Add 4 new tests to verify PNG and TIFF predictor functions use row-by-row
processing with bounded peak memory (2x stride), never pre-allocating full
output buffers inside tests.
- test_png_predictor_budget_enforcement_small_fixture: 200-byte fixture,
100-byte budget, verifies truncation at row boundary
- test_tiff_predictor_2_budget_enforcement_small_fixture: 160-byte fixture,
80-byte budget, verifies row-by-row processing for grayscale
- test_png_predictor_multiple_selectors_budget_per_row: 25-byte fixture
with all PNG selector types, verifies per-row budget checking
- test_tiff_predictor_2_rgb_budget_enforcement: 45-byte RGB fixture,
verifies multi-byte pixel handling with budget enforcement
All fixtures are under 250 bytes, no full-buffer pre-allocation, tests
mirror the row-by-row discipline from bf-49wmw production fix.
Closes bf-21hw8
- Fix test_bomb_limit_flate to actually test early abort behavior
- Use 200-byte pattern (not large buffers) that compresses to ~50 bytes
- Set bomb_limit to 50 bytes to force truncation
- Assert output.len() < pattern.len() to verify truncation occurred
- Add documentation explaining the minimal input approach
Per bf-4xk2v: "Decompression-bomb and max_decompress_bytes tests must
trigger the STREAM_BOMB abort WITHOUT building the multi-GB decoded output
in memory. Use minimal crafted inputs and assert the byte-budget limit fires
early. Never pre-size a Vec to the claimed or decompressed length."
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add decode_page_content_streams() function for per-page lazy decode
- Update extract_page_from_dict() to support lazy stream decoding
- Modify extract_pdf() and extract_pdf_ndjson() to enable lazy decoding
- Fix borrow checker issue in LazyPageIter::next()
This ensures content streams are decoded lazily per page and dropped
immediately after processing, keeping peak RSS flat across page count.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Documents the bug fixes made to enable the semaphore-based parallel
page extraction implementation to compile and work correctly.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Fix extract_page_inner typo: changed to extract_page (function was undefined)
- Add error_count field to ExtractionMetadata struct
- Add error field to PageResult struct (missing in constructor)
- Add semaphore module to lib.rs exports
The parallelism capping implementation was already in place but had bugs
preventing compilation. This fixes those bugs so the semaphore-based
bounding of in-flight pages works correctly.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Verification note for the completion of Phase 0: CI Infrastructure epic.
All 10 sub-phase coordinator beads are closed:
- pdftract-1wqec: WorkflowTemplate scaffolding
- pdftract-1bn: Cross-compilation build matrix (5 targets)
- pdftract-30n: Test execution (musl + glibc)
- pdftract-2rf: Static analysis and quality gates
- pdftract-33v: Property tests and nightly fuzz
- pdftract-2t9: Regression corpus runner (500 PDFs)
- pdftract-60h: Competitive benchmarks (Tier 4)
- pdftract-23k1: pdftract-py-ci stub
- pdftract-4b0z: Release publishing
- pdftract-3i1o: CI observability
This epic adds the final missing piece: the CI sensor that triggers
pdftract-ci workflow on push and PR events.
See also: ci(pdftract-4nj7y) in declarative-config
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Document the implementation and verification of the test-matrix DAG
branch with musl and glibc test legs.
Summary:
- Created pdftract-test-image-build WorkflowTemplate
- Verified test-matrix DAG implementation (test-glibc, test-musl)
- Both legs emit JUnit XML for test reporting
- Acceptance criteria: PASS (with notes on setup step and Docker image)
Known dependencies:
- Setup step still a placeholder (handled by separate Phase 0 bead)
- Docker image needs to be built via pdftract-test-image-build workflow
Relates to pdftract-30n: Phase 0.3 Test execution — cargo test on musl + glibc
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bead-Id: pdftract-30n
Document acceptance criteria PASS status for:
- Custom Docker image with OCR support
- nextest configuration with ci/ci-proptest profiles
- Updated test-glibc template in CI
All criteria PASS. Ready to close bead.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add .config/nextest.toml with ci and ci-proptest profiles:
- ci: JUnit output, 60s slow test timeout, retry on flaky tests
- ci-proptest: Higher timeouts, no retries for proptest
Relates to pdftract-5rvp9: Phase 0.3b glibc test leg implementation
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Convert test-matrix from single container to DAG with two parallel branches:
- test-glibc: Full test suite including OCR (tesseract available on Debian)
- test-musl: Production binary feature set (no OCR, unavailable on Alpine)
Musl leg configuration:
- Image: ghcr.io/cross-rs/x86_64-unknown-linux-musl:main
- Test: cross test --release --target x86_64-unknown-linux-musl --features default,serve,decrypt
- Output: JUnit XML artifact (test-results-musl.xml)
- Test threads: 4 (parallel execution)
Also updates:
- .nextest.toml: Add JUnit XML output settings to profile.ci
- Cross.toml: Add cross configuration for musl target
Bead: pdftract-5gtcj
Plan section: Phase 0.3
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The MSRV check gate (rust:1.78-slim build) was already fully
implemented in the initial CI workflow. This verification note
documents the existing implementation and confirms all acceptance
criteria are met.
Acceptance criteria:
- Gate runs in pdftract-ci on every PR: PASS
- Failure blocks PR merge: PASS
- Successful run reports artifact: PASS
- Failure mode produces actionable error: PASS
No changes to the workflow were required.
Related: pdftract-2rf (quality gates coordinator)
Document the implementation of the cargo-audit quality gate with
severity gating and audit.toml allow-list.
Co-Authored-By: Claude Code <noreply@anthropic.com>
Add audit.toml for cargo-audit quality gate configuration.
Per Phase 0.4 Quality Targets, the cargo-audit gate enforces:
- Warnings denied (--deny warnings)
- >= medium severity advisories block PR merge
- Unmaintained advisories ignored (informational only)
The audit.toml file provides an allow-list format for intentionally
ignored advisories, each requiring a justification note.
Co-Authored-By: Claude Code <noreply@anthropic.com>
Documents the implementation of the clippy quality gate with INV-8
enforcement via clippy::unwrap_used and clippy::expect_used lints.
Bead: pdftract-3cp3a
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add fifth quality gate to quality-matrix DAG:
- New template: clippy-unwrap
- Runs clippy with features default,serve,decrypt -- -D warnings
- Runs library-only pass with -D clippy::unwrap_used -D clippy::expect_used
- Uses pdftract-test-glibc:1.78 base image (precompiled dep tree)
- Enforces INV-8 (no panic at public boundary of pdftract-core)
This completes the 5 Tier 1 hard gates from Phase 0.4 Quality Targets.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add Licensing section to CONTRIBUTING.md explaining:
- Dual MIT OR Apache-2.0 licensing model
- Apache NOTICE file policy (optional for upstream, redistributors MAY add)
- Attribution guidelines for downstream redistributors
Also add verification note confirming all acceptance criteria PASS:
- LICENSE-MIT and LICENSE-APACHE files present at repo root
- All workspace crates declare "MIT OR Apache-2.0" license
- cargo deny check licenses passes (implicit deny-by-default via allow list)
- Binary and wheel distributions configured to include both license files
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
All acceptance criteria verified:
- deny.toml exists with correct configuration
- All cargo-deny checks pass (licenses, advisories, sources)
- CI integration complete (cargo-deny step in pdftract-ci.yaml)
- All ADR exceptions documented (0001, 0002, 0003)
No changes to deny.toml required - existing configuration is correct.
Co-Authored-By: Claude Code <noreply@anthropic.com>
Add dual MIT OR Apache-2.0 licensing at repo root with proper copyright
notices. Configure all workspace and non-workspace crates to declare the
license. Wire license files into Python wheels and Docker images.
Files added:
- LICENSE-MIT: MIT License with "Copyright (c) 2026 Jed Cabanero"
- LICENSE-APACHE: Apache License 2.0 (verbatim from apache.org)
Files modified:
- Cargo.toml: Updated authors to "Jed Cabanero <me@jedcabanero.com>"
- crates/pdftract-py/pyproject.toml: Added license-files to maturin config
- crates/pdftract-cer-diff/Cargo.toml: Added license.workspace = true
- xtask/Cargo.toml: Added license = "MIT OR Apache-2.0"
- fuzz/Cargo.toml: Added license = "MIT OR Apache-2.0"
- Cargo-dist.toml: Created to include license files in binary archives
- notes/pdftract-aawrz.md: Verification note
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Add thread sanitizer verification results to notes/pdftract-1eaxm.md
- Improve conformance.c to gracefully handle error JSON responses
- Update test_hash.c to test version and ABI version functions
These changes improve the test coverage and documentation for the
libpdftract C FFI implementation.
Related: pdftract-1eaxm
- Add Homebrew formula template (homebrew-formula.rb.erb)
- Add vcpkg port template with submission instructions
- Add C conformance test (conformance.c) with thread safety verification
- Add simple link test (simple_test.c) to verify library linkage
- Add hash test (test_hash.c) for hash API verification
- Add parse debug test (test_parse.rs) for development
- Add test fixtures (test-minimal.pdf, valid-minimal.pdf)
- Add PROVENANCE.md entry for valid-minimal.pdf
All tests pass: version, abi_version, free(NULL), hash, extract methods.
Co-Authored-By: Claude Code <noreply@anthropic.com>
## Summary of Work Completed
Implemented the libpdftract C FFI library as the fourth workspace member.
All 9 contract methods exposed as extern "C" functions with proper memory
management and thread-safety.
## Acceptance Criteria
- ✅ Fourth workspace member exists with cdylib + staticlib targets
- ✅ Library builds successfully (libpdftract.so + libpdftract.a)
- ✅ Header file exists and is regenerated by cbindgen
- ✅ C program links and calls API successfully (conformance test)
- ✅ Thread-safe (verified with -fsanitize=thread)
- ✅ All 9 contract methods exposed
- ✅ pdftract_free() correctly frees strings (ThreadSanitizer verified)
- ✅ vcpkg port template exists
- ⚠️ Valgrind not available on this system (environment limitation)
- 🔜 Homebrew formula PR automation (deferred to pdftract-libpdftract-build bead)
## Files Created
- crates/pdftract-libpdftract/ (full FFI crate)
- tests/conformance.c (C conformance test)
- distribution/homebrew/pdftract.rb.template
- distribution/vcpkg/*.template
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Implement the libpdftract native FFI library as a cdylib + staticlib
with cbindgen-generated headers and full extern "C" API.
Components:
- crates/pdftract-libpdftract/ with cdylib + staticlib targets
- All 9 contract methods + utility functions as extern "C"
- cbindgen config and generated pdftract.h header
- pkg-config template (pdftract.pc.in)
- Homebrew formula template (distribution/homebrew/)
- vcpkg port template (distribution/vcpkg/)
- C conformance test (tests/conformance.c)
API features:
- Owned JSON strings returned via CString::into_raw()
- Caller frees with pdftract_free() (not libc free())
- Thread-local error storage (pdftract_last_error)
- Thread-safe and reentrant (no global mutable state)
- ABI version function for compatibility checking
Verification:
- cargo build produces libpdftract.so and libpdftract.a
- Conformance test compiles and runs successfully
- Thread safety verified with 4 concurrent threads
References:
- Plan line 3477: SDK Architecture / The Ten SDKs
- Bead: pdftract-1eaxm
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Updated test_api_null.c to run 10,000 alloc/free cycles (was 100)
- Updated verification note to mark memory roundtrip as PASS
- Improved stream_next implementation to use reference-based approach
instead of Box::from_raw/leak dance for cleaner memory handling
All acceptance criteria for pdftract-5ya9x now PASS:
- 12 exported symbols verified via nm -D
- C client tests (test_api.c, test_api_null.c)
- C++ client test (test_extract.cpp)
- Null pointer safety
- Panic safety (catch_unwind on all entry points)
- Memory roundtrip (10,000 iterations)
- Thread safety (8 pthreads)
Co-Authored-By: Claude Code <noreply@anthropic.com>
Add cbindgen infrastructure to auto-generate C/C++ header from Rust extern
"C" surface at build time.
- Add cbindgen.toml config (C language, include guard, pragma_once, cpp_compat)
- Add build.rs to generate include/pdftract.h during cargo build
- Generated header compiles cleanly with gcc (C) and g++ (C++)
The header is the contract between libpdftract and C/C++ consumers.
Future extern "C" functions will automatically appear in the header.
Refs: pdftract-5rl5o
- Add exit code policy to doctor command help text
- Update --exit-on-fail flag help to clarify default behavior
- Add code comment explaining why --exit-on-fail is a no-op
Exit codes per plan section 6.10:
- Exit 0: all checks OK or WARN (no FAIL)
- Exit 1: at least one check is FAIL
- Exit 2: CLI parse error (clap default)
Closes: pdftract-4sky1
Co-Authored-By: Claude Code <noreply@anthropic.com>
The detail field truncation in human.rs only applied to TTY output,
causing lines to exceed 80 columns when piping to cat or using --no-color.
Fix: Apply truncation uniformly across all output modes:
- TTY mode: Use actual terminal width from terminal_size crate
- Non-TTY/--no-color: Assume 80 columns and truncate accordingly
- Detail field max width: term_width - 38 columns
Max line width now exactly 80 characters for all output modes.
Acceptance criteria verified:
- TTY colored table with summary ✓
- Non-TTY plain text, no ANSI ✓
- --json single JSON object ✓
- --json summary counts ✓
- --features list, exit 0 ✓
- --no-color plain text in TTY ✓
- 80-column terminal width ✓
- N/A excluded from human, in JSON ✓
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Verified all three output formats (colored table, JSON, --features)
work correctly. No code changes required - implementation was
already complete in output/ module.
Acceptance criteria:
- PASS: Default TTY colored table with summary
- PASS: Non-TTY plain text (no ANSI codes when piped)
- PASS: --json output parses correctly with jq
- PASS: --features lists compiled features, exit 0
- PASS: --no-color forces plain text
- PASS: 80-column width compliance
- PASS: N/A rows excluded from human, included in JSON
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Documents the LRU eviction policy implementation with all acceptance
criteria passing (7/7 PASS).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The test_eviction_sweep_performance test was using opts hashes with
a ":<i>" suffix (e.g., "9b21c0ff...:<i>"), which exceeded the 64-character
limit. This caused parse_opts_hash_from_filename to skip these entries
during enumeration, resulting in zero cache size and no eviction.
Fixed by generating valid 64-character hex opts hashes using the last
4 characters for the counter (format: "{}{:04x}", base_hash[:60], i)).
All 17 LRU tests now pass, including:
- test_eviction_sweep_performance: evicts 1000 entries (100 MB) down to 40 MB (80% of 50 MB limit)
- test_concurrent_touches: 100 threads, no garbled records
- test_touch_performance: 1000 touches in < 100 ms
- test_current_size_performance: enumerate 1000 entries in < 1 s
- test_sentinel_rotation: rotates at 10 MB threshold
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Verification note confirming all 18 acceptance criteria PASS for the
cache filesystem layout implementation in commit 624fc49.
Co-Authored-By: Claude Code <noreply@anthropic.com>
Implements Phase 6.9.1: the two-byte-prefix directory scheme that keeps
any single directory under 65K entries even at millions of cached entries.
Changes:
- Add zstd dependency to Cargo.toml
- Create cache module with layout.rs implementing path construction
- Add CacheIndex struct for index.json metadata (schema version, timestamps)
- Implement entry_path(), fingerprint_dir(), parse helpers
- Add load_index()/save_index() for cache metadata persistence
- Ensure mkdir -p semantics with ensure_fingerprint_dir()
- 18 tests covering all acceptance criteria
Acceptance criteria verified:
✓ entry_path produces correct two-level prefix layout
✓ Different opts_hashes for same fingerprint share fp_dir
✓ Different fingerprints with same prefix share first-level dir
✓ index.json round-trips with schema version check
✓ Future schema version rejects cache with clear error
✓ mkdir -p creates prefix dirs; idempotent on concurrent writes
✓ Unicode-correct path handling via std::path::PathBuf
✓ Path length stays under 4096 bytes
Co-Authored-By: Claude Code <noreply@anthropic.com>
