Finalize QLC wiring contract and asset guard

[SeCuReDmE-main-dev]

Summary

• stamp QLC workflow/gateway fixtures with contract_version=qlc-wiring-contract.v2
• repair CI dependency install for cryptography-backed imports
• add final local QLC -> gateway -> FNP-QNN smoke runner
• expand design asset manifest and include logo template v4/v5 assets

Tests

• python -m pytest
• python scripts/qlc_final_wiring_smoke.py
• python -m ffed_qlc.cli inspect-workflow --bundle tests/fixtures/qlc_contract/qlc_workflow_image.json

Risk

Prototype metadata-only wiring; no FQLC1 encryption change.

[qodo-code-review]

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

[gemini-code-assist]

Code Review

This pull request introduces a local smoke test script (qlc_final_wiring_smoke.py) to verify the integration between QLC, the gateway, and FNP-QNN, alongside adding a contract_version field to workflow bundles and gateway submissions for local fixture validation. It also updates the mascot asset manifest with new design assets and documents the asset intake process. The review feedback highlights critical improvement opportunities in the smoke test script, specifically recommending that test client requests and qlc_submit calls be wrapped in try...except blocks to prevent unhandled crashes, and suggesting safer dictionary access for the gateway submission payload.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

There are two issues in _run_fnp_testclient:

1. The bundle["gateway_submission"] dictionary is accessed directly. However, inspect_qlc_workflow_bundle supports both workflow bundles and gateway submissions directly. If a gateway submission is passed, bundle["gateway_submission"] will be missing, causing a KeyError.
2. The TestClient request and JSON parsing are executed outside of the try...except block, which can lead to unhandled crashes if the test client fails or the response is invalid.

Wrapping the entire block in a try...except and safely retrieving mesh_payload resolves both issues.

    try:
        from fastapi.testclient import TestClient
        from api.main import app

        submission = bundle if bundle.get("schema") == "ffed.qlc.gateway_submission.v1" else bundle.get("gateway_submission", {})
        mesh_payload = submission.get("mesh_payload")
        if not mesh_payload:
            return {"success": False, "stage": "fnp_payload", "error": "Missing mesh_payload in bundle"}

        response = TestClient(app).post("/cerebrum/runtime/run", json=mesh_payload)
        if response.status_code != 200:
            return {"success": False, "stage": "fnp_runtime", "status_code": response.status_code, "body": response.text[:240]}
        body = response.json()
        runtime = body.get("runtime") or {}
        qlc_runtime = runtime.get("qlc_runtime") or {}
        return {
            "success": body.get("status") == "ok",
            "simulator_status": body.get("status"),
            "qlc_runtime_schema": qlc_runtime.get("schema"),
            "contract_version": qlc_runtime.get("contract_version"),
            "media_type": qlc_runtime.get("media_type"),
            "swop_level": qlc_runtime.get("swop_level"),
            "mesh_payload_fingerprint_present": bool(qlc_runtime.get("mesh_payload_fingerprint")),
            "raw_payload_embedded": bool(qlc_runtime.get("raw_payload_embedded", True))
        }
    except Exception as exc:
        return {"success": False, "stage": "fnp_execution", "error": _compact_error(exc)}

[gemini-code-assist]

The qlc_submit call is executed outside of the try...except block. If qlc_submit raises any runtime or network-related exceptions (e.g., connection timeout, connection refused), the script will crash with an unhandled exception instead of returning a structured JSON error. Wrapping both the import and the execution inside the try...except block ensures robust error handling.

Suggested change

	try:
	from fnpqnn_gateway_mvp.qlc_submit import qlc_submit
	except Exception as exc:
	return {"success": False, "stage": "gateway_import", "error": _compact_error(exc)}
	return qlc_submit(bundle, simulator_url=simulator_url, dry_run=not real_submit, timeout=5)
	try:
	from fnpqnn_gateway_mvp.qlc_submit import qlc_submit
	return qlc_submit(bundle, simulator_url=simulator_url, dry_run=not real_submit, timeout=5)
	except Exception as exc:
	return {"success": False, "stage": "gateway_execution", "error": _compact_error(exc)}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a7f93d87a0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Reject missing nested contract stamps

For workflow bundles, the bundle_version or submission_version fallback and conditional mismatch check allow one of the two required stamps to be absent as long as the other is qlc-wiring-contract.v2. That means a workflow whose gateway_submission.contract_version was dropped still inspects as success even though the gateway handoff is the object consumed downstream, so the new drift guard misses one-sided contract drift; require both fields for WORKFLOW_SCHEMA bundles and reserve the fallback only for standalone gateway-submission inputs.

Useful? React with 👍 / 👎.