Skip to content

test: restore conformance warning fixture#89

Merged
jmcte merged 8 commits into
mainfrom
codex/issue-58-conformance-fixture
Jul 16, 2026
Merged

test: restore conformance warning fixture#89
jmcte merged 8 commits into
mainfrom
codex/issue-58-conformance-fixture

Conversation

@jmcte

@jmcte jmcte commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Restore the canonical conformance fixture after ownership-sidecar validation began failing closed on newly introduced managed files.
  • Apply and evaluate the same archetype, then remove its expected language marker to preserve the warning-only profile-conflict scenario.
  • Integrate the resolved publisher key, ISO 4217 spending threshold, and explicit repository-class migration/exception defaults from merged stack PR feat: resolve publisher and class deviations #90.
  • Integrate plan-first material notifications, verified hard-stop approvals, and expiring-exception delivery from merged stack PR feat: deliver governed material notifications #91.
  • Fail the configured webhook destination closed until the secure transport follow-up lands, keeping this PR below the 800-line review threshold without restoring the rejected SSRF path.

Governing Issue

Refs #55
Closes #56
Refs #58

Validation

  • Relevant local checks passed
  • Agent-authored changes passed autoreview against the intended PR diff with no accepted/actionable findings
  • Autoreview command and result: /Users/johnteneyckjr./.codex/skills/autoreview/scripts/autoreview --mode local --parallel-tests "npm run check && npm run build && git diff --check" — clean, no accepted/actionable findings; patch correct (0.96)
  • Required PR checks are expected to satisfy CI Gate
  • Skipped checks are explained below

Local checks on commit 2bf5b77 (tree-identical to reviewed commit 2627828):

  • npm run check — 20 test files, 113 tests passed
  • npm run build — passed
  • git diff --check — passed
  • PR governance accounting — 732 counted production lines, below the 800-line threshold
  • No local checks were skipped.

Bootstrap Governance

  • Changes are scoped to the linked issues
  • Contributor or PR guidance changes are reflected in CONTRIBUTING.md, .github/PULL_REQUEST_TEMPLATE.md, and docs/bootstrap/onboarding.md when applicable
  • PR author enabled auto-merge where GitHub allows it, or GitHub plan-limit evidence/unavailable reason is recorded and the fallback merge-readiness policy applies
  • No real secrets, runtime auth, or machine-local env files are committed

Material change: no
ADR: not required

Merge Automation

  • PR author enabled auto-merge with gh pr merge --auto --squash, or the reason it is unavailable/unsafe is noted below

Squash auto-merge is enabled; protected main still requires independent approval.

Notes

Keep the canonical conformance fixture aligned with ownership-sidecar enforcement while preserving distinct warning exit semantics. Refs #58.

Signed-off-by: Your Name <you@example.com>
@athena-omt athena-omt added status:needs-review PR is ready for Athena review. state:waiting-checks Waiting for CI/check status to settle. state:draft Draft PR; no review/repair execution yet. review:athena Athena review governance requested. labels Jul 16, 2026
@jmcte jmcte marked this pull request as ready for review July 16, 2026 11:05
@jmcte jmcte enabled auto-merge (squash) July 16, 2026 11:05
@athena-omt athena-omt removed the state:draft Draft PR; no review/repair execution yet. label Jul 16, 2026
Add publisher-neutral spending thresholds and require valid scoped exceptions when a repository cannot yet declare a canonical class. Closes #56.

Signed-off-by: Your Name <you@example.com>
Co-authored-by: Your Name <you@example.com>
@athena-omt athena-omt removed the state:waiting-checks Waiting for CI/check status to settle. label Jul 16, 2026
Add plan-first GitHub and webhook delivery, verified maintainer approvals for hard stops, and expiring-exception notification execution. Closes #55.

Signed-off-by: Your Name <you@example.com>
Co-authored-by: Your Name <you@example.com>

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Request changes

src/notifications.ts:538 only validates that the configured webhook URL uses https: before fetch sends the notification. This accepts destinations such as https://127.0.0.1, IPv6 loopback, link-local, and private-network hosts. Because delivery runs with the executor's network access and secrets context, an untrusted manifest/environment selection can turn this into an SSRF primitive.

Please restrict webhook delivery to an approved destination policy and reject loopback, link-local, private/reserved IP ranges, including hostnames after DNS resolution. Add focused regression coverage for direct IP and DNS-resolved private-host cases.

Reviewed fresh live head 23787fa0b026334dc6a5121516a5ece8d26c7fc4: branch is current with main, all live checks pass, auto-merge is enabled, and there are no existing reviews or unresolved threads to duplicate. Focused exact-head validation passed: notification, manifest, and conformance tests plus TypeScript typecheck.

@athena-omt athena-omt added state:needs-repair PR needs repair before review can proceed. state:waiting-checks Waiting for CI/check status to settle. and removed status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. labels Jul 16, 2026
Require an executor-owned exact-host allowlist, reject non-public literal and DNS-resolved addresses, and pin validated addresses with bounded failover under one delivery deadline. Addresses the security review on #89.

Signed-off-by: Your Name <you@example.com>
@jmcte

jmcte commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

Addressed the requested webhook SSRF hardening on current head 17fe368.

Changes:

  • require the fixed executor-owned BOOTSTRAP_NOTIFICATION_WEBHOOK_ALLOWED_HOSTS exact-host allowlist;
  • accept only HTTPS port 443 without URL credentials;
  • reject loopback, link-local, private, multicast, documentation, and reserved IPv4/IPv6 literals and every DNS answer;
  • pin the validated address in the built-in TLS transport to prevent DNS rebinding;
  • cover DNS resolution and all address attempts with one 10-second deadline, with bounded failover;
  • handle response-stream errors as failed delivery instead of allowing an unhandled process error.

Focused regressions cover direct IPv4/IPv6 destinations, IPv4-mapped loopback, mixed public/private DNS answers, reserved IPv6 documentation ranges, missing allowlist approval, and stalled DNS resolution.

Validation:

  • npm test -- --run tests/notifications.test.ts — 19 passed
  • npm run check — 20 files, 118 tests passed
  • npm run build — passed
  • git diff --check — passed
  • /Users/johnteneyckjr./.codex/skills/autoreview/scripts/autoreview --mode local — clean, no accepted/actionable findings; patch correct (0.90)

@athena-omt, please re-review the updated head when ready.

@jmcte jmcte requested a review from athena-omt July 16, 2026 17:43
@athena-omt athena-omt added status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. and removed state:needs-repair PR needs repair before review can proceed. labels Jul 16, 2026

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Request changes

The prior webhook SSRF blocker is addressed at 17fe368: delivery now requires an executor-owned exact-host allowlist, rejects non-public literal and DNS-resolved addresses, and pins validated addresses. Local npm run check passes (20 files, 118 tests).

However, this PR cannot merge while required CI is failing. Validate PR Governance reports PRS-PR-SIZE-001: the PR has 975 counted production lines, exceeding the 800-line review threshold. Please split the stacked production changes into reviewable PRs (or otherwise reduce the counted diff), then rerun CI and request a fresh review.

@athena-omt athena-omt added state:needs-repair PR needs repair before review can proceed. and removed status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. labels Jul 16, 2026
Keep notification planning, governing-record delivery, and hard-stop verification in this review lane while failing the configured webhook destination closed. The secure network transport moves to a smaller stacked follow-up so both pull requests satisfy the review-size policy.

Signed-off-by: Your Name <you@example.com>
@athena-omt athena-omt added status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. and removed state:needs-repair PR needs repair before review can proceed. labels Jul 16, 2026

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Request changes

Current head deliberately disables configured-webhook delivery and returns a blocking result in src/notifications.ts. That is fail-closed, but #55 requires notifications to be written to both the governing issue/PR and configured mechanism. This PR still says Closes #55, and the notifications deliver CLI description still says it writes both destinations.

Please either restore the secure webhook transport in this PR, or change the PR linkage to Refs #55, link the secure-transport follow-up, and correct the CLI wording so #55 is not closed until its configured-mechanism acceptance criterion is met.

@athena-omt athena-omt added state:needs-repair PR needs repair before review can proceed. and removed status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. labels Jul 16, 2026
@jmcte

jmcte commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

Addressed the PRS-PR-SIZE-001 request on current head 2627828.

Validation for #89:

  • npm run check — 20 files, 113 tests passed
  • npm run build — passed
  • git diff --check — passed
  • autoreview — clean, patch correct (0.96)

Validation for #92:

  • npm run check — 20 files, 118 tests passed
  • npm run build — passed
  • focused notifications — 19 tests passed
  • autoreview — final rerun clean, patch correct (0.88)

The merge order is #89 first, then #92. #89 now closes #56 and references #55; #92 closes #55.

@athena-omt, please re-review #89 and the focused follow-up #92 when ready.

@jmcte jmcte requested a review from athena-omt July 16, 2026 18:20
Require an executor-owned exact-host allowlist, reject non-public literal and DNS-resolved destinations, and pin validated addresses during HTTPS delivery. Bound resolution and address failover under one deadline and fail closed on transport errors.

Signed-off-by: Your Name <you@example.com>
Co-authored-by: Your Name <you@example.com>
@athena-omt athena-omt added status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. and removed state:needs-repair PR needs repair before review can proceed. labels Jul 16, 2026
This reverts commit 77a486e.

Signed-off-by: Your Name <you@example.com>
@jmcte

jmcte commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

Correction to the stacked-PR execution: GitHub immediately auto-merged #92 into the unprotected #89 integration branch. That re-expanded #89 and would have recreated PRS-PR-SIZE-001.

I reverted that integration merge in 2bf5b77. The current #89 tree is byte-for-byte identical to reviewed commit 2627828:

  • 732 counted production lines
  • webhook transmission disabled and fail-closed
  • npm run check — 20 files, 113 tests passed
  • npm run build — passed
  • git diff --check — passed

Issue #55 remains assigned to the secure transport follow-up. I will recreate that 258-line change against main only after #89 lands, and will not arm auto-merge while the follow-up base is an integration branch.

@athena-omt, please review current exact head 2bf5b77 for #89.

@athena-omt athena-omt removed the state:waiting-checks Waiting for CI/check status to settle. label Jul 16, 2026

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Request changes

The PR correctly changes #55 to Refs, but the CLI still promises configured-webhook delivery. src/notifications.ts:498-504 unconditionally reports that configured-webhook delivery is disabled, while src/cli.ts:308 and src/cli.ts:323 say these commands write to the configured webhook.

Please either restore the secure transport or correct both CLI descriptions to state that configured-webhook delivery is currently disabled/fail-closed, with regression coverage for the displayed CLI help. This keeps the operator contract accurate until the secure-transport follow-up lands.

@athena-omt athena-omt added state:needs-repair PR needs repair before review can proceed. and removed status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. labels Jul 16, 2026
Signed-off-by: daedalus-omt <268206840+daedalus-omt@users.noreply.github.com>
@athena-omt athena-omt added status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. and removed state:needs-repair PR needs repair before review can proceed. labels Jul 16, 2026

@athena-omt athena-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approve\n\nRe-reviewed exact live head .\n\nThe prior operator-contract blocker is resolved: both notification CLI descriptions now explicitly state that configured-webhook delivery is currently disabled, matching the fail-closed runtime behavior. New covers both help surfaces. I also executed both exact-head help commands on Athena and confirmed the disabled-delivery wording is rendered.\n\nFresh PR state: branch is current with ; all required checks are successful; squash auto-merge remains enabled. Existing Athena reviews were inspected; this approval supersedes the prior change requests without manually dismissing them.\n\nResidual risk: configured webhook delivery intentionally remains unavailable until the separately scoped secure-transport follow-up is reviewed and merged.

@jmcte jmcte merged commit fc12033 into main Jul 16, 2026
9 checks passed
@jmcte jmcte deleted the codex/issue-58-conformance-fixture branch July 16, 2026 21:13
@athena-omt athena-omt removed status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. labels Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Resolve repository classes, maturity, publisher defaults, and language profiles

3 participants