fix: safety guardrails false positives, pyyaml error status, set_waves install fallback (#319 #320 #321) #325

Merged
azalio merged 1 commit into main from claude/compassionate-cerf-uujxi6 on Jul 3, 2026

Conversation

@azalio azalio commented Jul 3, 2026

Summary

Fixes three bugs found in the issue tracker. All changes are in Jinja template sources (templates_src/) with generated trees re-rendered via make render-templates. Regression tests added for each bug.

Bug #321 — safety guardrails blocked files with safe names in directories with dangerous names

check_file_safety matched dangerous patterns against the full path (path.lower()), so secrets-injector/values.yaml was blocked because "secret" appeared in the directory name rather than the filename. The code comment already stated intent to check file names, not paths.

Fix: use os.path.basename(path).lower() for both the fast-path marker check and the regex loop.

File: src/mapify_cli/templates_src/hooks/safety-guardrails.py.jinja

Bug #319: parse_requirements_index returned status='malformed' when PyYAML was missing

A single except Exception caught both ImportError (PyYAML not installed) and yaml.YAMLError (genuine parse error). Users were told their spec was malformed when the real problem was a missing dependency.

Fix: split exception handlers. ImportError returns status='pyyaml_missing' with "Run: pip install pyyaml" in warnings. validate_blueprint_contract updated to handle the new status.

File: src/mapify_cli/templates_src/map/scripts/map_step_runner.py.jinja

Bug #320: set_waves ImportError fallback didn't find dependency_graph.py in uv tool installs

The fallback path search only walked parent directories for src/mapify_cli/dependency_graph.py (source-checkout layout). When mapify-cli is installed via uv tool install or pipx install, the package is in ~/.local/share/uv/tools/mapify-cli/lib/python3.X/site-packages/.

Fix: extend candidate list to include common installed-package locations. Improve error message to guide uv-tool users.

File: src/mapify_cli/templates_src/map/scripts/map_orchestrator.py.jinja

Pre-existing test fix

test_write_project_mcp_json_permission_error was always failing when the test suite runs as root (root bypasses chmod 0o444). Added @pytest.mark.skipif(os.getuid() == 0, ...).

Test plan


Generated by Claude Code
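The Bug #321 false positive, shown as an added example rather than the project's own hook code: the pre-fix check inspects the whole lowered path, the post-fix check inspects only os.path.basename(path).lower(). The marker and regex lists are hypothetical stand-ins for whatever the real safety-guardrails.py.jinja uses.

```python
import os
import re

# Hypothetical marker and pattern lists, constructed for this example; the
# real safety-guardrails.py.jinja keeps its own lists.
FAST_PATH_MARKERS = ("secret", "credential", ".env")
DANGEROUS_PATTERNS = [
    re.compile(r"\.pem$"),
    re.compile(r"\.key$"),
    re.compile(r"^id_rsa(\.pub)?$"),
]


def is_safe_before(path: str) -> bool:
    """Pre-fix check: the whole lowered path is inspected, so a dangerous
    word anywhere in a directory name blocks the file (the false positive)."""
    lowered = path.lower()
    if any(marker in lowered for marker in FAST_PATH_MARKERS):
        return False
    return not any(p.search(lowered) for p in DANGEROUS_PATTERNS)


def is_safe_after(path: str) -> bool:
    """Post-fix check (Bug #321): only the file name is inspected, for both
    the fast-path marker test and the regex loop."""
    name = os.path.basename(path).lower()
    if any(marker in name for marker in FAST_PATH_MARKERS):
        return False
    return not any(p.search(name) for p in DANGEROUS_PATTERNS)


def compare(paths):
    """Map each path to (verdict before fix, verdict after fix); True means safe."""
    return {p: (is_safe_before(p), is_safe_after(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths; the first is the false positive from issue #321.
    samples = [
        "secrets-injector/values.yaml",
        "charts/app/secrets.yaml",
        "keys/server.key",
        "deploy/.env",
        "src/app/main.py",
    ]
    for path, (before, after) in compare(samples).items():
        print(f"{path:30} before={before!s:5} after={after}")
```

Basename-only matching also means a file with an innocuous name inside a directory such as secrets/ is no longer caught by this check; that is the trade-off implied by the stated intent of checking file names rather than paths.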

coderabbitai Bot commented Jul 3, 2026

Warning

Review limit reached

@azalio, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 57 minutes


Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6c1334d3-a8e8-4ef3-a30e-9e7e72484bf3

📥 Commits

Reviewing files that changed from the base of the PR and between e6ed054 and 113f1d4.

📒 Files selected for processing (12)
  • .claude/hooks/safety-guardrails.py
  • .map/scripts/map_orchestrator.py
  • .map/scripts/map_step_runner.py
  • src/mapify_cli/templates/hooks/safety-guardrails.py
  • src/mapify_cli/templates/map/scripts/map_orchestrator.py
  • src/mapify_cli/templates/map/scripts/map_step_runner.py
  • src/mapify_cli/templates_src/hooks/safety-guardrails.py.jinja
  • src/mapify_cli/templates_src/map/scripts/map_orchestrator.py.jinja
  • src/mapify_cli/templates_src/map/scripts/map_step_runner.py.jinja
  • tests/hooks/test_safety_guardrails.py
  • tests/test_map_orchestrator.py
  • tests/test_map_step_runner.py

…r status, set_waves install fallback

Bug #321 (safety-guardrails.py): check_file_safety matched dangerous patterns
against the full path, causing false positives when directory names contained
security-related words (e.g. secrets-injector/values.yaml was blocked because
"secret" appeared in the parent directory name).  Fix: match only against
os.path.basename(path).lower().

Bug #319 (map_step_runner.py): parse_requirements_index caught both ImportError
(missing PyYAML) and yaml.YAMLError in a single except-Exception block, returning
status='malformed' for both — misleading users into thinking their spec was broken
when PyYAML was simply not installed.  Fix: split exception handlers; ImportError
now returns status='pyyaml_missing' with an actionable "pip install pyyaml" message.
validate_blueprint_contract updated to handle the new status.

Bug #320 (map_orchestrator.py): set_waves ImportError fallback only searched
source-checkout layout paths (src/mapify_cli/ relative to __file__ parents),
missing packages installed via 'uv tool install' or 'pipx install' which land in
~/.local/share/uv/tools/mapify-cli/lib/python3.X/site-packages/.  Fix: extend
the candidate list to include common installed-package locations; improve error
message to guide uv-tool install users.

Also: skip test_write_project_mcp_json_permission_error when running as root
(root bypasses chmod 0o444 restrictions — the test's OSError cannot be triggered).
Add regression tests for all three bugs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011dqN4Wq6pEtodBmSTxbyZp
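The Bug #319 exception split, as an added example and not the project's map_step_runner code: the pre-fix version folds ImportError into 'malformed', the post-fix version returns 'pyyaml_missing' with the pip hint. The module_name parameter is a hypothetical injection point so that a missing PyYAML can be simulated offline, and validate_blueprint_contract here is a hypothetical consumer of the status.

```python
import importlib


def parse_requirements_index_before(text, module_name="yaml"):
    """Pre-fix (Bug #319): one broad handler swallows both the ImportError for a
    missing PyYAML and a real yaml.YAMLError, so both come back as 'malformed'."""
    try:
        yaml = importlib.import_module(module_name)
        return {"status": "ok", "warnings": [], "data": yaml.safe_load(text)}
    except Exception as exc:  # too broad: this is the bug
        return {"status": "malformed", "warnings": [str(exc)], "data": None}


def parse_requirements_index_after(text, module_name="yaml"):
    """Post-fix: import and parse get separate handlers, so a missing
    dependency and a broken spec are reported as different statuses."""
    try:
        yaml = importlib.import_module(module_name)
    except ImportError:
        return {"status": "pyyaml_missing",
                "warnings": ["PyYAML is not installed. Run: pip install pyyaml"],
                "data": None}
    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        return {"status": "malformed",
                "warnings": [f"YAML parse error: {exc}"], "data": None}
    return {"status": "ok", "warnings": [], "data": data}


def validate_blueprint_contract(result):
    """Hypothetical consumer showing how the new status is routed to a
    dependency message rather than a spec-format message."""
    if result["status"] == "pyyaml_missing":
        return "dependency missing: " + result["warnings"][0]
    if result["status"] == "malformed":
        return "spec is malformed: " + result["warnings"][0]
    return "ok"


if __name__ == "__main__":
    # Constructed input; a module name that cannot exist stands in for an
    # environment without PyYAML installed.
    for fn in (parse_requirements_index_before, parse_requirements_index_after):
        result = fn("steps: []", module_name="no_such_yaml_module_xyz")
        print(fn.__name__, "->", validate_blueprint_contract(result))
```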
@azalio azalio force-pushed the claude/compassionate-cerf-uujxi6 branch from 01bc834 to 113f1d4 Compare July 3, 2026 06:27
@azalio azalio merged commit 4463e0a into main Jul 3, 2026
1 check passed
coderabbitai Bot commented Jul 3, 2026


Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.



2 participants