Skip to content

fix(review): guard mixed-trust label propagation#4490

Merged
JSONbored merged 3 commits into
mainfrom
codex/fix-mixed-trust-issue-label-vulnerability
Jul 10, 2026
Merged

fix(review): guard mixed-trust label propagation#4490
JSONbored merged 3 commits into
mainfrom
codex/fix-mixed-trust-issue-label-vulnerability

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • A mixed-trust configuration could allow a maintainer-authorized mapping to relax ownership for a shared issueLabel name and thereby unlock a strict/additive sensitive mapping that had not opted into maintainer trust, violating the per-mapping trustMaintainerAuthoredIssue contract.

Description

  • Group propagation mappings by lowercased issueLabel and compute relaxable labels only when every mapping sharing that label has explicitly opted into the relaxed trust flags in src/review/linked-issue-label-propagation-fetch.ts.
  • This preserves strict per-mapping authorization so a trusted mapping cannot indirectly authorize a separate strict mapping that shares the same issue label string.
  • Add a regression unit test test/unit/linked-issue-label-propagation-fetch.test.ts that exercises the mixed-trust duplicate-label shape and verifies strict mappings are not relaxed by a co-present trusted mapping.

Testing

  • Ran npx vitest run test/unit/linked-issue-label-propagation-fetch.test.ts, and the focused unit suite passed (all tests green).
  • Ran npm run typecheck and the TypeScript typecheck completed successfully.
  • Ran npm audit --audit-level=moderate but the registry audit endpoint returned 403 Forbidden in this environment so that check could not complete here.

Codex Task

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. label Jul 9, 2026
@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.11%. Comparing base (efcd25d) to head (62da196).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4490   +/-   ##
=======================================
  Coverage   94.11%   94.11%           
=======================================
  Files         432      432           
  Lines       38348    38352    +4     
  Branches    13979    13981    +2     
=======================================
+ Hits        36091    36095    +4     
  Misses       1600     1600           
  Partials      657      657           
Files with missing lines Coverage Δ
src/review/linked-issue-label-propagation-fetch.ts 100.00% <100.00%> (ø)
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb

gittensory-orb Bot commented Jul 9, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-10 08:38:25 UTC

2 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI green · unstable

⏸️ Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

Review summary
The AI review returned blocking findings for this change but did not include a separate narrative summary. Review the blockers below before deciding this PR.

Blockers

  • The PR description does not link or close any open GitHub issue in JSONbored/gittensory, and repo convention requires every contributor PR to reference an eligible issue — please add a Fixes #NNN / issue link before this can be marked merge-ready.
Nits — 4 non-blocking
  • src/review/linked-issue-label-propagation-fetch.ts: building mappingsByIssueLabel via `[...(mappingsByIssueLabel.get(issueLabel) ?? []), mapping]` reallocates the whole array on every insert; since mapping lists here are tiny/config-driven this is fine, but a plain array push into a `Map<string, Mapping[]>` would be cheaper and equally readable if you touch this again.
  • Consider naming the loop variable in the `.filter(([, mappings]) => ...)` something other than `mappings` to avoid shadowing the outer `args.mappings` — purely a readability nit, not a bug.
  • Add a short comment at the mappingsByIssueLabel construction site cross-referencing the vulnerability being closed (mirrors this file's existing dense-comment style) so a future reader understands why grouping-then-`every()` is required instead of the simpler per-mapping filter.
  • If there's an eligible open issue tracking #priority-linked-issue-gate-ownership hardening, reference its number explicitly in the PR description per repo convention.

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 48 registered-repo PR(s), 40 merged, 334 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 48 PR(s), 334 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 48 PR(s), 334 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 9, 2026
# Conflicts:
#	src/review/linked-issue-label-propagation-fetch.ts
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
gittensory-ui 62da196 Commit Preview URL

Branch Preview URL
Jul 10 2026, 08:26 AM

@JSONbored JSONbored merged commit 9075eb1 into main Jul 10, 2026
12 checks passed
@JSONbored JSONbored deleted the codex/fix-mixed-trust-issue-label-vulnerability branch July 10, 2026 08:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aardvark codex gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant