq before verifying the call to ListCollectionsSeq succeeded; move the
assertion core.AssertNoError(t, err) immediately after the call to
ListCollectionsSeq(core.Background(), store) (before iterating over seq) so the
test fails on the actual error from ListCollectionsSeq rather than on iterator
behavior.

In `@ax7_keyword_query_test.go`:
- Around line 424-437: Test checks consume the seq channel before verifying err;
move the error check so QuerySeq's err is asserted before iterating. In
TestAX7_QuerySeq_Good check the returned err from QuerySeq (variable err) with
core.AssertNoError(t, err) immediately after the call to QuerySeq (or
return/fail on non-nil) and only then range over seq; reference
TestAX7_QuerySeq_Good, QuerySeq, seq, and err to locate and update the test.

In `@rfc_features_test.go`:
- Around line 91-104: Add negative and edge-case assertions to
TestEndpointConfigParsing to exercise qdrantConfigFromEndpoint and
ollamaConfigFromEndpoint failure paths: add subtests for missing port (e.g.,
"https://example.com"), invalid scheme (e.g., "ftp://host:1234"), malformed
URL/host (e.g., "http://:1234" or "http:///"), and unsupported/empty scheme, and
assert that err is non-nil and configuration values are not set or defaulted as
expected; use the same helper assertions (assertNoError/assertTrue/assertEqual)
but invert them for expected failures to lock in error handling and prevent
regressions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 89b9d71f-81cc-4a6b-971a-359287e60861

📥 Commits

Reviewing files that changed from the base of the PR and between 3cc5da5 and 0aa49a4.

⛔ Files ignored due to path filters (2)

• go.sum is excluded by !**/*.sum
• internal/compat/cli/go.sum is excluded by !**/*.sum

📒 Files selected for processing (36)

• ax7_chunk_core_test.go
• ax7_ingest_collections_test.go
• ax7_keyword_query_test.go
• ax7_ollama_test.go
• ax7_qdrant_test.go
• benchmark_gpu_test.go
• benchmark_test.go
• chunk.go
• chunk_test.go
• cmd/rag/ax7_commands_test.go
• cmd/rag/cmd_collections.go
• cmd/rag/cmd_ingest.go
• cmd/rag/cmd_query.go
• cmd/rag/cmd_rag.go
• collections_test.go
• endpoint.go
• go.mod
• helpers.go
• helpers_test.go
• ingest.go
• ingest_test.go
• integration_test.go
• internal/compat/cli/go.mod
• internal/compat/cli/pkg/cli/ax7_cli_test.go
• internal/compat/cli/pkg/cli/cli.go
• keyword.go
• mock_test.go
• ollama.go
• qdrant.go
• qdrant_integration_test.go
• query.go
• query_test.go
• rfc_features_test.go
• specs/forge.lthn.ai/core/go-rag.md
• test_helpers_test.go
• vectorstore.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify non-stdlib test signatures/usages in test files.
rg -nP --type=go '^func\s+Test\w+\(t\s+\*core\.T\)' -g '*_test.go'
rg -nP --type=go '\bcore\.(Assert|Require)\w+\(' -g '*_test.go'

Repository: dAppCore/go-rag

Length of output: 45105

---

Switch all AX7 tests to stdlib testing with local assertion helpers from test_helpers_test.go.

The test functions at lines 8, 16, and 27 use *core.T and core.Assert* calls from the dappco.re/go package, violating the project guideline requiring stdlib testing only. This pattern appears across all AX7 test files (e.g., ax7_ollama_test.go, ax7_qdrant_test.go, ax7_chunk_core_test.go, ax7_keyword_query_test.go, ax7_ingest_collections_test.go). Refactor to use *testing.T with stdlib checks or the local helpers (assertNoError, assertEqual, assertLen, assertContains, etc.) defined in test_helpers_test.go.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/rag/ax7_commands_test.go` around lines 3 - 34, Replace usage of the
external test harness (core.T and core.Assert* calls) with stdlib testing.T and
the local helpers from test_helpers_test.go: change the test signatures to use
(t *testing.T), import "testing" instead of core, and replace
core.AssertLen/core.AssertEqual/core.AssertPanics/core.AssertTrue/core.AssertNotNil
with the corresponding local helpers (e.g., assertLen, assertEqual, assertPanics
or use assertTrue/assertNotNil equivalents provided). Keep calls to
AddRAGSubcommands, ragCmd and cli.NewGroup unchanged so the tests still verify
the same behavior.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

query_osv () {
  local pkg="$1"
  local ver="$2"
  curl -sS https://api.osv.dev/v1/query \
    -H 'Content-Type: application/json' \
    -d "{\"package\":{\"name\":\"${pkg}\",\"ecosystem\":\"Go\"},\"version\":\"${ver}\"}" |
    jq -r --arg p "$pkg" --arg v "$ver" '
      "package=\($p) version=\($v)",
      (if (.vulns|length)==0 then "  no vulns returned"
       else (.vulns[] | "  " + .id + " | " + (.summary // "no summary"))
       end)
    '
}

query_osv "github.com/buger/jsonparser" "1.1.1"
query_osv "google.golang.org/grpc" "1.79.2"

Repository: dAppCore/go-rag

Length of output: 499

---

Upgrade vulnerable indirect dependencies before release.

Line 19 and line 35 currently pin versions with known security vulnerabilities (github.com/buger/jsonparser v1.1.1 and google.golang.org/grpc v1.79.2). Both have active advisories: jsonparser has denial-of-service findings (GHSA-6g7g-w4f8-9c9x, GO-2026-4514), and gRPC-Go has an authorisation bypass via missing leading slash in :path (GHSA-p77j-4mvh-x3m3, GO-2026-4762). These should be remediated as a blocker before release.

🧰 Tools

🪛 OSV Scanner (2.3.5)

[HIGH] 19-19: github.com/buger/jsonparser 1.1.1: Denial of service in github.com/buger/jsonparser

(GO-2026-4514)

---

[HIGH] 19-19: github.com/buger/jsonparser 1.1.1: Denial of service in github.com/buger/jsonparser

(GHSA-6g7g-w4f8-9c9x)

---

[CRITICAL] 35-35: google.golang.org/grpc 1.79.2: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

(GO-2026-4762)

---

[CRITICAL] 35-35: google.golang.org/grpc 1.79.2: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 15 - 37, The go.mod indirect dependencies
github.com/buger/jsonparser and google.golang.org/grpc are pinned to vulnerable
versions (jsonparser v1.1.1 and grpc v1.79.2); update these modules to patched
releases (upgrade github.com/buger/jsonparser to a version that addresses
GHSA-6g7g-w4f8-9c9x / GO-2026-4514 and google.golang.org/grpc to a version that
fixes GHSA-p77j-4mvh-x3m3 / GO-2026-4762), then run your module update/cleanup
(go get to the patched versions and go mod tidy) and verify tests/builds to
ensure no regressions; locate occurrences by the module paths
github.com/buger/jsonparser and google.golang.org/grpc in the diff.