feat(security): Strix 발견을 AppGuardrail 이슈로 중앙 집계#560
Conversation
There was a problem hiding this comment.
Pull request overview
OpenCode cannot approve yet because required coverage evidence did not pass.
Review outcome
1. HIGH .github/workflows/opencode-review.yml:1 - Coverage evidence did not prove required test/docstring evidence
-
Problem: The required coverage-evidence job result was
failure, so OpenCode cannot establish approval sufficiency for this head. -
Root cause: Automated approval is only valid when the same-head coverage-evidence job proves supported repository test suites passed and configured docstring gates passed or were advisory, or reports not applicable because no supported source files or package manifests exist. Missing, failed, skipped, unavailable, or unsupported-tooling test evidence is a blocker.
-
Fix: Install or configure the repository test/docstring evidence tooling when source files or package manifests exist, rerun the current-head coverage-evidence job, and approve only after it reports
successwith required evidence or explicit no-source not-applicable evidence. -
Regression test: Keep the approval branch checking
needs.coverage-evidence.result == successbefore posting APPROVE, and publish REQUEST_CHANGES when coverage-evidence blocker states such as cancelled, skipped, failed, unsupported-tooling, or below-100 evidence are present. -
Result: REQUEST_CHANGES
-
Reason: coverage-evidence result was
failure, so required test/docstring evidence was not proven for current headad0241e8efda55f42a6a1025e311ab410d180cec. -
Head SHA:
ad0241e8efda55f42a6a1025e311ab410d180cec -
Workflow run: 29342501743
-
Workflow attempt: 1
Coverage evidence
Coverage Decision
- Result: FAIL
- Test evidence: not proven passing
- Docstring evidence: not proven passing when configured
- Failure count: 1
Changed-File Evidence Map
flowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow (4 files)"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow (4 files)"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["Changed file (2 files)"]
S2 --> I2["repository behavior"]
I2 --> R2["Review risk: Changed file (2 files)"]
R2 --> V2["required checks"]
Evidence --> S3["Docs: strix-appguardrail-issues.md"]
S3 --> I3["operator or user guidance"]
I3 --> R3["Review risk: Docs: strix-appguardrail-issues.md"]
R3 --> V3["docs review"]
Evidence --> S4["CI script (7 files)"]
S4 --> I4["review and security gate shell path"]
I4 --> R4["Review risk: CI script (7 files)"]
R4 --> V4["bash -n plus Strix self-test"]
Evidence --> S5["Test (5 files)"]
S5 --> I5["regression suite"]
I5 --> R5["Review risk: Test (5 files)"]
R5 --> V5["targeted test run"]
OpenCode Review Overview
Pull request overviewOpenCode cannot approve yet because required coverage evidence did not pass. Review outcome1. HIGH .github/workflows/opencode-review.yml:1 - Coverage evidence did not prove required test/docstring evidence
Coverage evidenceCoverage Decision
Changed-File Evidence Mapflowchart LR
PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
Evidence --> S1["Workflow (4 files)"]
S1 --> I1["GitHub Actions review job"]
I1 --> R1["Review risk: Workflow (4 files)"]
R1 --> V1["actionlint plus required checks"]
Evidence --> S2["Changed file (2 files)"]
S2 --> I2["repository behavior"]
I2 --> R2["Review risk: Changed file (2 files)"]
R2 --> V2["required checks"]
Evidence --> S3["Docs: strix-appguardrail-issues.md"]
S3 --> I3["operator or user guidance"]
I3 --> R3["Review risk: Docs: strix-appguardrail-issues.md"]
R3 --> V3["docs review"]
Evidence --> S4["CI script (7 files)"]
S4 --> I4["review and security gate shell path"]
I4 --> R4["Review risk: CI script (7 files)"]
R4 --> V4["bash -n plus Strix self-test"]
Evidence --> S5["Test (5 files)"]
S5 --> I5["regression suite"]
I5 --> R5["Review risk: Test (5 files)"]
R5 --> V5["targeted test run"]
|
Superseded automated OpenCode change request from a previous head; current head 6900880 has passing coverage and security checks. Current-head model output remains a separate required-review state.
OpenCode receipt candidates
scripts/ci/strix_emit_appguardrail_issues.py:44source-line-sha256=df6d83d7cef00f95021019d23122552853407da9156a32528e1ddc5435eed105.github/workflows/strix.yml:797source-line-sha256=f05ab3628ca4fe39800593c1f8406d4c0456a356ff85e40be210eadf96806190These exact current-head receipts are normalizer-verifiable for adversarial probes.
변경 사항
STRIX_TARGET_PATH=__PR_SCOPE__ requires PR scoping회귀를 수정합니다.workflow_run은 OpenCode/Strix 두 upstream workflow만 허용하여 상호 재귀 queue를 차단합니다.github.tokenrepository dispatch를 사용할 수 있습니다.path:line을 인용할 때만 구조화 필드를 재결합하며, 모호한 경우 후보 수를 로그에 남기고 fail-closed 합니다.검증
실제 취약점이 없는 경우 가짜 이슈를 만들지 않습니다. 병합 후 첫 실제 Medium 이상 Strix finding부터 AppGuardrail에 생성됩니다.