Tsqoba (წ) TSQOBA

Why some checks are cheaper before patch apply than in CI

On the runtime’s owned patch lane, some bad repairs are cheap to classify before they land and expensive once they become accepted local style.

Last checked 2026-04-10

Why some checks are cheaper before patch apply than in CI

A repository can use CI, local hooks, and a runtime-owned write path at the same time. This note is about the third case: when the runtime owns patch apply and can stop some cheap local mistakes before they enter the tree.

The current point is narrow. Some bad repairs are cheaper to stop before patch apply than after they reach CI. That matters for the class of mistakes the runtime can classify cheaply from one file plus repository policy: direct repo-config access, panic shortcuts in shared Rust code, sleep-based timing in tests, serial escape hatches, and similar local patterns.

The narrow class where timing matters

In brownfield repositories, accepted code is not passive storage. It becomes the closest instruction for the next edit. Reviewers, later authors, and agents all learn from what already landed.

When a shortcut enters the tree, later work tends to copy it because it is local, concrete, and already accepted once. A late CI failure may still be correct, but it arrives after the pattern has already been written, explained, and partially normalized.

That is why timing matters here. If the mistake is cheap to classify and cheap to redirect, earlier rejection changes the next move before the shortcut becomes local precedent.

What the current lane does

On the current Musha patch lane, Sadave runs fs.write.pre before patch apply. If the hook blocks one targeted file, the patch does not land and the workspace stays unchanged.

RUST
// simplified current order on Musha's patch lane
run_fs_write_pre_hooks(..., &req.action).await?;
let result = apply_patch_in_dir(...);

The check is deliberately smaller than the full patch verdict. The hook derives targeted files from the patch action, sorts them deterministically, and runs quick file analysis against candidate bytes plus base-workspace context.

The patch verdict is still whole-patch: if one targeted file blocks, the patch does not land. That is a narrow job on a path the runtime already owns. It is not trying to do whole-repo architecture review before every patch.

One current block is enough

A current repo-config bypass example is enough to show why earlier rejection helps. The proposed change built an ad-hoc path to .tsqoba/tsqoba.toml outside the adapter that owns repo config.

DIFF
*** Begin Patch
*** Add File: tsqoba/crates/tsqoba_cli/src/current_run_bundle_direct_config_bypass.rs
+fn current_run_bundle_direct_config_bypass() {
+    let _direct = std::path::PathBuf::from(".").join(".tsqoba/tsqoba.toml");
+}
*** End Patch

On the current patch lane, that write is blocked before patch apply under RUST-SEMGREP-TSQOBA-TOML-DIRECT-ACCESS-001. The workspace stays unchanged, and the reject keeps a typed hook report instead of a vague red footer.

That changes the social path as well as the technical one. The shortcut never becomes accepted local precedent, and the author does not have to unwind it later.

Where later checks still belong

Not every bad change fits this lane. Some checks need broader execution context, more time, or a full run. Those belong later, and Tsqoba already uses later checks and replay surfaces where that is the right tool.

The useful current point is smaller. When a mistake is file-local, cheap to classify, and costly once accepted, earlier rejection on an owned patch lane is often cheaper than later cleanup in CI.

Contents
  1. The narrow class where timing matters
  2. What the current lane does
  3. One current block is enough
  4. Where later checks still belong