Deep Review: 20260519-154901-pr-4995

This proof-of-concept makes Windows a valid os: value and adds an autounattend.xml generator alongside the existing cloud-config.yaml path. The diff is small (8 files, +77 −4) and the structural choices (a separate exported GenerateAutounattendXML, embedded template, dedicated filename constant) are clean.

The headline finding is C1: the regression test TestValidateMultipleErrors was edited to drop the OS-validation error from its expected output, but the test YAML still uses lowercase os: windows and nothing in the load → resolve → validate pipeline canonicalises it. go test ./pkg/limayaml -run TestValidateMultipleErrors fails as committed and will block CI.

The autounattend template itself has several Windows-specific gaps that are worth fixing before the boot wiring lands: a hardcoded processorArchitecture="amd64" that breaks ARM64 Windows guests (I1), no XML escaping for text/template-substituted user-controlled fields (I2), an SSH-key block embedded inside an XML comment which forbids -- (I3), an IANA timezone fed directly into a Windows-TZ-ID-only field (I4), and a computer name derived from a Lima identifier (up to 76 chars + lima- prefix) that can exceed the 15-char Windows ComputerName cap (I5).

Structure: 1 critical, 5 important, 6 suggestions, 3 design observations.

1. C1 is a working test failure — go test ./pkg/limayaml -run TestValidateMultipleErrors fails as committed.
2. No positive coverage for os: Windows — the validator switch accepts canonical Windows, but no test exercises that path. Add one.
3. No XML well-formedness test — TestAutounattendTemplate (template_test.go:172) does substring matching only. A test that parses the output with encoding/xml would catch I2 (escaping) and I3 (comment-block --).
4. No architecture matrix — the template hardcodes amd64 (I1); a table-driven test covering aarch64 would have caught it.
5. No coverage for the dispatch — no test confirms that GenerateCloudConfig on os: Windows writes autounattend.xml and skips cloud-config.yaml.
6. No Windows-specific constraints test — IANA TZ → Windows TZ mapping (I4), ComputerName length cap (I5), and the SSH-key comment escape (I3) all have no test coverage.

• New exported symbols GenerateAutounattendXML, ExecuteTemplateAutounattendXML, and the AutounattendXML filename constant lack godoc (S4).
• The internals documentation (docs/internals.md) still lists cloud-config.yaml as the only generated instance reference file. The user-facing config docs describe timezone as zoneinfo-based, which conflicts with what the Windows path emits today (I4).
• The PR adds a new user-visible OS value but no template, schema doc, or website page advertises it. If templates/ or docs/ would advertise Windows support, those need follow-up before the POC matures.

Single commit, scope matches the title. DCO sign-off present. No fixup commits.

• PR description: "The template is intentionally minimal (hostname/owner plus SSH keys placeholder) to demonstrate the end-to-end path without changing QEMU boot wiring yet." Consistent with the diff — no driver wiring, no SSH provisioning, no unattend pass beyond oobeSystem. The downstream GenerateISO9660 divergence (second design observation above) is a known consequence of this scope.
• Inline comment (autounattend.xml.tmpl:12): <!-- Lima SSH keys (placeholder, consumed by later Windows provisioning):. Explicitly flags that the keys are not yet wired.

Claude ¶

Claude was the only agent to actually run go test against the modified assertion and confirm the failure as a CI blocker — that's what makes C1 a Critical rather than an Important finding. It also surfaced the strongest design observation (hand-rolled XML invites a long tail of bugs, suggest a spec-aware generator) and the strongest godoc/comment-quality follow-ups. Severity calibration was sharp throughout: it correctly tagged the IANA-TZ issue at Suggestion when it later turned out the default codepath populates it (so a re-rating to Important is justified), and it did not inflate the redundant-validation finding (S3) the way Gemma did.

Codex ¶

Codex contributed the only unique find that materially raises the merge bar: I5 (ComputerName length cap vs. Lima identifier length). It also independently caught the test failure (I1 in its report), the hardcoded amd64, the XML-escaping risk, and the IANA-TZ mismatch — and it correctly named the conflict with templates/default.yaml:414-415's documented zoneinfo semantics. The one calibration miss: it rated the test failure as Important when it's a CI blocker. Otherwise tight, citation-rich, and low on noise.

Gemini ¶

Gemini found the same headline issues (hardcoded amd64, XML escaping) and contributed two unique angles: I3 (SSH-key comments with -- breaking the XML comment block) and the Joliet-extension miss (S5 in the consolidated report, demoted from Important to Suggestion because Windows guests don't yet consume cidata.iso). It missed the test failure: it noticed the assertion was edited (its I5) but reported only "coverage was lost," not "the test now fails." A git blame/go test step would have promoted that finding two severities; Gemini's known no-git blame posture cost it here.

Qwen ¶

Qwen failed on its first attempt — opencode auto-rejected its initial read because the prompt was sent with the worktree at its unresolved /var/folders/... path, while opencode canonicalised --dir to /private/var/folders/.... After a launch-helper fix that resolves the worktree path with filepath.EvalSymlinks (and a preamble update that anchors __WORKTREE__ literally in the in-tree-only sentence), Qwen produced a real review. The contribution was modest: it duplicated the redundant-validation suggestion (S3) and the XML-escape Important (I2), and seconded the design observation about GenerateISO9660 running unconditionally for Windows. Its only unique find was S6 (NewOS lacks the "freebsd" arm) — small but legitimate, and a miss for every other agent. Calibration was mixed: it mis-rated the XML-escape risk as Suggestion ("likelihood is low"), missing that User.Comment is explicitly unvalidated; and claimed TestValidateMultipleErrors "now passes" without running it, confirming the same execution gap as Gemini and Gemma.

Gemma ¶

Gemma's findings (redundant ValidateTemplateArgs call, unnecessary os.RemoveAll before WriteFile, missing docstrings) are all real but minor — the kind of items a Suggestion-tier reviewer should turn up. Two calibration issues:

1. It flagged os.RemoveAll as unnecessary, missing that the existing file is written with mode 0o444 — WriteFile's open+truncate fails on a read-only file, so the remove is load-bearing. False positive.
2. It noted "case-insensitive handling in NewOS" as a strength. NewOS is case-sensitive; it only matches "windows" or "Windows" because both are explicitly listed (and that listing happens to be the dead code Claude flagged in S1). Misread.

It also missed every Windows-correctness issue (XML escaping, hardcoded amd64, IANA TZ, ComputerName cap) and the critical test failure. Coverage misses: it marked autounattend.xml.tmpl, lima_yaml.go, validate.go, and validate_test.go as "Reviewed, no issues" while each contains at least one Important or Critical issue from the consolidated report.

Summary ¶

Claude and Codex did the heavy lifting. Either one alone would have produced an actionable review; together they covered the entire PR including the CI blocker and the unique ComputerName cap. Gemini added two further angles for free. Qwen (after the permission-system fix-up) contributed one unique find (S6 FreeBSD case) and seconded three existing findings — calibration is comparable to Gemma's. Gemma's findings are real but small, and two were calibration misses; it's a useful third opinion on the trivial-to-medium tier but should not be relied on for severity calls.

Reconciliation ¶

• Codex I1 (lowercase windows test failure): Important → Critical (C1). Reason: failing test blocks CI on merge.
• Claude S3 (TimeZone IANA mismatch): Suggestion → Important (I4). Reason: FillDefault populates the value from the host by default, so the bad output is the default codepath rather than an edge case.
• Gemini I4 (Joliet for Windows): Important → Suggestion (S5). Reason: Windows guests do not yet consume cidata.iso; pre-emptive fix only.
• Gemma I1 (redundant ValidateTemplateArgs): Important → Suggestion (S3). Reason: behaviour is harmless and matches the existing GenerateCloudConfig pattern.
• Gemma S1 (unnecessary os.RemoveAll): dropped as false positive. Reason: target file is 0o444; WriteFile's O_TRUNC fails without the prior remove.
• Qwen I2 (redundant ValidateTemplateArgs): Important → Suggestion (S3). Reason: same as Gemma's downgrade — harmless, matches existing pattern.
• Qwen S1 (XML escaping): Suggestion → Important (I2). Reason: Qwen judged "likelihood is low" but User is documented as not validated, so user-controlled fields routinely reach the template path.

Skill improvements ¶

• Execute affected tests when an agent finds an assertion edit. When a finding cites an edited expected-error string, an asserted output, or a deleted-then-restored test case, the agent should attempt to run that test before classifying the finding. The difference between "this test no longer covers X" (low severity) and "this test fails on main" (CI blocker) is one go test / pytest / equivalent invocation away, and confusing the two miscalibrates the verdict on the entire PR. Reviewers who can read code but skip executing it produce systematically softer findings on test edits.
• Treat YAML/JSON enum acceptance as a normalisation question, not a constant-list question. When a code change adds a value to a switch over string constants that originate from user-supplied YAML, the reviewer must trace the path from "raw YAML field" to "switch input" and verify case/format normalisation, not just confirm the new arm exists. The default mental model — "if it's in the switch, it works" — misses cases where the YAML loader returns the input verbatim and the constant differs in capitalisation, spacing, or punctuation. Flag any new enum addition that has no corresponding normalisation step as a Critical (failing acceptance test) or Important (silent rejection of the documented spelling), not a Suggestion.
• For any change that adds an item to an existing enumeration, audit symmetry across the codebase. Enumerations include string-constant lists, switch arms, dispatch tables, validation cases, type registries, normalisation maps, and parallel constant blocks. A new arm in one place often implies a missing arm in three others — case normalisation, default initialisation, formatter output, doc rendering, error reporting. Before approving such a change, grep every reference to the enumeration's existing items and confirm the new item is wired in everywhere the others are; flag each asymmetry as a separate finding (severity matches what breaks when the asymmetric path executes). Models that read the diff in isolation routinely miss this because the diff itself looks complete; the gap lives in the files the diff does not touch.

Repo context updates ¶

• Lima's ResolveOS/ResolveArch do not canonicalise user input. pkg/limayaml/defaults.go:1019-1031 returns the user's string verbatim whenever it is non-empty and non-"default". The capitalised constants (Linux, Darwin, FreeBSD, Windows) only match because users conventionally write them capitalised; lowercase spellings produce validation errors despite being human-equivalent. Any PR that touches os: or arch: validation should be checked against both the canonical and lowercase spellings.