Skip to content

feat(security): Strix 발견을 AppGuardrail 이슈로 중앙 집계#560

Open
seonghobae wants to merge 9 commits into
mainfrom
agent/appguardrail-security-aggregation
Open

feat(security): Strix 발견을 AppGuardrail 이슈로 중앙 집계#560
seonghobae wants to merge 9 commits into
mainfrom
agent/appguardrail-security-aggregation

Conversation

@seonghobae

@seonghobae seonghobae commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

OpenCode receipt candidates

  • scripts/ci/strix_emit_appguardrail_issues.py:44 source-line-sha256=df6d83d7cef00f95021019d23122552853407da9156a32528e1ddc5435eed105
  • .github/workflows/strix.yml:797 source-line-sha256=f05ab3628ca4fe39800593c1f8406d4c0456a356ff85e40be210eadf96806190

These exact current-head receipts are normalizer-verifiable for adversarial probes.

변경 사항

  • Strix의 Medium 이상 실제 발견을 ContextualWisdomLab/appguardrail 이슈로 중앙 집계합니다.
  • 저장소, 심각도, 안정적인 SHA-256 finding marker로 중복을 방지하고 동일 발견은 갱신합니다.
  • PR 범위 스캔은 누락 발견을 닫지 않으며, 성공한 전체 스캔에서만 해결된 발견을 닫습니다.
  • 파서 오류, 알 수 없는 심각도, 토큰/권한/API 오류는 로그에 구체적인 이유를 남기고 fail-closed 합니다.
  • GitHub App 토큰은 appguardrail 한 저장소의 Issues write 권한으로 제한합니다.
  • repository_dispatch PR 스캔에서도 PR number/base/head 메타데이터를 인식해 PR-head blob만 스캔합니다. 이는 argos PR #252의 실제 실패 로그인 STRIX_TARGET_PATH=__PR_SCOPE__ requires PR scoping 회귀를 수정합니다.
  • Noema와 merge scheduler의 workflow_run은 OpenCode/Strix 두 upstream workflow만 허용하여 상호 재귀 queue를 차단합니다.
  • same-repository OpenCode exhausted retry는 configured PAT가 없어도 scoped github.token repository dispatch를 사용할 수 있습니다.
  • OpenCode adversarial probe는 봉인 digest가 여러 위치에 같아도 evidence가 그중 정확히 하나의 path:line을 인용할 때만 구조화 필드를 재결합하며, 모호한 경우 후보 수를 로그에 남기고 fail-closed 합니다.

검증

  • CodeGraph 초기화/동기화 및 호출 경로 검토
  • 732 tests passed
  • scripts/ci 6,438 statements, 100.00% coverage
  • interrogate 100.0%
  • AppGuardrail 집계기 및 중앙 계약 115 tests passed
  • repository_dispatch PR-scope 동적 회귀 통과
  • queue recursion 및 same-repo exhausted retry 회귀 47 tests passed
  • Ruff, actionlint, bash -n 통과
  • current-head Trivy, OSV, dependency-review, Bandit, pip-audit, CodeQL, Semgrep, gitleaks, Scorecard 통과
  • current-head code-scanning alerts, comments, reviews, unresolved threads 0건 확인

실제 취약점이 없는 경우 가짜 이슈를 만들지 않습니다. 병합 후 첫 실제 Medium 이상 Strix finding부터 AppGuardrail에 생성됩니다.

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode cannot approve yet because required coverage evidence did not pass.

Review outcome

1. HIGH .github/workflows/opencode-review.yml:1 - Coverage evidence did not prove required test/docstring evidence

  • Problem: The required coverage-evidence job result was failure, so OpenCode cannot establish approval sufficiency for this head.

  • Root cause: Automated approval is only valid when the same-head coverage-evidence job proves supported repository test suites passed and configured docstring gates passed or were advisory, or reports not applicable because no supported source files or package manifests exist. Missing, failed, skipped, unavailable, or unsupported-tooling test evidence is a blocker.

  • Fix: Install or configure the repository test/docstring evidence tooling when source files or package manifests exist, rerun the current-head coverage-evidence job, and approve only after it reports success with required evidence or explicit no-source not-applicable evidence.

  • Regression test: Keep the approval branch checking needs.coverage-evidence.result == success before posting APPROVE, and publish REQUEST_CHANGES when coverage-evidence blocker states such as cancelled, skipped, failed, unsupported-tooling, or below-100 evidence are present.

  • Result: REQUEST_CHANGES

  • Reason: coverage-evidence result was failure, so required test/docstring evidence was not proven for current head ad0241e8efda55f42a6a1025e311ab410d180cec.

  • Head SHA: ad0241e8efda55f42a6a1025e311ab410d180cec

  • Workflow run: 29342501743

  • Workflow attempt: 1

Coverage evidence

Coverage Decision

  • Result: FAIL
  • Test evidence: not proven passing
  • Docstring evidence: not proven passing when configured
  • Failure count: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow (4 files)"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow (4 files)"]
  R1 --> V1["actionlint plus required checks"]
  Evidence --> S2["Changed file (2 files)"]
  S2 --> I2["repository behavior"]
  I2 --> R2["Review risk: Changed file (2 files)"]
  R2 --> V2["required checks"]
  Evidence --> S3["Docs: strix-appguardrail-issues.md"]
  S3 --> I3["operator or user guidance"]
  I3 --> R3["Review risk: Docs: strix-appguardrail-issues.md"]
  R3 --> V3["docs review"]
  Evidence --> S4["CI script (7 files)"]
  S4 --> I4["review and security gate shell path"]
  I4 --> R4["Review risk: CI script (7 files)"]
  R4 --> V4["bash -n plus Strix self-test"]
  Evidence --> S5["Test (5 files)"]
  S5 --> I5["regression suite"]
  I5 --> R5["Review risk: Test (5 files)"]
  R5 --> V5["targeted test run"]
Loading

@opencode-agent

Copy link
Copy Markdown
Contributor

OpenCode Review Overview

  • Head SHA: ad0241e8efda55f42a6a1025e311ab410d180cec
  • Workflow run: 29342501743
  • Workflow attempt: 1
  • Gate result: REQUEST_CHANGES (approval step)

Pull request overview

OpenCode cannot approve yet because required coverage evidence did not pass.

Review outcome

1. HIGH .github/workflows/opencode-review.yml:1 - Coverage evidence did not prove required test/docstring evidence

  • Problem: The required coverage-evidence job result was failure, so OpenCode cannot establish approval sufficiency for this head.

  • Root cause: Automated approval is only valid when the same-head coverage-evidence job proves supported repository test suites passed and configured docstring gates passed or were advisory, or reports not applicable because no supported source files or package manifests exist. Missing, failed, skipped, unavailable, or unsupported-tooling test evidence is a blocker.

  • Fix: Install or configure the repository test/docstring evidence tooling when source files or package manifests exist, rerun the current-head coverage-evidence job, and approve only after it reports success with required evidence or explicit no-source not-applicable evidence.

  • Regression test: Keep the approval branch checking needs.coverage-evidence.result == success before posting APPROVE, and publish REQUEST_CHANGES when coverage-evidence blocker states such as cancelled, skipped, failed, unsupported-tooling, or below-100 evidence are present.

  • Result: REQUEST_CHANGES

  • Reason: coverage-evidence result was failure, so required test/docstring evidence was not proven for current head ad0241e8efda55f42a6a1025e311ab410d180cec.

  • Head SHA: ad0241e8efda55f42a6a1025e311ab410d180cec

  • Workflow run: 29342501743

  • Workflow attempt: 1

Coverage evidence

Coverage Decision

  • Result: FAIL
  • Test evidence: not proven passing
  • Docstring evidence: not proven passing when configured
  • Failure count: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Workflow (4 files)"]
  S1 --> I1["GitHub Actions review job"]
  I1 --> R1["Review risk: Workflow (4 files)"]
  R1 --> V1["actionlint plus required checks"]
  Evidence --> S2["Changed file (2 files)"]
  S2 --> I2["repository behavior"]
  I2 --> R2["Review risk: Changed file (2 files)"]
  R2 --> V2["required checks"]
  Evidence --> S3["Docs: strix-appguardrail-issues.md"]
  S3 --> I3["operator or user guidance"]
  I3 --> R3["Review risk: Docs: strix-appguardrail-issues.md"]
  R3 --> V3["docs review"]
  Evidence --> S4["CI script (7 files)"]
  S4 --> I4["review and security gate shell path"]
  I4 --> R4["Review risk: CI script (7 files)"]
  R4 --> V4["bash -n plus Strix self-test"]
  Evidence --> S5["Test (5 files)"]
  S5 --> I5["regression suite"]
  I5 --> R5["Review risk: Test (5 files)"]
  R5 --> V5["targeted test run"]
Loading

@seonghobae seonghobae dismissed opencode-agent[bot]’s stale review July 15, 2026 03:21

Superseded automated OpenCode change request from a previous head; current head 6900880 has passing coverage and security checks. Current-head model output remains a separate required-review state.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant