Skip to content

Add daily Sentinel v2.4 operational-check script, runbook, and tests#142

Open
OneFineStarstuff wants to merge 4 commits into
mainfrom
codex/perform-devsecops-operational-checks
Open

Add daily Sentinel v2.4 operational-check script, runbook, and tests#142
OneFineStarstuff wants to merge 4 commits into
mainfrom
codex/perform-devsecops-operational-checks

Conversation

@OneFineStarstuff

@OneFineStarstuff OneFineStarstuff commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Motivation

  • Provide an auditable, dependency-light CLI to validate daily operational evidence for the Omni-Sentinel environment including dashboard health, G-SRI, PQC WORM Object Lock commits, and TEE/TPM attestations.
  • Capture the runbook and machine-readable expectations so CI, auditors, and on-call teams can consistently validate evidence packs.

Description

  • Add a new CLI script scripts/daily_sentinel_operational_check.py that performs checks for dashboard reachability, gsri threshold/signature, pqc_worm_logger S3 Object Lock commits, and TEE/TPM attestation, and emits Markdown or JSON output and a suitable exit code.
  • Add daily-sentinel-operational-check entry to pyproject.toml under [project.scripts] for easy invocation as a project script.
  • Add a detailed runbook document docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.md describing required checks, example evidence JSON payloads, CLI usage, and fail-closed rules.
  • Add comprehensive pytest unit tests in tests/test_daily_sentinel_operational_check.py to validate individual check logic, CLI behavior (offline and JSON modes), and error handling.

Testing

  • Added unit tests in tests/test_daily_sentinel_operational_check.py covering check_gsri, check_worm, check_attestation, timestamp parsing, and main behavior in offline and JSON modes.
  • Ran the test suite with pytest tests/test_daily_sentinel_operational_check.py and all tests completed successfully.
  • Exercise of CLI modes (Markdown and JSON) is covered by tests that assert overall status and output structure.

Codex Task

Summary by Sourcery

Introduce a daily Sentinel AI v2.4 operational check CLI that validates key evidence planes and exposes them via a project script.

New Features:

  • Add a daily operational-check CLI for Sentinel telemetry, G-SRI thresholds, PQC WORM Object Lock commits, and TEE/TPM attestations, with Markdown and JSON reporting.
  • Register the daily Sentinel operational check as a daily-sentinel-operational-check project script for easy invocation.

Documentation:

  • Add a DevSecOps runbook documenting the daily Sentinel v2.4 operational checks, expected evidence JSON payloads, CLI usage, and fail-closed rules.

Tests:

  • Add pytest coverage for the new operational-check CLI, including individual evidence validations, timestamp handling, overall status computation, and CLI behavior in offline and JSON modes.

Summary by CodeRabbit

  • New Features

    • Added a new daily operational check command for Sentinel v2.4.
    • Supports both human-readable and JSON output, with options to skip the dashboard check and run against local evidence files.
  • Bug Fixes

    • Adds fail-closed validation for dashboard health, evidence freshness, WORM commit status, and attestation checks.
    • Improves overall status reporting so issues are surfaced clearly with remediation guidance.

@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
v0-one-fine-starstuff-github-io Ready Ready Preview, Comment, Open in v0 Jul 6, 2026 7:25pm

@code-genius-code-coverage

Copy link
Copy Markdown

The files' contents are under analysis for test generation.

@semanticdiff-com

semanticdiff-com Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review changes with  SemanticDiff

Changed Files
File Status
  docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.md Unsupported file format
  pyproject.toml Unsupported file format
  scripts/daily_sentinel_operational_check.py  0% smaller
  tests/test_daily_sentinel_operational_check.py  0% smaller

@gitnotebooks

gitnotebooks Bot commented Jul 6, 2026

Copy link
Copy Markdown

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@difflens

difflens Bot commented Jul 6, 2026

Copy link
Copy Markdown

View changes in DiffLens

@sourcery-ai

sourcery-ai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Reviewer's Guide

Adds a new daily Sentinel v2.4 operational-check CLI that validates dashboard reachability, G-SRI evidence, PQC WORM Object Lock commits, and TEE/TPM attestation; wires it into the project entry points, documents runbook usage and expectations, and provides pytest coverage for core check logic and CLI behavior.

Sequence diagram for daily Sentinel v2.4 operational-check CLI flow

sequenceDiagram
  actor Operator
  participant daily_sentinel_operational_check_main as main
  participant SentinelDashboard
  participant EvidenceFS

  Operator->>daily_sentinel_operational_check_main: main(argv)
  daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: parse_args(argv)

  alt dashboard_not_skipped
    daily_sentinel_operational_check_main->>SentinelDashboard: check_dashboard(dashboard_url, dashboard_timeout, insecure_tls)
    SentinelDashboard-->>daily_sentinel_operational_check_main: HTTP status code
  else dashboard_skipped
    daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: CheckResult("sentinel_dashboard", WARN, "dashboard reachability skipped by operator")
  end

  daily_sentinel_operational_check_main->>EvidenceFS: load_json(gsri_evidence_path)
  EvidenceFS-->>daily_sentinel_operational_check_main: gsri_evidence
  daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: result_from_check("gsri_threshold", check_gsri(gsri_evidence, max_age_minutes))

  daily_sentinel_operational_check_main->>EvidenceFS: load_json(worm_evidence_path)
  EvidenceFS-->>daily_sentinel_operational_check_main: worm_evidence
  daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: result_from_check("pqc_worm_logger", check_worm(worm_evidence, max_age_minutes, worm_max_lag_seconds, expected_worm_bucket, require_compliance_object_lock))

  daily_sentinel_operational_check_main->>EvidenceFS: load_json(attestation_evidence_path)
  EvidenceFS-->>daily_sentinel_operational_check_main: attestation_evidence
  daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: result_from_check("tee_tpm_attestation", check_attestation(attestation_evidence, max_age_minutes))

  alt json_output
    daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: render_json(results)
  else markdown_output
    daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: render_markdown(results)
  end

  daily_sentinel_operational_check_main->>Operator: exit(1 if any(result.is_failure) else 0)
Loading

File-Level Changes

Change Details Files
Introduce a Sentinel daily operational-check CLI with evidence validation helpers and reporting, plus documentation and tests, and register it as a project script.
  • Add a dependency-light CLI in scripts.daily_sentinel_operational_check with argument parsing, per-plane evidence validation (dashboard, G-SRI, WORM, attestation), aggregate status computation, Markdown/JSON rendering, and exit-code semantics.
  • Implement robust JSON loading and strict UTC timestamp parsing with freshness checks and custom CheckError exceptions so malformed or stale evidence is converted into explicit FAIL results without aborting the overall run.
  • Add Sentinel-specific validation logic for G-SRI thresholds, PQC WORM S3 Object Lock evidence (including bucket expectations, Object Lock mode, retention and commit-lag SLOs), and TEE/TPM attestation (PCR_MATCH, TEE status, required identifiers, signatures).
  • Register the CLI as daily-sentinel-operational-check in pyproject.toml under [project.scripts] for direct invocation via the project entry point.
  • Add pytest coverage in tests/test_daily_sentinel_operational_check for the individual check functions, timestamp parsing, main() behavior in both offline and JSON modes, and ensuring failures, stale evidence, and per-check exceptions produce the expected statuses and output.
  • Document the operational runbook in docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.md, including required checks, expected evidence JSON structures, CLI usage examples (live, offline, JSON, compliance-only), and fail-closed rules for control state.
scripts/daily_sentinel_operational_check.py
pyproject.toml
tests/test_daily_sentinel_operational_check.py
docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.md

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@github-actions github-actions Bot added documentation Improvements or additions to documentation python Pull requests that update python code labels Jul 6, 2026
@difflens

difflens Bot commented Jul 6, 2026

Copy link
Copy Markdown

View changes in DiffLens

@deepsource-io

deepsource-io Bot commented Jul 6, 2026

Copy link
Copy Markdown

DeepSource Code Review

We reviewed changes in a8c9a19...9207200 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
Python Jul 6, 2026 7:26p.m. Review ↗
JavaScript Jul 6, 2026 7:26p.m. Review ↗
Shell Jul 6, 2026 7:26p.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds a new daily_sentinel_operational_check.py script performing fail-closed DevSecOps evidence validation across dashboard reachability, G-SRI, WORM Object Lock, and TEE/TPM attestation checks, with Markdown/JSON reporting, a CLI entry point, unit/integration tests, and an accompanying runbook document.

Changes

Daily Sentinel Operational Check

Layer / File(s) Summary
Core validation primitives
scripts/daily_sentinel_operational_check.py
Adds CheckError, CheckResult, JSON loading, and strict UTC timestamp freshness checks.
Dashboard reachability check
scripts/daily_sentinel_operational_check.py
Validates dashboard health via HTTP with optional insecure TLS and HEAD→GET fallback.
G-SRI evidence check
scripts/daily_sentinel_operational_check.py, tests/test_daily_sentinel_operational_check.py
Validates freshness, threshold, and signature fields; adds pass/fail tests.
WORM Object Lock check
scripts/daily_sentinel_operational_check.py, tests/test_daily_sentinel_operational_check.py
Validates commit status, Object Lock mode, PQC signature, retention, and commit lag; adds failure-case tests for logger name, bucket mismatch, and signature.
TEE/TPM attestation check
scripts/daily_sentinel_operational_check.py, tests/test_daily_sentinel_operational_check.py
Validates PCR match, TEE status, and signature verification; adds factory and pass/fail tests.
Reporting, CLI, and main
scripts/daily_sentinel_operational_check.py
Adds status aggregation, Markdown/JSON rendering, CLI argument parsing, and main orchestration with exit codes.
Main/CLI integration tests
tests/test_daily_sentinel_operational_check.py
Adds test helpers and integration tests for valid, stale, invalid-file, and --json output scenarios.
Runbook and script wiring
docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.md, pyproject.toml
Adds operational runbook document and registers daily-sentinel-operational-check CLI entry point.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
    participant Operator
    participant CheckerCLI as daily_sentinel_operational_check
    participant Dashboard
    participant EvidenceFiles as Evidence JSON files
    participant Report as Markdown/JSON output

    Operator->>CheckerCLI: run with args (evidence paths, flags)
    CheckerCLI->>Dashboard: HTTP HEAD/GET request (unless skipped)
    Dashboard-->>CheckerCLI: status code or WARN if skipped
    CheckerCLI->>EvidenceFiles: load G-SRI evidence JSON
    CheckerCLI->>EvidenceFiles: load WORM evidence JSON
    CheckerCLI->>EvidenceFiles: load TEE/TPM evidence JSON
    CheckerCLI->>CheckerCLI: validate freshness, thresholds, signatures
    CheckerCLI->>CheckerCLI: aggregate results into overall_status
    CheckerCLI->>Report: render_markdown or render_json
    CheckerCLI-->>Operator: print report, exit code (0 or 1)
Loading

Suggested labels: size/XXL

Suggested reviewers: gstraccini

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change set: a daily Sentinel v2.4 operational-check script, runbook, and tests were added.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/perform-devsecops-operational-checks

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • Consider validating CLI numeric options like --max-age-minutes and --worm-max-lag-seconds up front (e.g., enforcing non-negative values) so misconfiguration fails fast with a clearer error message.
  • In result_from_check, the explicit name parameter is only used on exception paths while successful results rely on the inner check’s CheckResult.name; simplifying this helper to derive the name from the inner result would reduce the chance of name mismatches between the caller and the check implementation.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider validating CLI numeric options like `--max-age-minutes` and `--worm-max-lag-seconds` up front (e.g., enforcing non-negative values) so misconfiguration fails fast with a clearer error message.
- In `result_from_check`, the explicit `name` parameter is only used on exception paths while successful results rely on the inner check’s `CheckResult.name`; simplifying this helper to derive the name from the inner result would reduce the chance of name mismatches between the caller and the check implementation.

Fix all in Cursor


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@codacy-production

codacy-production Bot commented Jul 6, 2026

Copy link
Copy Markdown

Not up to standards ⛔

🔴 Issues 1 critical · 48 high · 8 medium · 43 minor

Alerts:
⚠ 100 issues (≤ 0 issues of at least minor severity)

Results:
100 new issues

Category Results
UnusedCode 2 medium
Documentation 30 minor
ErrorProne 2 medium
1 high
Security 1 medium
47 high
CodeStyle 8 minor
Complexity 5 minor
1 critical
3 medium

View in Codacy

🟢 Metrics 104 complexity · 4 duplication

Metric Results
Complexity 104
Duplication 4

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@charliecreates charliecreates Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking feedback

  1. Dashboard input validation can crash the CLI before any evidence report is emitted — scripts/daily_sentinel_operational_check.py#L129-L170

If you'd like me to push fixes, reply with item numbers (for example: please fix 1).

Comment thread scripts/daily_sentinel_operational_check.py
@netlify

netlify Bot commented Jul 6, 2026

Copy link
Copy Markdown

Deploy Preview for onefinestarstuff canceled.

Name Link
🔨 Latest commit 9207200
🔍 Latest deploy log https://app.netlify.com/projects/onefinestarstuff/deploys/6a4c011978d1f30008c280c3

@difflens

difflens Bot commented Jul 6, 2026

Copy link
Copy Markdown

View changes in DiffLens

@difflens

difflens Bot commented Jul 6, 2026

Copy link
Copy Markdown

View changes in DiffLens

@difflens

difflens Bot commented Jul 6, 2026

Copy link
Copy Markdown

View changes in DiffLens

@difflens

difflens Bot commented Jul 6, 2026

Copy link
Copy Markdown

View changes in DiffLens

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (3)
tests/test_daily_sentinel_operational_check.py (3)

109-113: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

Unescaped regex metacharacter in match=.

match="pqc_worm_logger.py" treats . as "any character," not a literal dot. Ruff (RUF043) flags this. Currently harmless since the literal string also satisfies the pattern, but it's imprecise.

🔧 Proposed fix
+import re
+
 def test_check_worm_rejects_wrong_logger_name() -> None:
     evidence = valid_worm()
     evidence["logger_name"] = "other.py"
-    with pytest.raises(checker.CheckError, match="pqc_worm_logger.py"):
+    with pytest.raises(checker.CheckError, match=re.escape("pqc_worm_logger.py")):
         checker.check_worm(evidence, max_age_minutes=30, max_lag_seconds=900)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_daily_sentinel_operational_check.py` around lines 109 - 113, The
`test_check_worm_rejects_wrong_logger_name` assertion uses `pytest.raises(...,
match=...)` with an unescaped regex metacharacter, so the pattern is imprecise.
Update the `match` argument in this test to use a properly escaped literal for
`pqc_worm_logger.py` (or otherwise quote the pattern) so Ruff RUF043 is
satisfied while still matching the `checker.CheckError` raised by
`checker.check_worm`.

Source: Linters/SAST tools


186-234: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Weak assertions only check for field-name presence, not failure state.

assert "gsri_threshold" in output (Line 208) and assert "gsri_threshold" in output (Line 232) only confirm the check ran; they don't confirm it actually reports FAIL/error. A regression that silently turns these into PASS entries would still satisfy the assertion. Consider asserting on the status marker too (e.g., "gsri_threshold | FAIL" or similar), consistent with how Lines 233-234 already assert "pqc_worm_logger | PASS".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_daily_sentinel_operational_check.py` around lines 186 - 234, The
test assertions in test_main_returns_nonzero_when_evidence_is_stale and
test_main_continues_after_individual_evidence_error are too weak because they
only check for the gsri_threshold name; update them to assert the emitted status
shows a failure state, matching the existing PASS checks for pqc_worm_logger and
tee_tpm_attestation. Use the checker.main output captured by capsys to verify
gsri_threshold is reported with a FAIL/error marker rather than just present in
the text.

1-260: 📐 Maintainability & Code Quality | 🔵 Trivial | 🏗️ Heavy lift

No direct test coverage for check_dashboard.

Every main()-based test passes --skip-dashboard, so the dashboard reachability check (HTTP HEAD/GET fallback, TLS options) added in this cohort has no unit test exercising it directly in this file. Consider adding at least one test (e.g., via responses/requests-mock or a local HTTP server) covering the HEAD/GET fallback path.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/test_daily_sentinel_operational_check.py` around lines 1 - 260, Add
direct unit coverage for check_dashboard in this test module, since all existing
main() cases use --skip-dashboard and never exercise the dashboard reachability
logic. Create at least one test around
scripts.daily_sentinel_operational_check.check_dashboard that verifies the
HEAD-to-GET fallback path, and if applicable another that covers TLS-related
request options, using a mock HTTP layer or local test server so the behavior is
validated without hitting a real endpoint.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.md`:
- Around line 86-91: Remove the maintenance-window exception from the RED-state
criteria in the runbook unless there is an actual enforcement path in the
checker; the current CLI only exposes `--skip-dashboard`, so update the guidance
in the affected section to match what the checker can truly evaluate and keep
the remaining Sentinel health, G-SRI, WORM, and TEE/TPM conditions unchanged.

In `@scripts/daily_sentinel_operational_check.py`:
- Around line 106-127: The dashboard URL handling in _open_dashboard currently
passes any scheme through to urllib.request.urlopen, which can allow non-HTTP
resources. Add an explicit allowlist check for only http and https schemes
before the urlopen call, and make invalid schemes return a failed dashboard
check result with a clear error instead of raising or opening the resource.

---

Nitpick comments:
In `@tests/test_daily_sentinel_operational_check.py`:
- Around line 109-113: The `test_check_worm_rejects_wrong_logger_name` assertion
uses `pytest.raises(..., match=...)` with an unescaped regex metacharacter, so
the pattern is imprecise. Update the `match` argument in this test to use a
properly escaped literal for `pqc_worm_logger.py` (or otherwise quote the
pattern) so Ruff RUF043 is satisfied while still matching the
`checker.CheckError` raised by `checker.check_worm`.
- Around line 186-234: The test assertions in
test_main_returns_nonzero_when_evidence_is_stale and
test_main_continues_after_individual_evidence_error are too weak because they
only check for the gsri_threshold name; update them to assert the emitted status
shows a failure state, matching the existing PASS checks for pqc_worm_logger and
tee_tpm_attestation. Use the checker.main output captured by capsys to verify
gsri_threshold is reported with a FAIL/error marker rather than just present in
the text.
- Around line 1-260: Add direct unit coverage for check_dashboard in this test
module, since all existing main() cases use --skip-dashboard and never exercise
the dashboard reachability logic. Create at least one test around
scripts.daily_sentinel_operational_check.check_dashboard that verifies the
HEAD-to-GET fallback path, and if applicable another that covers TLS-related
request options, using a mock HTTP layer or local test server so the behavior is
validated without hitting a real endpoint.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 99095d9a-ec16-4652-969b-4aa14078f5fb

📥 Commits

Reviewing files that changed from the base of the PR and between a8c9a19 and 9207200.

📒 Files selected for processing (4)
  • docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.md
  • pyproject.toml
  • scripts/daily_sentinel_operational_check.py
  • tests/test_daily_sentinel_operational_check.py

Comment on lines +86 to +91
Treat the daily control state as **RED** when any of the following conditions occurs:

- Sentinel dashboard/API health is not 2xx and the outage is not covered by an approved maintenance window.
- G-SRI evidence is missing, stale, unsigned, or at/above the policy threshold.
- `pqc_worm_logger.py` has not committed the latest WORM batch, the bucket does not match the designated Object Lock bucket, Object Lock metadata is missing, retention is expired, the PQC signature is not verified, or commit lag exceeds the SLO.
- TEE/TPM attestation is stale, `PCR_MATCH` is not true, TEE status is not trusted/verified, or the attestation signature is not verified.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate the runbook and any references to maintenance windows or the checker contract.
git ls-files 'docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.md' \
  | xargs -r -I{} sh -c 'echo "### {}"; wc -l "{}"; echo'
echo "### Search for maintenance window references"
rg -n --hidden --no-ignore-vcs -S "maintenance window|maintenance-window|approved maintenance|checker contract|fail-closed|Sentinel dashboard/API health|RED when any" docs . || true

Repository: OneFineStarstuff/OneFineStarstuff.github.io

Length of output: 50399


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file='docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.md'

echo "### Runbook excerpt"
sed -n '70,105p' "$file" | cat -n

echo
echo "### Maintenance-window references near Sentinel docs"
rg -n -S "maintenance window|maintenance-window|approved maintenance|Sentinel dashboard/API health|checker contract|daily control state|RED when any" \
  docs/reports rag-agentic-dashboard --glob '!**/*.html' --glob '!**/node_modules/**' || true

echo
echo "### Contract-like references in the Sentinel generator"
rg -n -S "dashboard/API health|maintenance|checker|contract|fail-closed" rag-agentic-dashboard/gen-sentinel-ai-v24-governance.py || true

Repository: OneFineStarstuff/OneFineStarstuff.github.io

Length of output: 4355


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "### Locate the checker implementation"
rg -n -S "daily_sentinel_operational_check|skip-dashboard|require-compliance-object-lock|maintenance window|maintenance-window|overall_status|results array" \
  . --glob '!**/*.html' --glob '!**/node_modules/**' --glob '!**/dist/**' --glob '!**/build/**' || true

echo
echo "### Likely Python entrypoints"
fd -HI 'daily_sentinel_operational_check*|*operational_check*|*sentinel*check*' . || true

Repository: OneFineStarstuff/OneFineStarstuff.github.io

Length of output: 8171


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file='scripts/daily_sentinel_operational_check.py'

echo "### CLI and dashboard-related functions"
ast-grep outline "$file" --view expanded

echo
echo "### Relevant slices"
sed -n '1,220p' "$file" | cat -n
echo
sed -n '220,470p' "$file" | cat -n

Repository: OneFineStarstuff/OneFineStarstuff.github.io

Length of output: 22050


Drop the maintenance-window exception unless the checker enforces it. The CLI only exposes --skip-dashboard; there’s no maintenance-window input or enforcement path, so this line suggests a bypass operators can’t actually use.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.md` around lines 86 - 91,
Remove the maintenance-window exception from the RED-state criteria in the
runbook unless there is an actual enforcement path in the checker; the current
CLI only exposes `--skip-dashboard`, so update the guidance in the affected
section to match what the checker can truly evaluate and keep the remaining
Sentinel health, G-SRI, WORM, and TEE/TPM conditions unchanged.

Comment on lines +106 to +127
def _ssl_context(insecure_tls: bool) -> ssl.SSLContext | None:
"""Build the TLS context for dashboard checks."""
if not insecure_tls:
return None
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
return context


def _open_dashboard(
url: str,
method: str,
timeout_seconds: float,
context: ssl.SSLContext | None,
) -> int:
request = urllib.request.Request(url, method=method)
with urllib.request.urlopen(
request, timeout=timeout_seconds, context=context
) as resp:
return resp.getcode()

@coderabbitai coderabbitai Bot Jul 6, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Map the target file and nearby call sites.
ast-grep outline scripts/daily_sentinel_operational_check.py --view expanded || true

echo '--- file excerpt ---'
sed -n '1,220p' scripts/daily_sentinel_operational_check.py

echo '--- url-related references ---'
rg -n "urlsplit|urlopen|_open_dashboard|check_dashboard|dashboard" scripts/daily_sentinel_operational_check.py

Repository: OneFineStarstuff/OneFineStarstuff.github.io

Length of output: 11190


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- parse_args / main ---'
sed -n '388,490p' scripts/daily_sentinel_operational_check.py

echo '--- dashboard-url references across repo ---'
rg -n --hidden --glob '!*.git' --glob '!**/node_modules/**' --glob '!**/dist/**' --glob '!**/build/**' --glob '!**/.venv/**' \
  --fixed-strings -- 'dashboard-url' .

echo '--- url scheme usage in this file ---'
python3 - <<'PY'
from urllib.parse import urlsplit
for u in [
    "https://sentinel.internal.g-sifi.local",
    "http://example.com",
    "file:///etc/passwd",
    "ftp://example.com",
    "data:text/plain,hi",
]:
    print(u, "->", urlsplit(u).scheme)
PY

Repository: OneFineStarstuff/OneFineStarstuff.github.io

Length of output: 3691


🏁 Script executed:

python3 - <<'PY'
import tempfile
from pathlib import Path
from urllib.request import urlopen

# file:// support
tmp = tempfile.NamedTemporaryFile(delete=False)
tmp.write(b"hello")
tmp.close()
file_url = Path(tmp.name).as_uri()

for url in [file_url, "data:text/plain,hi"]:
    try:
        with urlopen(url, timeout=2) as resp:
            print(url, "opened", "code=", resp.getcode(), "class=", type(resp).__name__)
            print("read:", resp.read(16))
    except Exception as e:
        print(url, "ERROR", type(e).__name__, e)
PY

Repository: OneFineStarstuff/OneFineStarstuff.github.io

Length of output: 323


Restrict dashboard URLs to HTTP(S) scripts/daily_sentinel_operational_check.py:116-129

urllib.request.urlopen will happily open file: and data: URLs, so a crafted --dashboard-url can reach local or non-HTTP resources. Add an http/https allowlist before calling urlopen, and surface the bad scheme as a failed check instead of letting it escape.

🧰 Tools
🪛 ast-grep (0.44.1)

[warning] 122-124: Request-controlled URL passed to urlopen; validate against an allowlist to prevent SSRF.
Context: urllib.request.urlopen(
request, timeout=timeout_seconds, context=context
)
Note: [CWE-918] Server-Side Request Forgery (SSRF).

(urlopen-unsanitized-data)

🪛 GitHub Check: CodeFactor

[warning] 123-125: scripts/daily_sentinel_operational_check.py#L123-L125
Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected. (B310)

🪛 Ruff (0.15.20)

[error] 122-122: Audit URL open for permitted schemes. Allowing use of file: or custom schemes is often unexpected.

(S310)


[error] 123-125: Audit URL open for permitted schemes. Allowing use of file: or custom schemes is often unexpected.

(S310)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/daily_sentinel_operational_check.py` around lines 106 - 127, The
dashboard URL handling in _open_dashboard currently passes any scheme through to
urllib.request.urlopen, which can allow non-HTTP resources. Add an explicit
allowlist check for only http and https schemes before the urlopen call, and
make invalid schemes return a failed dashboard check result with a clear error
instead of raising or opening the resource.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Micro-Learning Topic: Server-Side Request Forgery (SSRF) (CWE 918)

Matched on "CWE-918"

What is this? (2min video)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-Side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skipped: comment is from another GitHub bot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

codex 📦 dependencies documentation Improvements or additions to documentation julia python Pull requests that update python code size/XL

Projects

Development

Successfully merging this pull request may close these issues.

3 participants