Skip to content

SECURITY-169-API-37: repair CI/runtime-freeze security guardrails#2919

Merged
fermatmind merged 1 commit into
mainfrom
codex/security-169-api-37-repair-ci-runtime-freeze-security-guardrails
Jul 10, 2026
Merged

SECURITY-169-API-37: repair CI/runtime-freeze security guardrails#2919
fermatmind merged 1 commit into
mainfrom
codex/security-169-api-37-repair-ci-runtime-freeze-security-guardrails

Conversation

@fermatmind

Copy link
Copy Markdown
Owner

What changed

  • Kept required MBTI smoke/E2E enabled for analytics-only diffs.
  • Made both the GitHub workflow and local CI script fail closed if scale-impact output attempts to disable MBTI smoke.
  • Removed runtime-freeze exemptions for destructive migration and scale lookup controller changes.
  • Added focused resolver and classifier regressions plus PR-train evidence.

Why

Security acceptance gates must not be bypassed by path classification, environment overrides, destructive migration labels, or broad lookup-controller exemptions.

Validation

  • Focused tests: 17 passed, 68 assertions.
  • RUN_MBTI_SMOKE=0 bash backend/scripts/ci_verify_mbti.sh rejected before test execution.
  • bash backend/scripts/ci_verify_mbti.sh passed.
  • php artisan route:list --no-ansi: 233 routes.
  • Fresh SQLite migration passed.
  • Pint, shell syntax, workflow/manifest YAML parsing, state JSON parsing, scope validation 7/9, and git diff --check passed.

Deferred items

  • No production import, CMS/search write, staging wait, manual deploy, or production deploy was executed.
  • The destructive migration and lookup controller were classification inputs only; their runtime behavior was not changed in this guardrail PR.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 50bada975a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yml
Comment on lines +257 to +260
if [[ "$value" != "1" ]]; then
echo "Scale impact resolver attempted to disable required MBTI smoke checks." >&2
exit 1
fi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Fail closed when scale-impact command errors

This guard only rejects an explicit run_mbti_smoke=0. If scripts/ci/resolve_scale_impact.sh exits non-zero before emitting that key (for example because ci:scale-impact breaks in PHP/artisan), the command is still run through process substitution later in this step, so its status is not covered by the set -euo pipefail pipeline; the loop exits successfully and ci_verify_mbti.sh falls back to its default RUN_MBTI_SMOKE=1. In that failure mode, PRs can keep green CI while the scale-impact guardrail itself is broken instead of failing closed.

Useful? React with 👍 / 👎.

@fermatmind fermatmind merged commit 30b974a into main Jul 10, 2026
15 checks passed
@fermatmind fermatmind deleted the codex/security-169-api-37-repair-ci-runtime-freeze-security-guardrails branch July 10, 2026 21:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant