
fix(miner): normalize deny-hook paths and block short force-push flag#2886

Merged
gittensory-orb[bot] merged 1 commit into
mainfrom
codex/propose-fix-for-deny-check-cli-vulnerability
Jul 4, 2026

Conversation

@JSONbored

Owner

Motivation

  • The gittensory-miner hooks check CLI exposed deny-hook verdicts as an exit-code gate, but path candidates were not normalized, allowing ./.github/workflows/ci.yml to bypass the .github/workflows/** rule.
  • The force-push guard only checked for --force, so short-form flags like -f could be allowed and circumvent the intent to block force-pushes.
  • Make the deny-check decision robust for local harnesses by normalizing path candidates and covering short force-push variants so the CLI is a safe enforcement boundary.

Description

  • Normalize path candidates before glob matching by adding normalizePathCandidate() and including normalized tokens in pathCandidates() so dot-prefixed and backslash variants match the built-in pathPattern rules in packages/gittensory-miner/lib/deny-hooks.js.
  • Add an additional built-in deny rule that looks for push + -f to complement the existing push + --force rule in DEFAULT_DENY_RULES.
  • Add regression tests that cover dot-prefixed workflow paths and git push -f cases in test/unit/miner-deny-hooks.test.ts and extend the CLI test test/unit/miner-cli-deny-check.test.ts to assert runDenyCheck returns a blocking exit code for ./.github/workflows/ci.yml.

Testing

  • Ran unit tests with npx vitest run test/unit/miner-deny-hooks.test.ts test/unit/miner-cli-deny-check.test.ts and all tests passed.
  • Built the miner packaging check with npm run build:miner and it succeeded (node --check validations passed for the modified files).
  • Attempted the full local gate npm run test:ci but actionlint setup failed due to transient network/host-label warnings during GitHub downloads, and npm audit --audit-level=moderate returned 403 Forbidden from the registry, so those two automated checks could not be completed locally.

Codex Task

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 4, 2026

Cloudflare Workers deployment of gittensory-ui at commit 00ea109: deployment successful, Jul 04 2026, 07:34 AM UTC.

@codecov

codecov Bot commented Jul 4, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.06%. Comparing base (cb930db) to head (00ea109).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2886   +/-   ##
=======================================
  Coverage   96.06%   96.06%           
=======================================
  Files         259      259           
  Lines       28655    28655           
  Branches    10428    10428           
=======================================
  Hits        27528    27528           
  Misses        490      490           
  Partials      637      637           

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. label Jul 4, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 4, 2026


Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review result - approve/merge recommended

Review updated: 2026-07-04 07:38:31 UTC

4 files · 1 AI reviewer · no blockers · readiness 93/100 · CI green · clean

✅ Suggested Action - Approve/Merge

  • safe to merge

Review summary
The change adds token-aware matching for short force-push flags and reuses the same tokenization for path candidate normalization. The implementation correctly avoids the reported `--follow-tags` false positive while blocking bare and bundled short `-f` forms, and the added type declaration keeps the public rule shape in sync. The path normalization is narrow but coherent with the existing glob behavior and covered for the visible deny-hook paths.

Nits — 4 non-blocking
  • nit: packages/gittensory-miner/lib/deny-hooks.js:42 only strips leading `./`, so confirm you intentionally do not canonicalize case or leading `/` the same way `src/signals/change-guardrail.ts` does for related path matching.
  • nit: packages/gittensory-miner/lib/deny-hooks.js:112 reuses caller-supplied `RegExp` instances directly, so a custom global or sticky `inputTokenPattern` could carry `lastIndex` state across token tests; document that rule patterns should not use `g`/`y` or clone/reset before testing.
  • packages/gittensory-miner/lib/deny-hooks.js:42: consider aligning `normalizePathCandidate()` with the existing guardrail canonicalization helper’s behavior for leading slashes and case-folding, or add a short comment explaining why deny-hook matching deliberately stays case-insensitive via the compiled glob instead.
  • packages/gittensory-miner/lib/deny-hooks.js:112: make token-pattern evaluation state-independent with `rule.inputTokenPattern.lastIndex = 0` before each `.test()` or by constructing a non-global copy before matching custom rules.
Signal results
  • Code review: ✅ No blockers (1 reviewer)
  • Linked issue: ⚠️ Missing (no linked issue or no-issue rationale found)
  • Related work: ✅ No active overlap found (no same-issue or scoped active PR overlap found)
  • Change scope: ✅ 20/20 (low review scope from cached public metadata; no linked issue context)
  • Validation posture: ✅ 25/25 (PR body includes validation/test evidence)
  • Contributor workload: ✅ 10/10 (author activity: 60 registered-repo PR(s), 51 merged, 437 issue(s))
  • Contributor context: ✅ Confirmed (Gittensor contributor JSONbored; Gittensor profile; 60 PR(s), 437 issue(s))
  • Gate result: ✅ Passing (no configured blocker found)
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: Python, TypeScript, JavaScript, Ruby, Go, Kotlin, MDX, Shell
  • Official Gittensor activity: 60 PR(s), 437 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • No action.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

@gittensory-orb gittensory-orb Bot added the gittensor Gittensor contributor context label Jul 4, 2026
@JSONbored JSONbored self-assigned this Jul 4, 2026
Substring matching on "-f" false-positively blocked git push --follow-tags
(the flag contains "-f" as a substring). Add inputTokenPattern, a rule
constraint that matches a whole whitespace-separated token instead of a
substring, and use it for the short-flag force-push guard.
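
The following is an added example written for this page, not code from gittensory-miner's deny-hooks.js. It illustrates the two behaviours the PR body and this commit message describe: path candidates normalized before glob matching, so ./.github/workflows/ci.yml no longer bypasses the .github/workflows/** rule, and an inputTokenPattern rule that matches a whole whitespace-separated token, so git push -f is denied while git push --follow-tags is not. It also handles the reviewer's lastIndex caveat for global or sticky custom patterns. The function and field names (normalizePathCandidate, pathCandidates, DEFAULT_DENY_RULES, inputTokenPattern, runDenyCheck) follow the PR text, but their signatures, the glob compiler, the verb requirement and the exit code 1 are assumptions of this example.

```javascript
// Added example for this page; not code from gittensory-miner's deny-hooks.js.
// Names (normalizePathCandidate, pathCandidates, DEFAULT_DENY_RULES,
// inputTokenPattern, runDenyCheck) follow the PR text; signatures are assumed.

// Fold Windows separators and strip any number of leading "./" segments, so
// "./.github/workflows/ci.yml" and ".\.github\workflows\ci.yml" both reduce
// to ".github/workflows/ci.yml" before glob matching.
function normalizePathCandidate(p) {
  let s = String(p).replace(/\\/g, '/');
  while (s.startsWith('./')) s = s.slice(2);
  return s;
}

// Try each token both as written and normalized, so a rule keyed on the
// canonical spelling still fires for dot-prefixed or backslash variants.
function pathCandidates(token) {
  return [...new Set([token, normalizePathCandidate(token)])];
}

// Minimal glob compiler: "**" crosses "/" boundaries, "*" stays in one segment.
function globToRegExp(glob) {
  let src = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') { src += '.*'; i++; }
    else if (c === '*') src += '[^/]*';
    else src += c.replace(/[.+?^${}()|[\]\\]/, '\\$&');
  }
  return new RegExp('^' + src + '$');
}

function tokenize(input) {
  return String(input).trim().split(/\s+/).filter(Boolean);
}

// Caveat raised in the review: a caller-supplied RegExp with the g or y flag
// keeps lastIndex between .test() calls, so a second token could be tested from
// a stale offset. Reset it before every test to keep evaluation stateless.
function testFresh(pattern, text) {
  if (pattern.global || pattern.sticky) pattern.lastIndex = 0;
  return pattern.test(text);
}

const DEFAULT_DENY_RULES = [
  // Built-in path rule: anything under .github/workflows is protected.
  { id: 'protected-workflow', pathPattern: '.github/workflows/**' },
  // Existing long-form guard as the PR describes it: "push" plus the
  // "--force" substring (so it also fires on "--force-with-lease").
  { id: 'force-push-long', requiredToken: 'push', inputPattern: /--force/ },
  // Short-form guard on a whole token: a single-dash bundle containing "f"
  // ("-f", "-fu", "-uf"). "--follow-tags" fails because its second character
  // is "-", not a letter, so the substring false positive cannot recur.
  { id: 'force-push-short', requiredToken: 'push', inputTokenPattern: /^-[A-Za-z]*f[A-Za-z]*$/ },
];

// Return the first rule denying the input, or null. Every token is tried as a
// path candidate for pathPattern rules; flag rules also require their verb.
function evaluateDenyRules(input, rules = DEFAULT_DENY_RULES) {
  const tokens = tokenize(input);
  for (const rule of rules) {
    if (rule.pathPattern) {
      const re = globToRegExp(rule.pathPattern);
      for (const tok of tokens) {
        const hit = pathCandidates(tok).find((c) => re.test(c));
        if (hit) return { ruleId: rule.id, matched: hit };
      }
      continue;
    }
    if (rule.requiredToken && !tokens.includes(rule.requiredToken)) continue;
    if (rule.inputPattern && testFresh(rule.inputPattern, input)) {
      return { ruleId: rule.id, matched: input };
    }
    if (rule.inputTokenPattern) {
      const hit = tokens.find((t) => testFresh(rule.inputTokenPattern, t));
      if (hit) return { ruleId: rule.id, matched: hit };
    }
  }
  return null;
}

// CLI-style gate: non-zero exit code when a rule denies the input. The value 1
// is this example's choice, not the project's documented exit code.
function runDenyCheck(input, rules = DEFAULT_DENY_RULES) {
  return evaluateDenyRules(input, rules) ? 1 : 0;
}

// Stand-alone demonstration of the cases named in the PR (constructed inputs).
for (const input of [
  './.github/workflows/ci.yml',
  'git push -f origin main',
  'git push --follow-tags origin main',
]) {
  console.log(JSON.stringify(input), '->', runDenyCheck(input), evaluateDenyRules(input));
}
```

The verb requirement (requiredToken) is what keeps a flag rule from firing on unrelated commands such as git fetch -f; whether --force-with-lease should share the long-form rule's fate is a policy choice this example leaves as the substring match the PR describes.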
@JSONbored JSONbored force-pushed the codex/propose-fix-for-deny-check-cli-vulnerability branch from e2b3cc0 to 00ea109 Compare July 4, 2026 07:32

@gittensory-orb gittensory-orb Bot left a comment


Gittensory approves — the gate is satisfied and CI is green.

@gittensory-orb gittensory-orb Bot merged commit a1ba2f2 into main Jul 4, 2026
13 checks passed
@gittensory-orb gittensory-orb Bot deleted the codex/propose-fix-for-deny-check-cli-vulnerability branch July 4, 2026 07:41

Labels

aardvark codex gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. gittensor Gittensor contributor context
