fix(cli): treat untrusted baseline as empty outside gating mode and fail fast in ci

orenlab · orenlab · commit 2df02fd70c50 · 2026-02-08T15:10:23.000+05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -63,14 +63,14 @@ the HTML report UI, and introduces baseline versioning.
 
 - Baselines are now **versioned** and include a schema version.
 - Mismatched baseline versions **fail fast** and require regeneration.
-- Baseline loading is now strict: invalid schema/types or oversized baseline files
-  fail fast to preserve CI integrity.
 - Added baseline tamper-evident integrity for v1.3+ files (`generator`, `payload_sha256`)
   while keeping legacy baseline behavior as explicit regeneration-required fail-fast.
 - Added configurable size guards (`--max-baseline-size-mb`, `--max-cache-size-mb`):
-  oversized baseline fails fast, oversized cache is ignored with warning.
+  oversized cache is ignored with warning; oversized/invalid/untrusted baseline is ignored
+  outside gating mode and treated as empty baseline.
 - Behavioral hardening (CLI): baseline validation is now an explicit contract
-  (legacy/version/schema/python/integrity/size states) with deterministic fail-fast behavior.
+  (legacy/version/schema/python/integrity/size states). In `--fail-on-new`/`--ci`,
+  untrusted baseline states fail fast with deterministic exit codes.
 
 **Breaking (CI):** baseline version mismatch now fails hard; CI requires baseline regeneration on upgrade.
 
diff --git a/codeclone.baseline.json b/codeclone.baseline.json
@@ -1,12 +1,10 @@
 {
-  "functions": [
-    "15f730bde91427ef6cc7878fd98d8f9d2ca3b57e|20-49"
-  ],
+  "functions": [],
   "blocks": [],
   "python_version": "3.13",
   "baseline_version": "1.3.0",
   "schema_version": 1,
   "generator": "codeclone",
-  "payload_sha256": "ab5bbbe4c098b6aae44202f69c7f26398d4d85ae759ca096418d6fc054571cf1",
-  "created_at": "2026-02-08T09:06:10+00:00"
+  "payload_sha256": "92e80b05c857b796bb452de9e62985a1568874da468bc671998133975c94397a",
+  "created_at": "2026-02-08T09:54:31+00:00"
 }
diff --git a/codeclone/cli.py b/codeclone/cli.py
@@ -81,6 +81,13 @@ def _make_console(*, no_color: bool) -> Console:
     "integrity_failed",
     "too_large",
 }
+_UNTRUSTED_BASELINE_STATUSES = {
+    "invalid",
+    "too_large",
+    "generator_mismatch",
+    "integrity_missing",
+    "integrity_failed",
+}
 
 
 @dataclass(slots=True)
@@ -657,6 +664,7 @@ def process_sequential(with_progress: bool) -> None:
     baseline_loaded = False
     baseline_status = "missing"
     baseline_failure_code: int | None = None
+    baseline_trusted_for_diff = False
 
     if baseline_exists:
         try:
@@ -665,17 +673,22 @@ def process_sequential(with_progress: bool) -> None:
             baseline_status = (
                 e.status if e.status in _VALID_BASELINE_STATUSES else "invalid"
             )
-            if baseline_status == "too_large" or not args.update_baseline:
+            if not args.update_baseline:
                 console.print(ui.fmt_invalid_baseline(e))
-                baseline_failure_code = 2
+                if args.fail_on_new:
+                    baseline_failure_code = 2
+                else:
+                    console.print(ui.WARN_BASELINE_IGNORED)
         else:
             baseline_loaded = True
             baseline_status = "ok"
+            baseline_trusted_for_diff = True
             if not args.update_baseline:
                 if baseline.is_legacy_format():
                     baseline_status = "legacy"
                     console.print(ui.fmt_baseline_version_missing(__version__))
                     baseline_failure_code = 2
+                    baseline_trusted_for_diff = False
                 else:
                     if baseline.baseline_version != __version__:
                         assert baseline.baseline_version is not None
@@ -687,6 +700,7 @@ def process_sequential(with_progress: bool) -> None:
                             )
                         )
                         baseline_failure_code = 2
+                        baseline_trusted_for_diff = False
                     if baseline.schema_version != BASELINE_SCHEMA_VERSION:
                         assert baseline.schema_version is not None
                         if baseline_status == "ok":
@@ -698,6 +712,7 @@ def process_sequential(with_progress: bool) -> None:
                             )
                         )
                         baseline_failure_code = 2
+                        baseline_trusted_for_diff = False
                     if baseline.python_version:
                         current_version = _current_python_version()
                         if baseline.python_version != current_version:
@@ -712,6 +727,7 @@ def process_sequential(with_progress: bool) -> None:
                             if args.fail_on_new:
                                 console.print(ui.ERR_BASELINE_SAME_PYTHON_REQUIRED)
                                 baseline_failure_code = 2
+                                baseline_trusted_for_diff = False
                     if baseline_status == "ok":
                         try:
                             baseline.verify_integrity()
@@ -723,7 +739,14 @@ def process_sequential(with_progress: bool) -> None:
                             )
                             baseline_status = status
                             console.print(ui.fmt_invalid_baseline(e))
-                            baseline_failure_code = 2
+                            baseline_trusted_for_diff = False
+                            if args.fail_on_new:
+                                baseline_failure_code = 2
+                            else:
+                                console.print(ui.WARN_BASELINE_IGNORED)
+            if baseline_status in _UNTRUSTED_BASELINE_STATUSES:
+                baseline_loaded = False
+                baseline_trusted_for_diff = False
     else:
         if not args.update_baseline:
             console.print(ui.fmt_path(ui.WARN_BASELINE_MISSING, baseline_path))
@@ -742,6 +765,7 @@ def process_sequential(with_progress: bool) -> None:
         baseline = new_baseline
         baseline_loaded = True
         baseline_status = "ok"
+        baseline_trusted_for_diff = True
         # When updating, we don't fail on new, we just saved the new state.
         # But we might still want to print the summary.
 
@@ -755,7 +779,10 @@ def process_sequential(with_progress: bool) -> None:
     )
 
     # Diff
-    new_func, new_block = baseline.diff(func_groups, block_groups)
+    baseline_for_diff = (
+        baseline if baseline_trusted_for_diff else Baseline(baseline_path)
+    )
+    new_func, new_block = baseline_for_diff.diff(func_groups, block_groups)
     new_clones_count = len(new_func) + len(new_block)
 
     _print_summary(
diff --git a/codeclone/ui_messages.py b/codeclone/ui_messages.py
@@ -102,6 +102,10 @@
     "[dim]Comparing against an empty baseline. "
     "Use --update-baseline to create it.[/dim]"
 )
+WARN_BASELINE_IGNORED = (
+    "[warning]Baseline is not trusted for this run and will be ignored.[/warning]\n"
+    "[dim]Comparison will proceed against an empty baseline.[/dim]"
+)
 SUCCESS_BASELINE_UPDATED = "✔ Baseline updated: {path}"
 
 FAIL_NEW_TITLE = "[error]FAILED: New code clones detected.[/error]"
diff --git a/tests/test_cli_inprocess.py b/tests/test_cli_inprocess.py
