docs(security): close API40 train state#2926
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b740a660a6
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "remote_branch_deleted": true, | ||
| "repo": "fap-api", | ||
| "status": "in_progress", | ||
| "status": "merged", |
There was a problem hiding this comment.
Don’t close API-40 with an unapproved changed path
When closing this ledger item as merged, the recorded implementation SHA c3b45b30ee1e05f35343f1283301c07a548c1509 still includes backend/tests/Unit/Services/BigFive/ResultPageV2/BigFiveResultPageV2CoreBodyPreviewTest.php in git show --name-only, but SECURITY-169-API-40's manifest allowed_paths only includes the media service/controller, the feature media test, routes, and train docs. That makes the state closeout contradict the repo's PR-train scope discipline and the existing scope_validation evidence, so the ledger will incorrectly report this train item as cleanly merged unless the missing path is authorized in the manifest or the state records the scope violation instead.
Useful? React with 👍 / 👎.
What changed
Why
Validation
python3 -m json.tool docs/codex/pr-train-state.json >/dev/nullgit diff --checkdocs/codex/pr-train-state.json.Deferred items