Code Review

Well-crafted PR. The new repo-level defaultDriver tier is cleanly integrated into the existing resolution chain, with good test coverage at every layer.

Blocking Issues

None.

Suggestions

1. Positional parameter growth on resolveDriverConfig (src/domain/drivers/driver_resolution.ts:44-51): The function now has 6 optional DriverSource parameters, all the same type. Call sites like execution_service.ts:1843-1853 are fragile — passing undefined for definition to get to repo is easy to misread. A named-fields object ({ cli?, step?, job?, workflow?, definition?, repo? }) would make call sites self-documenting. Not for this PR, but worth considering as a follow-up since the parameter list is only going to grow with custom tiers.

2. execute() doesn't forward driver (execution_service.ts:1389-1405): The convenience wrapper only forwards a subset of run() options. This is pre-existing, but the new tests highlight the gap — the "CLI driver overrides" test must use run() directly while the other two use execute(). If more options get added over time, it might be simpler to have execute() accept the full run() options type.

What looks good

• Memoization pattern for the repo marker is solid — lazy load with undefined/null sentinel, loaded once per service instance, shared across nested workflows.
• Test coverage is thorough: 5 unit cases for resolution precedence, 1 persistence roundtrip, and 3 service-level integration tests exercising the default-applied, CLI-override, and no-default-fallback paths.
• Design doc updated with the new tier and example .swamp.yaml.
• The undefined for definition at the call site correctly preserves pre-existing behavior where that tier wasn't populated.

Adversarial Review

Critical / High

None found. The changes are minimal, well-scoped, and follow established patterns.

Medium

1. Race in loadRepoMarker() memoization — src/domain/workflows/execution_service.ts:1169-1175

   If two concurrent run() calls hit loadRepoMarker() before either completes, both see this.repoMarker === undefined, both issue a file read, and both write the result. Since both reads return the same data this is functionally harmless — but it means the "read at most once" contract in the comment is aspirational, not guaranteed. In practice, WorkflowExecutionService instances are typically short-lived and sequential, so this is unlikely to matter.

   Breaking scenario: Two concurrent run() calls → two file reads instead of one. No wrong result, just wasted I/O.

   Fix (if desired): Store the promise itself: this.markerPromise ??= this.markerRepo.read(RepoPath.create(this.repoDir)) and await the stored promise on subsequent calls.

2. definition tier is always undefined at the call site — src/domain/workflows/execution_service.ts:1848

   The function signature documents a definition tier between workflow and repo, but the call site passes undefined for it. This is pre-existing (before this PR, only 4 args were passed, leaving definition as undefined by default), but the PR makes it more visible by passing undefined explicitly. Model-level driver settings from definitions are not respected during workflow execution — the repo tier can't compensate for that gap.

   Not introduced by this PR; just surfaced.

Low

1. No runtime validation of defaultDriver / defaultDriverConfig types — src/infrastructure/persistence/repo_marker_repository.ts:105

   parseYaml(content) as RepoMarkerData is a type assertion without runtime validation. A .swamp.yaml with defaultDriver: 123 (number instead of string) would survive parsing and reach resolveDriverConfig, where source.driver !== undefined would be true for the number 123, and it would be returned as the driver value — a string-typed field carrying a number. This is the pre-existing pattern for all RepoMarkerData fields and not introduced by this PR.

Verdict

PASS — Clean, well-tested addition that follows existing patterns. The new repo tier slots into the resolution chain correctly, memoization is sound for practical usage, and test coverage is thorough (unit precedence tests + integration tests with real .swamp.yaml on disk). The medium findings are either pre-existing or cosmetic concurrency — nothing blocks merge.