perf(ci): run affected checks by module #435
Walkthrough
The PR adds a planner
Changes
- Changed-checks planner and CI matrix jobs
- E2E prebuilt image pipeline
- Linter migration: vibecode-linter → ESLint with cache
Sequence Diagram(s)
sequenceDiagram
participant GH as GitHub Actions
participant planChecks as plan-checks job
participant changedChecks as changed-checks.mjs
participant matrixJob as *-modules matrix job
participant aggregator as aggregator job
GH->>planChecks: trigger on push/PR
planChecks->>changedChecks: node scripts/changed-checks.mjs --matrix
changedChecks->>changedChecks: git diff → affectedClosure → createChangedChecksPlan
changedChecks-->>planChecks: GithubMatrix JSON + has_work flags
planChecks->>GH: write GITHUB_OUTPUT (typecheck_matrix, lint_matrix, ...)
GH->>matrixJob: spawn N parallel jobs per matrix include
matrixJob->>matrixJob: bun run --filter <pkg> <script>
matrixJob-->>aggregator: result (success/failure/cancelled)
aggregator->>GH: exit 1 on failure/cancelled
sequenceDiagram
participant e2ePrepare as e2e-prepare job
participant buildScript as build-e2e-project-image.ts
participant packScript as pack-e2e-prebuilt.mjs
participant artifacts as GitHub Artifacts
participant e2eRunner as e2e-* runner job
participant dockerShell as _lib.sh
e2ePrepare->>buildScript: bun run → writeProjectFiles + docker build
buildScript-->>e2ePrepare: docker-git-e2e-project image
e2ePrepare->>e2ePrepare: docker build controller image
e2ePrepare->>packScript: pack runtime deps + dist → .tgz
e2ePrepare->>artifacts: upload prebuilt.tgz + controller.tar.gz + project.tar.gz
artifacts-->>e2eRunner: download all 3 artifacts
e2eRunner->>e2eRunner: tar xzf prebuilt.tgz
e2eRunner->>e2eRunner: docker load < *.tar.gz
e2eRunner->>dockerShell: DOCKER_GIT_E2E_USE_PREBUILT_CLI=1
dockerShell->>dockerShell: dg_require_prebuilt_docker_git_cli → return 0
e2eRunner->>e2eRunner: run e2e test script
Estimated code review effort: 🎯 5 (Critical) | ⏱️ ~120 minutes
Important: Pre-merge checks failed. Please resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error, 2 warnings)
✅ Passed checks (4 passed)
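As an added illustration of the plan-checks flow in the walkthrough above (this is not the repository's own scripts/changed-checks.mjs), a minimal planner that turns a `git diff --name-status` listing into one GitHub matrix per check script with has_work flags, plus an aggregator verdict that also accounts for the plan-checks job result. The package names, dependency graph and sample diff are constructed for the example; it also covers the docs-only, unknown-root-file and delete-only cases the review raises further down.

```javascript
// Added example, not the repository's scripts/changed-checks.mjs.
// Package names, dependency graph and sample diff are constructed.

// Constructed workspace: directory -> package name.
const PACKAGES = {
  "packages/lib": "@example/lib",
  "packages/app": "@example/app",
  "packages/container": "@example/container",
};

// Constructed reverse dependency graph: package -> packages that depend on it.
const DEPENDENTS = {
  "@example/lib": ["@example/app", "@example/container"],
  "@example/app": [],
  "@example/container": [],
};

const CHECK_SCRIPTS = ["typecheck", "lint", "test"];

// Documentation files never affect a check.
const DOCS_ONLY = /\.(md|txt)$/i;

// Root files whose change invalidates every package's checks.
const GLOBAL_ROOT = new Set(["package.json", "bun.lock", ".github/workflows/check.yml"]);

function packageOf(file) {
  for (const dir of Object.keys(PACKAGES)) {
    if (file.startsWith(dir + "/")) return PACKAGES[dir];
  }
  return null;
}

// Transitive closure: a changed package affects itself and every dependent.
function affectedClosure(pkgs) {
  const seen = new Set();
  const stack = [...pkgs];
  while (stack.length > 0) {
    const pkg = stack.pop();
    if (seen.has(pkg)) continue;
    seen.add(pkg);
    stack.push(...(DEPENDENTS[pkg] ?? []));
  }
  return [...seen].sort();
}

// Parse `git diff --name-status` lines ("M\tpath"; renames are "R100\told\tnew").
function parseNameStatus(text) {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => {
      const parts = line.split("\t");
      return { status: parts[0][0], path: parts[parts.length - 1] };
    });
}

// Plan modes: "skip" (no work), "all" (full run), "affected" (closure only).
function createChangedChecksPlan(changes) {
  const touched = new Set();
  for (const { path } of changes) {
    if (DOCS_ONLY.test(path)) continue;
    const pkg = packageOf(path);
    // Unknown or global root file: fall back to a full run.
    if (pkg === null || GLOBAL_ROOT.has(path)) {
      return { mode: "all", packages: Object.values(PACKAGES).sort() };
    }
    // The git status is deliberately ignored: a delete-only diff inside a
    // package still marks that package as touched and must not yield "skip".
    touched.add(pkg);
  }
  // Docs-only (or empty) diff: nothing to check.
  if (touched.size === 0) return { mode: "skip", packages: [] };
  return { mode: "affected", packages: affectedClosure(touched) };
}

// One GitHub matrix per check script plus the has_work flag the workflow gates on.
function toGithubMatrix(plan) {
  const out = {};
  for (const script of CHECK_SCRIPTS) {
    const include = plan.packages.map((pkg) => ({ package: pkg, script }));
    out[`${script}_matrix`] = { include };
    out[`${script}_has_work`] = include.length > 0;
  }
  return out;
}

// Aggregator verdict: a failed plan-checks job must fail the aggregate even
// though its dependent module jobs then show up as "skipped", not "failure".
function aggregate(planResult, hasWork, moduleResults) {
  if (planResult !== "success") return "failure";
  if (!hasWork) return "success";
  return moduleResults.every((result) => result === "success") ? "success" : "failure";
}

// Constructed sample diff: one modified and one deleted file in lib, plus docs.
const SAMPLE_DIFF = [
  "M\tpackages/lib/src/core/domain.ts",
  "D\tpackages/lib/src/old-helper.ts",
  "M\tREADME.md",
].join("\n");

const samplePlan = createChangedChecksPlan(parseNameStatus(SAMPLE_DIFF));
console.log(JSON.stringify(toGithubMatrix(samplePlan), null, 2));
```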
Agent Plan Update
Branch:
1. Plan (source: codex, captured 2026-06-20T09:55:53.033Z): Issue #432: Affected-Only Checks For Tests And Linters
   Sections: Summary, Key Changes, Test Plan, Assumptions
2. Plan (source: codex, captured 2026-06-20T09:57:02.458Z): Issue #432: Affected Checks Without Vibecode Linter
   Sections: Summary, Key Changes, Test Plan, Assumptions
3. Plan (source: codex, captured 2026-06-20T09:58:24.140Z): Codex Plan
   Sections: Steps
4. Plan (source: codex, captured 2026-06-20T10:02:57.164Z): Codex Plan
   Sections: Steps
5. Plan (source: codex, captured 2026-06-20T10:04:05.366Z): Codex Plan
   Sections: Steps
6. Plan (source: codex, captured 2026-06-20T10:04:57.390Z): Codex Plan
   Sections: Steps
7. Plan (source: codex, captured 2026-06-20T10:31:46.394Z): Codex Plan
   Sections: Steps
8. Plan (source: codex, captured 2026-06-20T10:32:56.757Z): Codex Plan
   Sections: Steps
9. Plan (source: codex, captured 2026-06-20T10:34:41.234Z): Codex Plan
   Sections: Steps
10. Plan (source: codex, captured 2026-06-20T10:36:36.290Z): Codex Plan
    Sections: Steps
11. Plan (source: codex, captured 2026-06-20T10:40:12.189Z): Codex Plan
    Sections: Steps
12. Plan (source: codex, captured 2026-06-20T09:53:46.473Z): Issue #432: changed-only lint/test tooling
    Sections: Findings, Recommended Changes, Impact Rules, Test Plan
13. Plan (source: codex, captured 2026-06-20T09:52:54.169Z): Issue #432 Plan
    Sections: Current Full-Run, Where To Hook In Changed-Only/Cache, Edge Cases, Test Plan
SOURCE: n/a
Agent Plan Update
Branch:
1. Plan (source: codex, captured 2026-06-20T11:48:23.377Z): Plan: build-once artifact for E2E
   Sections: Summary, Key Changes, Test Plan, Assumptions
Agent Plan Update
Branch:
1. Plan (source: codex, captured 2026-06-20T13:13:16.916Z): Speeding Up E2E Via A Reusable Project Image
   Sections: Summary, Key Changes, CI Changes, Test Plan
2. Plan (source: codex, captured 2026-06-20T13:13:45.535Z): Codex Plan
   Sections: Steps
3. Plan (source: codex, captured 2026-06-20T13:19:48.301Z): Codex Plan
   Sections: Steps
Actionable comments posted: 9
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@.github/workflows/check.yml`:
- Around line 124-132: The aggregator checks only verify the MODULE_RESULT but
do not check if the upstream plan-checks job failed. When plan-checks fails,
dependent jobs become skipped rather than failed, causing the aggregators to
incorrectly pass. Add checks for the plan-checks job result in addition to the
MODULE_RESULT comparison in all four aggregator jobs (Check typecheck module
results, Check linter module results, Check test module results, and Check e2e
module results) to ensure they fail if either the upstream plan-checks or the
module job fails or is cancelled.
- Around line 71-73: Pin all external GitHub Actions in the workflow file to
specific commit SHAs instead of version tags (e.g., replace `@v6` with a full
commit hash) to prevent supply-chain attacks. Additionally, add
persist-credentials: false to all actions/checkout steps to disable unnecessary
credential storage in the git config during workflow execution. Apply these
changes to all instances of actions/checkout and other external actions
throughout the file at the specified line ranges including 71-73, 111, 144, 177,
210, 241-243, 282-293, 321-339, 370-388, 419-437, 468-486, 517-535, and 566-584.
In `@packages/app/src/docker-git/browser-frontend-prebuilt.ts`:
- Around line 16-29: Refactor the direct process access calls in
shouldUsePrebuiltBrowserFrontend and ensurePrebuiltBrowserFrontend to use a
Layer-based service instead of calling process.env and process.cwd() directly.
Create a RuntimeConfig Layer that provides getEnv() and getCwd() methods, then
update shouldUsePrebuiltBrowserFrontend to either return an Effect that uses
Effect.gen to access the config service, or make it accept the environment value
as a parameter. For ensurePrebuiltBrowserFrontend, update the runCommandExitCode
call to obtain the cwd through the RuntimeConfig service via Effect.gen rather
than calling process.cwd() directly.
In `@packages/app/tests/docker-git/changed-checks.test.ts`:
- Around line 95-187: The test suite for the "changed-checks planner" describe
block currently uses only example-based tests and lacks property-based invariant
testing. Add property-based tests using fast-check's fc.property to verify three
key invariants: first, that docs-only file changes result in skip mode; second,
that unknown or global root file changes result in all mode; third, that
delete-only changes within a package do not produce skip mode (this should
include a specific reproducing test case for the delete-only diff bug that was
discovered). Ensure each property test documents the root cause and fix as a
comment following the coding guidelines for test files.
In `@packages/container/src/core/templates-entrypoint/base.ts`:
- Around line 66-79: The function renderEntrypointProjectRuntimeEnv is
persisting REPO_URL and FORK_REPO_URL directly to environment files without
removing potentially embedded credentials (like auth tokens in the format
https://token@host). Before writing these URLs to the DOCKER_GIT_PROJECT_PROFILE
file or passing them to docker_git_upsert_ssh_env calls, sanitize them by
removing any userinfo components that may contain sensitive credentials. Ensure
the sanitized versions are used in both the printf statements for the profile
file and the docker_git_upsert_ssh_env function calls for REPO_URL and
FORK_REPO_URL.
In `@packages/container/tests/core/templates.test.ts`:
- Around line 984-995: The test "renders an explicit prebuilt image without a
build section" currently only verifies a single hardcoded case. Replace or
enhance this test to use property-based testing with fast-check to verify the
mathematical invariant for build/image selection: when an imageName is provided
to makeTemplateConfig, the rendered compose output must always contain image and
pull_policy: never while never containing build: .; conversely, when no
imageName is provided, the opposite should hold. This approach will verify the
contract across multiple generated test cases rather than relying on a single
fixed value.
In `@scripts/changed-checks.mjs`:
- Around line 375-387: The flags `--concurrency`, `--base`, and `--head`
currently accept missing or invalid values without validation, causing ambiguous
CLI behavior. For each of these three flag handlers in the argument parsing
section, add validation to check that the next argument exists in the rest array
and is not another flag (does not start with "--"), and throw an explicit error
with the message "Missing value for [flag-name]" if the validation fails. This
validation should happen before assigning the parsed value to ensure required
arguments are always provided.
In `@scripts/ci/pack-e2e-prebuilt.mjs`:
- Around line 23-43: The addExistingPath function resolves paths that may be
symlinks, but does not validate that the resolved path stays within the repoRoot
boundary. This allows paths with `../` to escape the repository and be included
in the tar archive. After resolving the path with resolve(repoRoot, path) and
computing the relative path with toRelativePath, validate that the resolved
absolute path actually starts with repoRoot (after normalization) before adding
it to the paths collection. If the resolved path is outside repoRoot, call fail
to reject it with an appropriate error message about path traversal.
In `@scripts/npx`:
- Line 5: The script has a path traversal vulnerability where the user-supplied
command_name variable is embedded directly into the node_modules/.bin path
without validation, allowing attackers to use sequences like ../ to escape the
intended directory. Add validation to the $command_name variable to ensure it
only contains alphanumeric characters, hyphens, and underscores before it is
used in the path construction on line 41. Reject any input containing forward
slashes, double dots, or other special characters by checking the variable
against a whitelist pattern and exiting early if validation fails.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: ec771cfd-8b54-4fe4-8cf3-f4c5f1663902
⛔ Files ignored due to path filters (1)
bun.lock is excluded by !**/*.lock
📒 Files selected for processing (49)
- .github/actions/setup/action.yml
- .github/workflows/check.yml
- .gitignore
- docker-compose.yml
- experiments/terminal-query-suppression.md
- package.json
- packages/api/package.json
- packages/api/src/services/projects.ts
- packages/api/tests/projects.test.ts
- packages/app/linter.config.json
- packages/app/package.json
- packages/app/src/docker-git/browser-frontend-launch.ts
- packages/app/src/docker-git/browser-frontend-prebuilt.ts
- packages/app/src/docker-git/browser-frontend.ts
- packages/app/tests/docker-git/browser-frontend.test.ts
- packages/app/tests/docker-git/changed-checks.test.ts
- packages/container/linter.config.json
- packages/container/package.json
- packages/container/src/core/domain.ts
- packages/container/src/core/templates-entrypoint.ts
- packages/container/src/core/templates-entrypoint/agents-notice.ts
- packages/container/src/core/templates-entrypoint/base.ts
- packages/container/src/core/templates-entrypoint/claude-extra-config.ts
- packages/container/src/core/templates-entrypoint/codex-resume-hint.ts
- packages/container/src/core/templates-entrypoint/gemini.ts
- packages/container/src/core/templates-entrypoint/grok.ts
- packages/container/src/core/templates/docker-compose.ts
- packages/container/tests/core/templates.test.ts
- packages/docker-git-session-sync/package.json
- packages/lib/linter.config.json
- packages/lib/package.json
- packages/lib/src/core/domain.ts
- packages/lib/src/shell/config.ts
- packages/lib/src/shell/docker-compose.ts
- packages/lib/src/usecases/actions/create-project.ts
- packages/lib/src/usecases/actions/docker-up.ts
- packages/lib/src/usecases/projects-up.ts
- packages/lib/tests/usecases/docker-up-force.test.ts
- packages/lib/tests/usecases/projects-up.test.ts
- packages/terminal/linter.config.json
- packages/terminal/package.json
- patches/@ton-ai-core__vibecode-linter@1.0.6.patch
- scripts/changed-checks.d.mts
- scripts/changed-checks.mjs
- scripts/ci/build-e2e-project-image.ts
- scripts/ci/pack-e2e-prebuilt.mjs
- scripts/e2e/_lib.sh
- scripts/e2e/browser-command.sh
- scripts/npx
💤 Files with no reviewable changes (5)
- packages/container/linter.config.json
- packages/lib/linter.config.json
- packages/terminal/linter.config.json
- patches/@ton-ai-core__vibecode-linter@1.0.6.patch
- packages/app/linter.config.json
📜 Review details
⏰ Context from checks skipped due to timeout (6)
- GitHub Check: Types
- GitHub Check: Lint (@prover-coder-ai/docker-git lint)
- GitHub Check: Lint (@prover-coder-ai/docker-git lint:tests)
- GitHub Check: Test (@prover-coder-ai/docker-git test)
- GitHub Check: E2E prepare
- GitHub Check: Final build (windows-latest)
🧰 Additional context used
📓 Path-based instructions (18)
**/*.{sh,bash,py,js,ts,jsx,tsx,go,java,rb,php}
📄 CodeRabbit inference engine (Custom checks)
Fail if changed files introduce command injection or unsafe shell/process execution with user-controlled input
**/*.{py,js,ts,jsx,tsx,go,java,rb,php,sh,bash,c,cpp}
📄 CodeRabbit inference engine (Custom checks)
Fail if changed files introduce path traversal or writes outside intended project/container state directories
**/*.{js,ts,jsx,tsx,py,java,go,rb,php,sh,bash,yml,yaml,json,env*,toml,cfg,config,dockerfile,dockerignore}
📄 CodeRabbit inference engine (Custom checks)
Fail if changed files expose credentials, tokens, private-keys, or PII in source, generated config, logs, or CI output
**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
- FUNCTIONAL CORE: Write only pure functions with immutable data and mathematical operations in core modules; no side effects, mutations, or external service calls
- IMPERATIVE SHELL: Isolate all side effects (IO, network, database, environment/process) in a thin SHELL layer; CORE never calls SHELL, only SHELL → CORE
- Never use the `any` type annotation in TypeScript; use `unknown` only at SHELL boundaries for decoding, never export `unknown` outside boundary modules
- Never use `as` type assertions in normal code; only permit `as` in a single 'axiomatic' module (brands, constructors, constants) after which types flow safely without casts
- Always use exhaustive pattern matching for union types through `.exhaustive()` or `Match.exhaustive()` from effect-ts; never use switch statements or unhandled type branches
- Use the Effect<Success, Error, Requirements> monad from effect-ts for all effects; compose through pipe() and Effect.flatMap(); never use async/await, raw Promise chains (then/catch), or Promise.all in product code
- Interoperate with Promise/exceptions only in SHELL through Effect.try/Effect.tryPromise with typed error mapping; never leave raw exceptions or untyped errors in the domain
- Use Effect.acquireRelease + Effect.scoped for resource management with guaranteed finalization; never manage resources with try/finally or manual cleanup
- All external services (database, HTTP, environment) must be accessed through Effect-based interfaces and Layer-based dependency injection; never call external APIs directly
- Provide comprehensive TSDoc comments with mathematical notation: `@pure`, `@effect`, `@invariant`, `@precondition`, `@postcondition`, `@complexity`, `@throws`, and CHANGE/WHY/REF/SOURCE/FORMAT THEOREM functional comment markers
- No console.*, process direct calls, or untyped environment access in product code; all such operations must be abstracted through Layer-based services in SHELL
- Boundary data from external sources (HTTP, database, environment) must be decoded/valida...
**/{browser*,server*,app*,*.ts,*.js}
📄 CodeRabbit inference engine (README.md)
Web version must listen on 0.0.0.0 by default for accessibility across LAN devices
**/{cli*,command*,auto*,*.ts,*.tsx}
📄 CodeRabbit inference engine (README.md)
Implement auto-mode agent selection logic to choose Claude, Codex, Gemini, or Grok randomly from available authorized providers, or allow forced selection with --auto=
**/*
⚙️ CodeRabbit configuration file
**/*: You are a strict SPEC DRIVEN DEVELOPMENT reviewer. Before drawing conclusions, study README.md, the other *.md files, linked issues, the PR description, PR comments/discussion and the relevant code base. Check the changes against the original requirements/spec and the discussion. Flag any departure from the spec, any undocumented behaviour change, missing tests for the claimed behaviour, and any security risk. If the spec is not visible, ask the author to add it to the issue or PR description.
Examine the solution from the standpoint of formal verification: which invariants, preconditions and postconditions can be proven mathematically, and where provability is weak. Evaluate the solution from the standpoint of game theory: are the incentives stable, is there a profitable way around the rules, and which solution would be stronger.
**
⚙️ CodeRabbit configuration file
**: ROLE: Mathematician-programmer specialising in formally verifiable functional architecture.
GOAL: Produce mathematically provable solutions through the functional paradigm, with full separation of pure computation from controlled effects.
REASONING MODEL:
- Do not issue "personal opinions". Form the conclusion as the result of a simulated professional discussion among the relevant roles (Effect/FP architect, type reviewer, CORE↔SHELL guardian, test engineer).
- If the request is phrased as "what do you think", answer in terms of the roles' arguments and choose the solution by the criteria of invariants, type safety and testability (if the user explicitly asks for a choice, choose and justify it).
PROCESS RULE (NOT A RESPONSE FORMAT):
At the start of the work, (internally) formulate a Deep Research question:
"I am looking for code that does , is there existing code that can do this?"
Then:
- if the project/code is available, first search for and reuse existing patterns (minimal correct diff),
- if the project is unavailable, rely on the provided context and record assumptions explicitly,
- write code only after a formal understanding of the task (types/invariants → architecture → code → tests),
- cite sources only if external material was actually used; otherwise SOURCE: n/a.
TOOL BEHAVIOUR (MANDATORY, NOT A RESPONSE FORMAT):
- The agent always uses the available environment tools (terminal, project search, running tests/scripts, build analysis, web research when needed) for research, hypothesis checking and carrying out actions. Priority: verifiability, reproducibility, minimal risk.
- The agent does not offer a "guide" as a substitute for action. If an action can be performed with tools, the agent performs it itself, then reports what was done and how to reproduce it.
- The agent gives any instructions (commands/procedures) only after verifying them itself in the available environment. If verification is impossible, it explicitly records the limitation and lists...
**/{setup,install,config,*.sh,*.md}
📄 CodeRabbit inference engine (README.md)
Ensure default projects directory is ~/.docker-git
Files:
- experiments/terminal-query-suppression.md
- scripts/e2e/browser-command.sh
- scripts/e2e/_lib.sh
.gitignore
📄 CodeRabbit inference engine (AGENTS.md)
Ensure .gitignore includes node_modules, dist, build, .env, and other sensitive/build artifacts; version control only source code and configuration templates
Files:
.gitignore
**/{.git*,config*,*.sh,docker-compose*}
📄 CodeRabbit inference engine (README.md)
Use git credential helper to automatically select correct token by host for HTTPS clone/push operations
Files:
- .gitignore
- docker-compose.yml
- scripts/e2e/browser-command.sh
- packages/lib/src/shell/config.ts
- packages/lib/src/shell/docker-compose.ts
- packages/container/src/core/templates/docker-compose.ts
- scripts/e2e/_lib.sh
**/{Dockerfile*,docker-compose*.{yml,yaml},.dockerignore}
📄 CodeRabbit inference engine (Custom checks)
Fail if changed files introduce unsafe Docker configuration such as privileged containers, broad host mounts, unbounded Docker socket access, or unnecessary write permissions
Files:
docker-compose.yml
**/{package*.json,requirements*.txt,setup.py,setup.cfg,Pipfile,Pipfile.lock,pyproject.toml,pom.xml,build.gradle,Gemfile,Gemfile.lock,go.mod,go.sum,composer.json,Cargo.toml,Cargo.lock}
📄 CodeRabbit inference engine (Custom checks)
Fail if dependency or package-manager changes materially increase supply-chain risk without justification
Files:
packages/docker-git-session-sync/package.json
packages/api/package.json
packages/app/package.json
packages/terminal/package.json
packages/lib/package.json
package.json
packages/container/package.json
**/*.test.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.test.{ts,tsx}: Write property-based tests using fast-check (fc.property) to verify mathematical invariants; unit tests must use Effect test utilities without async/await
Every bug fix must be accompanied by a reproducing test case; the test must fail before the fix and pass after; document the Proof of Fix with root cause and solution
Files:
packages/api/tests/projects.test.ts
packages/app/tests/docker-git/browser-frontend.test.ts
packages/container/tests/core/templates.test.ts
packages/lib/tests/usecases/projects-up.test.ts
packages/app/tests/docker-git/changed-checks.test.ts
packages/lib/tests/usecases/docker-up-force.test.ts
**/{browser*,server*,.env*,*.sh}
📄 CodeRabbit inference engine (README.md)
Allow DOCKER_GIT_WEB_HOST environment variable to restrict web access to 127.0.0.1
Files:
packages/app/src/docker-git/browser-frontend-prebuilt.ts
scripts/e2e/browser-command.sh
packages/app/tests/docker-git/browser-frontend.test.ts
packages/app/src/docker-git/browser-frontend-launch.ts
scripts/e2e/_lib.sh
packages/app/src/docker-git/browser-frontend.ts
**/{.env*,auth*,config*,setup*}
📄 CodeRabbit inference engine (README.md)
Store authentication tokens in env-file as GIT_AUTH_TOKEN__ / GIT_AUTH_USER__
Files:
packages/lib/src/shell/config.ts
package.json
📄 CodeRabbit inference engine (AGENTS.md)
Dependencies must include effect ^3.x and @effect/schema ^0.x; prohibit downgrading these versions or introducing incompatible alternatives (async-only libraries without Effect support)
Require Effect and @effect/schema as mandatory dependencies for type-safe effects and validation
Files:
package.json
**/.github/workflows/*.{yml,yaml}
📄 CodeRabbit inference engine (Custom checks)
Fail if changed files introduce unsafe GitHub Actions configuration such as unsafe pull_request_target, or unnecessary write permissions
Files:
.github/workflows/check.yml
🧠 Learnings (3)
📚 Learning: 2026-05-22T21:08:18.083Z
Learnt from: skulidropek
Repo: ProverCoderAI/docker-git PR: 344
File: packages/app/src/docker-git/controller-compose.ts:34-40
Timestamp: 2026-05-22T21:08:18.083Z
Learning: In this repo’s docker-git controller compose generation, `${DOCKER_GIT_CONTROLLER_BUILD_SKILLER:-1}` should be treated as standard bash parameter expansion: when `DOCKER_GIT_CONTROLLER_BUILD_SKILLER` is unset, it defaults to the string "1". There is no "-1" mode. The runtime contract enforced by `packages/app/src/docker-git/controller-compose.ts` is: unset / "1" / "true" => output "1"; "0" / "false" => output "0". If review code shows branching/behavior for "-1" or any numeric value other than this 0/1 contract, flag it. Also ensure the Dockerfile ARG `DOCKER_GIT_CONTROLLER_BUILD_SKILLER` stays consistent with default `1`.
Applied to files:
packages/app/src/docker-git/browser-frontend-prebuilt.ts
packages/app/src/docker-git/browser-frontend-launch.ts
packages/app/src/docker-git/browser-frontend.ts
📚 Learning: 2026-06-10T10:21:51.286Z
Learnt from: konard
Repo: ProverCoderAI/docker-git PR: 386
File: packages/app/tests/docker-git/gridland-react-singleton.test.ts:0-0
Timestamp: 2026-06-10T10:21:51.286Z
Learning: In `packages/app/tests/docker-git` tests that inspect the `packages/terminal` workspace (e.g., for React-related versions), remember that `react-dom` is intentionally declared as a `devDependency` in `packages/terminal` (the terminal exports components but does not render to the DOM itself). Therefore, test assertions should not require `react-dom` to appear in `dependencies`; when resolving versions, accept either `dependencies` or `devDependencies` (as `resolveDepVersion` does in `gridland-react-singleton.test.ts`).
Applied to files:
packages/app/tests/docker-git/browser-frontend.test.ts
packages/app/tests/docker-git/changed-checks.test.ts
📚 Learning: 2026-05-18T07:43:38.131Z
Learnt from: skulidropek
Repo: ProverCoderAI/docker-git PR: 313
File: packages/api/src/services/panel-cloudflare-tunnel.ts:123-135
Timestamp: 2026-05-18T07:43:38.131Z
Learning: In this repo’s ProverCoderAI/docker-git architecture, it is intentional for service modules under packages/api/src/services/ to call Node.js APIs directly (e.g., fs, child_process, fetch). Do not treat direct Node API usage in these service modules as a dependency-injection (DI) violation. This codebase provides the NodeContext at the program boundary (entry point) rather than injecting Context.Tag/Layer services into individual service modules; reviewers should only flag DI/context issues if the expected boundary setup is missing.
Applied to files:
packages/api/src/services/projects.ts
🪛 zizmor (1.25.2)
.github/workflows/check.yml
[warning] 71-73: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 111-111: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 144-144: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 177-177: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 210-210: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 241-243: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 115-115: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[warning] 115-115: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[warning] 148-148: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[warning] 148-148: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[warning] 181-181: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[warning] 181-181: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[warning] 214-214: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[warning] 214-214: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
[error] 71-71: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 111-111: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 144-144: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 177-177: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 210-210: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 241-241: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 282-282: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 287-287: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 293-293: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[warning] 321-323: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 370-372: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 419-421: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 468-470: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 517-519: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[warning] 566-568: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 321-321: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 329-329: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 334-334: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 339-339: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 370-370: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 378-378: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 383-383: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 388-388: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 419-419: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 427-427: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 432-432: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 437-437: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 468-468: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 476-476: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 481-481: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 486-486: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 517-517: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 525-525: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 530-530: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 535-535: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 566-566: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 574-574: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 579-579: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 584-584: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🔇 Additional comments (29)
.gitignore (1)
17-19: No issues found in this fragment.
packages/app/package.json (1)
27-30: No issues found in this fragment.
packages/container/package.json (1)
13-14: No issues found in this fragment.
packages/terminal/package.json (1)
14-16: No issues found in this fragment.
packages/lib/package.json (1)
15-19: No issues found in this fragment.
packages/api/package.json (1)
17-20: No issues found in this fragment.
packages/docker-git-session-sync/package.json (1)
15-15: No issues found in this fragment.
experiments/terminal-query-suppression.md (1)
100-101: No issues found in this fragment.
scripts/changed-checks.d.mts (1)
1-60: LGTM!
package.json (1)
24-25: LGTM! Also applies to: 51-61
.github/actions/setup/action.yml (1)
12-15: LGTM! Also applies to: 63-63
scripts/changed-checks.mjs (1)
414-417: Unable to complete verification: The original verification request does not contain an actual review comment to rewrite. Only coding guidelines and architectural standards are provided. Please supply the specific review comment that needs to be verified and rewritten.
packages/container/src/core/domain.ts (1)
81-81: LGTM!
packages/container/src/core/templates/docker-compose.ts (1)
52-59: LGTM! Also applies to: 127-131, 252-252
packages/container/src/core/templates-entrypoint/codex-resume-hint.ts (1)
15-15: LGTM! Also applies to: 85-85
packages/container/src/core/templates-entrypoint/agents-notice.ts (1)
14-17: LGTM! Also applies to: 133-136
packages/container/src/core/templates-entrypoint/claude-extra-config.ts (1)
55-58: LGTM! Also applies to: 100-101
packages/container/src/core/templates-entrypoint/gemini.ts (1)
309-312: LGTM! Also applies to: 341-343
packages/container/src/core/templates-entrypoint/grok.ts (1)
297-300: LGTM! Also applies to: 324-327
packages/app/src/docker-git/browser-frontend-launch.ts (1)
20-37: Duplicate: the same pattern of direct process.* access here, already flagged in packages/app/src/docker-git/browser-frontend-prebuilt.ts as the root problem. Also applies to: 51-51
packages/lib/src/shell/config.ts (1)
90-91: LGTM!
packages/lib/src/core/domain.ts (1)
92-92: LGTM!
packages/lib/src/usecases/actions/docker-up.ts (1)
60-60: LGTM! Also applies to: 186-217, 262-268
packages/lib/src/shell/docker-compose.ts (1)
119-136: LGTM!
packages/lib/src/usecases/projects-up.ts (1)
53-54: LGTM! Also applies to: 227-230
packages/lib/src/usecases/actions/create-project.ts (1)
184-185: LGTM!
scripts/ci/build-e2e-project-image.ts (1)
1-47: LGTM!
scripts/e2e/_lib.sh (1)
549-580: LGTM!
scripts/e2e/browser-command.sh (1)
194-195: LGTM!
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 |
External actions need to be pinned to a commit SHA, and persist-credentials needs to be disabled in checkout.
Right now uses: ...@v6/@v7 remain floating, and checkout by default stores the token in the runner's git config. For a workflow that works heavily with artifacts this is an unnecessary supply-chain / credential-hygiene risk.
As per coding guidelines: "**/.github/workflows/*.{yml,yaml}: Fail if changed files introduce unsafe GitHub Actions configuration such as unsafe pull_request_target, or unnecessary write permissions".
Also applies to: 111-111, 144-144, 177-177, 210-210, 241-243, 282-293, 321-339, 370-388, 419-437, 468-486, 517-535, 566-584
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 71-73: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 71-71: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/check.yml around lines 71 - 73, Pin all external GitHub
Actions in the workflow file to specific commit SHAs instead of version tags
(e.g., replace `@v6` with a full commit hash) to prevent supply-chain attacks.
Additionally, add persist-credentials: false to all actions/checkout steps to
disable unnecessary credential storage in the git config during workflow
execution. Apply these changes to all instances of actions/checkout and other
external actions throughout the file at the specified line ranges including
71-73, 111, 144, 177, 210, 241-243, 282-293, 321-339, 370-388, 419-437, 468-486,
517-535, and 566-584.
Sources: Coding guidelines, Linters/SAST tools
| - name: Check typecheck module results | ||
| env: | ||
| MODULE_RESULT: ${{ needs.types-modules.result }} | ||
| run: | | ||
| if [ -f packages/docker-git-session-sync/package.json ]; then | ||
| bun run --cwd packages/docker-git-session-sync typecheck | ||
| else | ||
| echo "packages/docker-git-session-sync is not present; skipping" | ||
| if [[ "$MODULE_RESULT" == "failure" || "$MODULE_RESULT" == "cancelled" ]]; then | ||
| echo "Typecheck module job result: $MODULE_RESULT" >&2 | ||
| exit 1 | ||
| fi | ||
| - name: Typecheck (lib) | ||
| run: bun run --cwd packages/lib typecheck | ||
| - name: Typecheck (api) | ||
| run: bun run --cwd packages/api typecheck | ||
| echo "Typecheck module job result: $MODULE_RESULT" |
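Review bot: as rendered, the `if [ -f packages/docker-git-session-sync/package.json ]; then ... else echo "... skipping"` block has no closing `fi` before the `if [[ "$MODULE_RESULT" == "failure" ...` check, and the `Typecheck (lib)` / `Typecheck (api)` steps that follow look like the pre-PR per-package `--cwd` steps rather than part of the new aggregator. Confirm that the merged step body is only the `MODULE_RESULT` check ending in `echo "Typecheck module job result: $MODULE_RESULT"`, so neither the unclosed skip branch nor the old per-package steps survive in the workflow.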
The aggregators can report a false green when plan-checks fails.
At Line 124-132 (and likewise Line 157-165, 190-198, 223-231) only MODULE_RESULT is checked. If plan-checks ends in failure, the module job becomes skipped and the aggregator passes.
Proposed fix (pattern for all 4 aggregators)
- name: Check typecheck module results
env:
+ PLAN_RESULT: ${{ needs.plan-checks.result }}
MODULE_RESULT: ${{ needs.types-modules.result }}
run: |
+ if [[ "$PLAN_RESULT" == "failure" || "$PLAN_RESULT" == "cancelled" ]]; then
+ echo "Plan-checks job result: $PLAN_RESULT" >&2
+ exit 1
+ fi
if [[ "$MODULE_RESULT" == "failure" || "$MODULE_RESULT" == "cancelled" ]]; then
echo "Typecheck module job result: $MODULE_RESULT" >&2
exit 1
fi
echo "Typecheck module job result: $MODULE_RESULT"
Also applies to: 157-165, 190-198, 223-231
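Review bot: even with `PLAN_RESULT` checked, a `skipped` `types-modules` job still passes this step. That is the intended outcome when `plan-checks` found no affected packages, but if the matrix job can also be skipped for another reason (an `if:` condition or a further `needs:` entry), the aggregator cannot tell the two apart; consider passing the planner's "nothing to run" output into this step and failing on `skipped` unless that output confirms no work was planned.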
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/check.yml around lines 124 - 132, The aggregator checks
only verify the MODULE_RESULT but do not check if the upstream plan-checks job
failed. When plan-checks fails, dependent jobs become skipped rather than
failed, causing the aggregators to incorrectly pass. Add checks for the
plan-checks job result in addition to the MODULE_RESULT comparison in all four
aggregator jobs (Check typecheck module results, Check linter module results,
Check test module results, and Check e2e module results) to ensure they fail if
either the upstream plan-checks or the module job fails or is cancelled.
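A fail-closed version of the aggregator logic, as an added example that is not code from the PR or the project. It assumes the GitHub job results of plan-checks and the *-modules job (success/failure/cancelled/skipped) and a has_work flag from the planner, and goes beyond the patch above by also treating a skipped module job as a failure unless the planner reported no work.

```shell
#!/bin/sh
# Added example (not from the PR or the project): a fail-closed aggregator for
# a plan-checks -> *-modules -> aggregator pipeline. Inputs are the GitHub job
# results of the plan job and the matrix job ("success", "failure",
# "cancelled" or "skipped") and an assumed has_work flag ("true"/"false")
# that the planner emits when it found affected packages.
# Exit status 0 means the pipeline genuinely passed.

aggregate_module_results() {
  plan_result="$1"
  module_result="$2"
  has_work="${3:-true}"

  # An upstream planner failure must never turn green, whatever the (now
  # skipped) matrix job reports.
  case "$plan_result" in
    success) ;;
    *) echo "plan-checks job result: $plan_result" >&2; return 1 ;;
  esac

  case "$module_result" in
    success) return 0 ;;
    skipped)
      # Skipped is legitimate only when the planner had nothing to run.
      if [ "$has_work" = "false" ]; then
        echo "no affected packages; module job skipped as planned"
        return 0
      fi
      echo "module job skipped although plan-checks reported work" >&2
      return 1 ;;
    *) echo "module job result: $module_result" >&2; return 1 ;;
  esac
}

# Constructed scenarios: plan result, module result, has_work, expected exit.
# Returns the number of scenarios whose outcome differs from the expectation.
run_scenarios() {
  failures=0
  while IFS=' ' read -r plan module work expected; do
    if aggregate_module_results "$plan" "$module" "$work" >/dev/null 2>&1; then
      got=0
    else
      got=1
    fi
    if [ "$got" -ne "$expected" ]; then
      echo "MISMATCH: plan=$plan module=$module has_work=$work expected=$expected got=$got" >&2
      failures=$((failures + 1))
    fi
  done <<'EOF'
success success true 0
success skipped false 0
success skipped true 1
failure skipped true 1
cancelled skipped false 1
success failure true 1
success cancelled true 1
EOF
  return "$failures"
}
```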
| export const shouldUsePrebuiltBrowserFrontend = (): boolean => | ||
| isTruthyEnv(process.env["DOCKER_GIT_E2E_USE_PREBUILT_WEB"]) | ||
|
|
||
| export const ensurePrebuiltBrowserFrontend = (): Effect.Effect< | ||
| void, | ||
| ControllerBootstrapError | PlatformError, | ||
| CommandExecutor.CommandExecutor | ||
| > => | ||
| pipe( | ||
| runCommandExitCode({ | ||
| args: ["-c", "test -f packages/app/dist-web/index.html"], | ||
| command: "sh", | ||
| cwd: process.cwd() | ||
| }), |
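Review bot: `test -f packages/app/dist-web/index.html` is resolved relative to `process.cwd()`, so `ensurePrebuiltBrowserFrontend` only finds the prebuilt frontend when the CLI is started from the repository root and reports it missing from anywhere else; derive the path from the package location (or take it as a parameter next to the env flag) so the check does not depend on the caller's working directory.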
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check for direct process calls in the new browser frontend modules
rg -n --type=ts '\bprocess\.(env|cwd)\b' \
packages/app/src/docker-git/browser-frontend-prebuilt.ts \
packages/app/src/docker-git/browser-frontend-launch.ts
Repository: ProverCoderAI/docker-git
Length of output: 532
🏁 Script executed:
#!/bin/bash
# Fetch the file contents to understand the context
echo "=== browser-frontend-prebuilt.ts ==="
cat -n packages/app/src/docker-git/browser-frontend-prebuilt.ts
echo -e "\n=== browser-frontend-launch.ts ==="
cat -n packages/app/src/docker-git/browser-frontend-launch.ts
Repository: ProverCoderAI/docker-git
Length of output: 5666
🏁 Script executed:
#!/bin/bash
# Look for existing Layer-based patterns for Environment/Runtime
rg -A 5 "class.*Env.*extends.*Context\.Tag|class.*Runtime.*extends.*Context\.Tag" \
packages/lib/src --type=ts | head -50
Repository: ProverCoderAI/docker-git
Length of output: 50
🏁 Script executed:
#!/bin/bash
# Look for existing uses of process in the SHELL layer
rg -B 2 -A 2 "process\.(env|cwd)" packages/lib/src --type=ts | head -80
Repository: ProverCoderAI/docker-git
Length of output: 6179
🏁 Script executed:
#!/bin/bash
# Check the project structure: where the SHELL layer lives
find packages -name "*shell*" -o -name "*boundary*" -o -name "*layer*" | head -20
Repository: ProverCoderAI/docker-git
Length of output: 445
Abstract process.env and process.cwd() behind a Layer-based service instead of accessing them directly.
Lines 17 and 28 (file browser-frontend-prebuilt.ts) and lines 22 and 51 (file browser-frontend-launch.ts) add direct accesses to process.env and process.cwd().
The function shouldUsePrebuiltBrowserFrontend() reads the environment synchronously. The functions ensurePrebuiltBrowserFrontend() and runStreaming() are Effects that depend rigidly on the global process instead of on supplied configuration.
Per the architectural rules: no process direct calls, or untyped environment access in product code; all such operations must be abstracted through Layer-based services.
Solution:
- Create a RuntimeConfig Layer with getEnv() and getCwd() methods
- Pass them as dependencies into the Effect.gen() functions instead of accessing process directly
- For the synchronous shouldUsePrebuiltBrowserFrontend(), either make it an Effect or pass the already-read value in from the calling code
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/app/src/docker-git/browser-frontend-prebuilt.ts` around lines 16 -
29, Refactor the direct process access calls in shouldUsePrebuiltBrowserFrontend
and ensurePrebuiltBrowserFrontend to use a Layer-based service instead of
calling process.env and process.cwd() directly. Create a RuntimeConfig Layer
that provides getEnv() and getCwd() methods, then update
shouldUsePrebuiltBrowserFrontend to either return an Effect that uses Effect.gen
to access the config service, or make it accept the environment value as a
parameter. For ensurePrebuiltBrowserFrontend, update the runCommandExitCode call
to obtain the cwd through the RuntimeConfig service via Effect.gen rather than
calling process.cwd() directly.
Source: Coding guidelines
| describe("changed-checks planner", () => { | ||
| it("skips docs-only changes", () => { | ||
| const result = plan("test", ["docs/process.md", "README.md"]) | ||
|
|
||
| expect(result.mode).toBe("skip") | ||
| expect(result.commands).toEqual([]) | ||
| }) | ||
|
|
||
| it("fails closed to a full run for root toolchain changes", () => { | ||
| const result = plan("test", ["bun.lock"]) | ||
|
|
||
| expect(result.mode).toBe("all") | ||
| expect(result.commands.map((command) => command.packageName)).toEqual([ | ||
| "@prover-coder-ai/docker-git-container", | ||
| "@prover-coder-ai/docker-git-session-sync", | ||
| "@effect-template/lib", | ||
| "@prover-coder-ai/docker-git-terminal", | ||
| "@effect-template/api", | ||
| "@prover-coder-ai/docker-git" | ||
| ]) | ||
| }) | ||
|
|
||
| it("runs normal lint only for the owning package", () => { | ||
| const result = plan("lint", ["packages/terminal/src/core/output-buffer.ts"]) | ||
|
|
||
| expect(result.mode).toBe("affected") | ||
| expect(result.commands).toEqual([ | ||
| { | ||
| args: ["run", "--filter", "@prover-coder-ai/docker-git-terminal", "lint"], | ||
| command: "bun", | ||
| packageName: "@prover-coder-ai/docker-git-terminal", | ||
| phase: "lint", | ||
| serial: false, | ||
| scriptName: "lint" | ||
| } | ||
| ]) | ||
| }) | ||
|
|
||
| it("adds test lint when a package test file changed", () => { | ||
| const result = plan("lint", ["packages/app/tests/docker-git/menu-create.test.ts"]) | ||
|
|
||
| expect(result.commands.map((command) => command.scriptName)).toEqual(["lint", "lint:tests"]) | ||
| }) | ||
|
|
||
| it("expands typecheck to transitive dependents", () => { | ||
| const result = plan("typecheck", ["packages/terminal/src/core/output-buffer.ts"]) | ||
|
|
||
| expect(result.commands.map((command) => command.packageName)).toEqual([ | ||
| "@prover-coder-ai/docker-git-terminal", | ||
| "@effect-template/api", | ||
| "@prover-coder-ai/docker-git" | ||
| ]) | ||
| }) | ||
|
|
||
| it("fails closed for unknown root files", () => { | ||
| const result = plan("lint:effect", [".editorconfig"]) | ||
|
|
||
| expect(result.mode).toBe("all") | ||
| expect(result.commands.length).toBeGreaterThan(1) | ||
| }) | ||
|
|
||
| it("marks package commands with pre-hooks as serial for local execution", () => { | ||
| const result = plan("typecheck", ["packages/app/src/web/api-http.ts"]) | ||
|
|
||
| expect(result.commands.find((command) => command.packageName === "@prover-coder-ai/docker-git")).toMatchObject({ | ||
| phase: "typecheck", | ||
| serial: true, | ||
| scriptName: "typecheck" | ||
| }) | ||
| }) | ||
|
|
||
| it("builds a GitHub matrix per affected package command", () => { | ||
| const result = plan("lint", [ | ||
| "packages/app/src/web/api-http.ts", | ||
| "packages/app/tests/docker-git/api-http.test.ts" | ||
| ]) | ||
|
|
||
| expect(createGithubMatrix(result)).toEqual({ | ||
| include: [ | ||
| { | ||
| label: "@prover-coder-ai/docker-git lint", | ||
| packageName: "@prover-coder-ai/docker-git", | ||
| script: "lint" | ||
| }, | ||
| { | ||
| label: "@prover-coder-ai/docker-git lint:tests", | ||
| packageName: "@prover-coder-ai/docker-git", | ||
| script: "lint:tests" | ||
| } | ||
| ] | ||
| }) | ||
| }) | ||
| }) |
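Review bot: `it("adds test lint when a package test file changed")` asserts only `["lint", "lint:tests"]` on `scriptName`, so a planner regression that routes `lint:tests` to a different package or changes `mode` still passes; assert the full command objects as the `runs normal lint only for the owning package` case does. Likewise `expect(result.commands.length).toBeGreaterThan(1)` in the `.editorconfig` case would accept a partial fallback; compare against the full package list the `bun.lock` case pins down.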
Property-based tests of the planner invariants are needed (plus a reproducer for the delete-only diff).
The suite is currently entirely example-based. For this file, add fc.property checks of the invariants (for example: docs-only ⇒ skip, unknown/global ⇒ all, and a delete-only change inside a package does not yield skip) and record the Proof of Fix for the deletion case that was found.
As per coding guidelines: **/*.test.{ts,tsx}: "Write property-based tests using fast-check (fc.property) ..."; and "Every bug fix must be accompanied by a reproducing test case ... document the Proof of Fix with root cause and solution".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/app/tests/docker-git/changed-checks.test.ts` around lines 95 - 187,
The test suite for the "changed-checks planner" describe block currently uses
only example-based tests and lacks property-based invariant testing. Add
property-based tests using fast-check's fc.property to verify three key
invariants: first, that docs-only file changes result in skip mode; second, that
unknown or global root file changes result in all mode; third, that delete-only
changes within a package do not produce skip mode (this should include a
specific reproducing test case for the delete-only diff bug that was
discovered). Ensure each property test documents the root cause and fix as a
comment following the coding guidelines for test files.
Source: Coding guidelines
| export const renderEntrypointProjectRuntimeEnv = (): string => | ||
| String.raw`# Publish runtime project identity into login and SSH environments. | ||
| DOCKER_GIT_PROJECT_PROFILE="/etc/profile.d/docker-git-project.sh" | ||
| { | ||
| printf "export TARGET_DIR=%q\n" "$TARGET_DIR" | ||
| printf "export REPO_URL=%q\n" "$REPO_URL" | ||
| printf "export REPO_REF=%q\n" "$REPO_REF" | ||
| printf "export FORK_REPO_URL=%q\n" "$FORK_REPO_URL" | ||
| } > "$DOCKER_GIT_PROJECT_PROFILE" | ||
| chmod 0644 "$DOCKER_GIT_PROJECT_PROFILE" | ||
| docker_git_upsert_ssh_env "TARGET_DIR" "$TARGET_DIR" | ||
| docker_git_upsert_ssh_env "REPO_URL" "$REPO_URL" | ||
| docker_git_upsert_ssh_env "REPO_REF" "$REPO_REF" | ||
| docker_git_upsert_ssh_env "FORK_REPO_URL" "$FORK_REPO_URL"` |
Do not persist REPO_URL and FORK_REPO_URL to env files without redacting secrets
At Line 71-73 and Line 77-79 the URLs are written as-is into /etc/profile.d/docker-git-project.sh and ~/.ssh/environment. If the URL contains userinfo (https://token@host/...), the token is persisted and can leak.
Possible fix
export const renderEntrypointProjectRuntimeEnv = (): string =>
String.raw`# Publish runtime project identity into login and SSH environments.
DOCKER_GIT_PROJECT_PROFILE="/etc/profile.d/docker-git-project.sh"
+docker_git_redact_url_userinfo() {
+ printf "%s" "$1" | sed -E 's#(https?://)[^/@]+@#\1#'
+}
+REPO_URL_SAFE="$(docker_git_redact_url_userinfo "$REPO_URL")"
+FORK_REPO_URL_SAFE="$(docker_git_redact_url_userinfo "$FORK_REPO_URL")"
{
printf "export TARGET_DIR=%q\n" "$TARGET_DIR"
- printf "export REPO_URL=%q\n" "$REPO_URL"
+ printf "export REPO_URL=%q\n" "$REPO_URL_SAFE"
printf "export REPO_REF=%q\n" "$REPO_REF"
- printf "export FORK_REPO_URL=%q\n" "$FORK_REPO_URL"
+ printf "export FORK_REPO_URL=%q\n" "$FORK_REPO_URL_SAFE"
} > "$DOCKER_GIT_PROJECT_PROFILE"
chmod 0644 "$DOCKER_GIT_PROJECT_PROFILE"
docker_git_upsert_ssh_env "TARGET_DIR" "$TARGET_DIR"
-docker_git_upsert_ssh_env "REPO_URL" "$REPO_URL"
+docker_git_upsert_ssh_env "REPO_URL" "$REPO_URL_SAFE"
docker_git_upsert_ssh_env "REPO_REF" "$REPO_REF"
-docker_git_upsert_ssh_env "FORK_REPO_URL" "$FORK_REPO_URL"`
+docker_git_upsert_ssh_env "FORK_REPO_URL" "$FORK_REPO_URL_SAFE"`
As per coding guidelines: **/*.{js,ts,jsx,tsx,py,java,go,rb,php,sh,bash,yml,yaml,json,env*,toml,cfg,config,dockerfile,dockerignore}: "Fail if changed files expose credentials, tokens, private-keys, or PII in source, generated config, logs, or CI output".
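Review bot: `sed -E 's#(https?://)[^/@]+@#\1#'` strips only the userinfo segment of `https?://` URLs, which covers the `https://token@host/...` case in the finding but nothing carried another way, and the result still lands in a `chmod 0644` profile readable by every user in the container. Pair the redaction with a templates test that renders the entrypoint for a constructed `token@` URL and asserts the token is absent from both the `printf "export ..."` lines and the `docker_git_upsert_ssh_env` calls, so the fix is pinned by a reproducing test as the guideline requires.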
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/container/src/core/templates-entrypoint/base.ts` around lines 66 -
79, The function renderEntrypointProjectRuntimeEnv is persisting REPO_URL and
FORK_REPO_URL directly to environment files without removing potentially
embedded credentials (like auth tokens in the format https://token@host). Before
writing these URLs to the DOCKER_GIT_PROJECT_PROFILE file or passing them to
docker_git_upsert_ssh_env calls, sanitize them by removing any userinfo
components that may contain sensitive credentials. Ensure the sanitized versions
are used in both the printf statements for the profile file and the
docker_git_upsert_ssh_env function calls for REPO_URL and FORK_REPO_URL.
Source: Coding guidelines
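A portable version of the redaction proposed above, as an added example that is not the PR's or the project's code. It assumes a token can only be embedded as userinfo in an http(s) URL (scp-style git@host:repo and ssh:// URLs are left alone because their user part is a login name, not a secret) and uses a single-quote wrapper (sh_quote, a constructed helper) in place of bash's %q so it runs under plain sh.

```shell
#!/bin/sh
# Added example (not the PR's or the project's code): redact userinfo from
# repository URLs before they are exported into a world-readable profile.
# Assumption: a token can only be embedded as "user[:token]@" in an http(s)
# URL; scp-style git@host:repo and ssh:// URLs are left alone because their
# user part is a login name, not a secret.

# Strip "user[:password]@" after an http(s) scheme; anything else passes through.
docker_git_redact_url_userinfo() {
  printf '%s' "$1" | sed -E 's#^(https?://)[^/@]+@#\1#'
}

# Constructed helper: single-quote a value for a profile line. The entrypoint
# template uses bash's %q; this wrapper does the same job under plain sh.
sh_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Render the profile body the way renderEntrypointProjectRuntimeEnv does,
# but from redacted REPO_URL / FORK_REPO_URL values.
# Usage: render_project_profile TARGET_DIR REPO_URL REPO_REF FORK_REPO_URL
render_project_profile() {
  printf 'export TARGET_DIR=%s\n' "$(sh_quote "$1")"
  printf 'export REPO_URL=%s\n' "$(sh_quote "$(docker_git_redact_url_userinfo "$2")")"
  printf 'export REPO_REF=%s\n' "$(sh_quote "$3")"
  printf 'export FORK_REPO_URL=%s\n' "$(sh_quote "$(docker_git_redact_url_userinfo "$4")")"
}

# Leak check: exit 0 if the rendered profile still contains the secret.
# Usage: profile_leaks_secret SECRET TARGET_DIR REPO_URL REPO_REF FORK_REPO_URL
profile_leaks_secret() {
  secret="$1"
  shift
  render_project_profile "$@" | grep -qF -- "$secret"
}
```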
| it("renders an explicit prebuilt image without a build section", () => { | ||
| const compose = renderDockerCompose( | ||
| makeTemplateConfig({ | ||
| imageName: "docker-git-e2e-project:latest" | ||
| }) | ||
| ) | ||
|
|
||
| expect(compose).toContain(" image: 'docker-git-e2e-project:latest'\n") | ||
| expect(compose).toContain(" pull_policy: never\n") | ||
| expect(compose).not.toContain(" build: .\n") | ||
| }) | ||
|
|
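Review bot: `expect(compose).not.toContain(" build: .\n")` only proves something if the default path really emits that exact string; add the mirror case (the same `makeTemplateConfig` without `imageName`) asserting that `build: .` is present and `pull_policy: never` is absent, so a renamed build key cannot make both branches pass vacuously.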
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check whether the file already has property-based tests for this invariant
rg -n --type=ts 'fc\.property|renderDockerCompose\(' packages/container/tests/core/templates.test.ts
Repository: ProverCoderAI/docker-git
Length of output: 848
🏁 Script executed:
#!/bin/bash
# Get the context around the target test at lines 984-995
sed -n '970,1005p' packages/container/tests/core/templates.test.ts | cat -n
echo "---"
# Get the context of a property-based test to compare the pattern
sed -n '450,480p' packages/container/tests/core/templates.test.ts | cat -n
Repository: ProverCoderAI/docker-git
Length of output: 3890
🏁 Script executed:
#!/bin/bash
# Найти все тесты с imageName в файле
rg -n -A5 -B1 'imageName' packages/container/tests/core/templates.test.ts | head -60
echo "---"
# Проверить структуру generatedTemplateConfigArbitrary
rg -n -A10 'generatedTemplateConfigArbitrary' packages/container/tests/core/templates.test.ts | head -40Repository: ProverCoderAI/docker-git
Length of output: 2265
🏁 Script executed:
#!/bin/bash
# Проверить регулярное выражение для docker image names
# Docker image names имеют формат: [REGISTRY_HOST[:REGISTRY_PORT]/]REPOSITORY[:TAG]
# Примеры валидных: "myimage:latest", "localhost:5000/myimage:v1.0", "gcr.io/project/image:tag"
# Найти как makeTemplateConfig обрабатывает imageName
rg -n -A15 'makeTemplateConfig.*\{' packages/container/tests/core/templates.test.ts | grep -A15 'imageName' | head -40
echo "---"
# Проверить функцию renderDockerCompose и как она обрабатывает imageName
rg -n -B5 -A20 'const renderDockerCompose' packages/container/tests/core/templates.test.ts | head -50Repository: ProverCoderAI/docker-git
Length of output: 691
🏁 Script executed:
#!/bin/bash
# Найти импорты и определение renderDockerCompose
rg -n 'renderDockerCompose|makeTemplateConfig' packages/container/tests/core/templates.test.ts | head -10
echo "---"
# Найти где определены эти функции (вероятно в других файлах)
fd -e ts -e js packages/container -type f | xargs rg -l 'export.*renderDockerCompose|export.*makeTemplateConfig' 2>/dev/null | head -5Repository: ProverCoderAI/docker-git
Length of output: 1004
🏁 Script executed:
#!/bin/bash
# Получить полное определение makeTemplateConfig (line 16-60)
sed -n '1,100p' packages/container/tests/core/templates.test.ts | cat -n
echo "---"
# Найти где определен TemplateConfig
rg -n 'type TemplateConfig|interface TemplateConfig' packages/container --type ts | head -5Repository: ProverCoderAI/docker-git
Length of output: 5399
🏁 Script executed:
#!/bin/bash
# Получить определение TemplateConfig и defaultTemplateConfig
sed -n '40,100p' packages/container/src/core/domain.ts | cat -n
echo "---"
# Получить полное определение renderDockerCompose
sed -n '1,80p' packages/container/src/core/templates/docker-compose.ts | cat -nRepository: ProverCoderAI/docker-git
Length of output: 5788
🏁 Script executed:
#!/bin/bash
# Получить больше из renderDockerCompose, найти логику для build vs image
sed -n '80,200p' packages/container/src/core/templates/docker-compose.ts | cat -n
echo "---"
# Найти где обрабатывается imageName в логике рендера
rg -n -B3 -A3 'imageName|build: \.' packages/container/src/core/templates/docker-compose.ts | head -50Repository: ProverCoderAI/docker-git
Length of output: 6117
Add a property-based check of the build/image selection invariant.
Right now the scenario is tested with a single fixed imageName, which is weak evidence for the render contract. A property-based test of the invariant is needed here: with an imageName set, image + pull_policy: never are always present and build: . is absent; without imageName, the reverse.
Recommended variant
+ it("preserves compose image/build invariants for arbitrary prebuilt image names", () => {
+ fc.assert(
+ fc.property(
+ fc.stringMatching(/^[a-z0-9][a-z0-9._/-]{0,60}:[a-zA-Z0-9._-]{1,40}$/),
+ (imageName) => {
+ const compose = renderDockerCompose(makeTemplateConfig({ imageName }))
+ expect(compose).toContain(` image: '${imageName}'\n`)
+ expect(compose).toContain(" pull_policy: never\n")
+ expect(compose).not.toContain(" build: .\n")
+ }
+ )
+ )
+ })
Per **/*.test.{ts,tsx}: write property-based tests using fast-check to verify mathematical invariants.
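Review bot: the property only pins the `imageName` half of the invariant stated in the comment; the converse (no `imageName` → `build: .` present, no `pull_policy: never`) is not asserted anywhere in the suggested test. Add a sibling check, e.g. `const plain = renderDockerCompose(makeTemplateConfig({}))` followed by `expect(plain).toContain(" build: .\n")` and `expect(plain).not.toContain(" pull_policy: never\n")`, so both branches of the selection are covered rather than only the one the original fixed-value test already exercised.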
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@packages/container/tests/core/templates.test.ts` around lines 984 - 995, The
test "renders an explicit prebuilt image without a build section" currently only
verifies a single hardcoded case. Replace or enhance this test to use
property-based testing with fast-check to verify the mathematical invariant for
build/image selection: when an imageName is provided to makeTemplateConfig, the
rendered compose output must always contain image and pull_policy: never while
never containing build: .; conversely, when no imageName is provided, the
opposite should hold. This approach will verify the contract across multiple
generated test cases rather than relying on a single fixed value.
Source: Coding guidelines
if (arg === "--concurrency") {
  parsed.concurrency = Math.max(1, Number.parseInt(rest[index + 1] ?? "4", 10) || 4)
  index += 1
  continue
}
if (arg === "--base") {
  parsed.base = rest[index + 1] ?? ""
  index += 1
  continue
}
if (arg === "--head") {
  parsed.head = rest[index + 1] ?? "HEAD"
  index += 1
Flags with a required value are accepted without validating the value.
For --concurrency, --base and --head a missing value (or a following flag token) is currently accepted silently, which makes the CLI behaviour ambiguous. Better to fail explicitly with a Missing value for ... error.
Proposed fix
+ const requireValue = (flagName) => {
+ const value = rest[index + 1]
+ if (value === undefined || value.startsWith("--")) {
+ throw new Error(`Missing value for ${flagName}`)
+ }
+ index += 1
+ return value
+ }
+
for (let index = 0; index < rest.length; index += 1) {
@@
if (arg === "--concurrency") {
- parsed.concurrency = Math.max(1, Number.parseInt(rest[index + 1] ?? "4", 10) || 4)
- index += 1
+ parsed.concurrency = Math.max(1, Number.parseInt(requireValue("--concurrency"), 10) || 4)
continue
}
if (arg === "--base") {
- parsed.base = rest[index + 1] ?? ""
- index += 1
+ parsed.base = requireValue("--base")
continue
}
if (arg === "--head") {
- parsed.head = rest[index + 1] ?? "HEAD"
- index += 1
+ parsed.head = requireValue("--head")
continue
}
🤖 Prompt for AI Agents
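Review bot: `requireValue` is declared before the `for (let index = 0; …)` loop yet reads and mutates `index`, which is block-scoped to that loop, so as written the closure throws a ReferenceError (or touches an unrelated outer `index`) on first use; move the helper inside the loop body or have it take and return the position, e.g. `const [value, next] = requireValue("--base", index)`. Separately, `Number.parseInt(requireValue("--concurrency"), 10) || 4` still silently turns a non-numeric value such as `--concurrency abc` into 4; since the purpose of the change is to stop accepting bad values, reject `NaN` there with the same explicit error.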
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@scripts/changed-checks.mjs` around lines 375 - 387, The flags
`--concurrency`, `--base`, and `--head` currently accept missing or invalid
values without validation, causing ambiguous CLI behavior. For each of these
three flag handlers in the argument parsing section, add validation to check
that the next argument exists in the rest array and is not another flag (does
not start with "--"), and throw an explicit error with the message "Missing
value for [flag-name]" if the validation fails. This validation should happen
before assigning the parsed value to ensure required arguments are always
provided.
const toRelativePath = (path) => {
  const relativePath = relative(repoRoot, path)
  return relativePath.length === 0 ? "." : relativePath
}

const fail = (message) => {
  console.error(message)
  process.exit(1)
}

const addExistingPath = (path) => {
  if (!existsSync(path)) {
    fail(`Missing E2E artifact path: ${path}`)
  }

  const relativePath = toRelativePath(resolve(repoRoot, path))
  if (!paths.has(relativePath)) {
    paths.add(relativePath)
    queue.push(relativePath)
  }
}
Restrict the packable paths to within repoRoot.
At Line 38-42 relative(repoRoot, realPath) can return ../... for a symlink outside the repository; that path then goes to tar -T (Line 119), which allows external files to be included in the artifact.
Proposed path-boundary fix
+const ensureInsideRepo = (absolutePath) => {
+ const rel = relative(repoRoot, absolutePath)
+ if (rel === ".." || rel.startsWith(`..${sep}`)) {
+ fail(`Path escapes repository root: ${absolutePath}`)
+ }
+}
+
const addExistingPath = (path) => {
if (!existsSync(path)) {
fail(`Missing E2E artifact path: ${path}`)
}
- const relativePath = toRelativePath(resolve(repoRoot, path))
+ const absolutePath = resolve(repoRoot, path)
+ ensureInsideRepo(absolutePath)
+ const relativePath = toRelativePath(absolutePath)
if (!paths.has(relativePath)) {
paths.add(relativePath)
queue.push(relativePath)
}
}
As per coding guidelines: "**/*.{py,js,ts,jsx,tsx,go,java,rb,php,sh,bash,c,cpp}: Fail if changed files introduce path traversal or writes outside intended project/container state directories".
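Review bot: `ensureInsideRepo` runs `relative()` on the `resolve()`d path, and `resolve()` does not follow symlinks, so the exact case the comment describes (a symlink inside the repo pointing outside, later fed to `tar -T`) still passes the check; call `realpathSync` on both `repoRoot` and `absolutePath` before comparing. Also add `isAbsolute(rel)` to the rejection condition (on Windows `relative()` across drives returns an absolute path rather than a `..`-prefixed one), and make sure `sep` is imported from `node:path` alongside `relative` and `resolve`, since the snippet uses it without showing the import.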
Also applies to: 55-64, 119-122
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@scripts/ci/pack-e2e-prebuilt.mjs` around lines 23 - 43, The addExistingPath
function resolves paths that may be symlinks, but does not validate that the
resolved path stays within the repoRoot boundary. This allows paths with `../`
to escape the repository and be included in the tar archive. After resolving the
path with resolve(repoRoot, path) and computing the relative path with
toRelativePath, validate that the resolved absolute path actually starts with
repoRoot (after normalization) before adding it to the paths collection. If the
resolved path is outside repoRoot, call fail to reject it with an appropriate
error message about path traversal.
Source: Coding guidelines
# CHANGE: provide a minimal npx shim for Bun-managed workspaces
# WHY: some tools (e.g. vibecode-linter) call `npx tsc` and should resolve the local workspace binary through Bun instead of downloading a similarly named package
# WHY: workspace tools that call `npx tsc` should resolve the local workspace binary through Bun instead of downloading a similarly named package
Documentation improved; however, the script contains a path traversal vulnerability.
The change to line 5 correctly clarifies the reason: it is now clear that the shim is intended for tools like npx tsc, which should resolve local binaries through Bun instead of downloading a package of the same name.
However, a critical defect: the $command_name variable (line 36) comes from the user without validation. On line 41 it is embedded into the path $search_dir/node_modules/.bin/$command_name. If npx ../../../bin/malicious is passed, the constructed path becomes /pwd/node_modules/.bin/../../../bin/malicious, which escapes node_modules/.bin/ and executes an arbitrary executable from the system.
The -x check (line 42) does not solve this: it only confirms that the file is executable, but does not restrict the reachable space.
Recommendation: add validation so that $command_name contains only letters, digits, hyphens and underscores (standard npm package names). Reject any paths with /, .., or other special characters.
🔒 Proposed fix: validate command_name
command_name="$1"
shift
+# CHANGE: validate command_name to prevent path traversal
+# WHY: reject commands with path separators, parent refs, or special chars that could escape node_modules/.bin/
+# INVARIANT: ∀ cmd: valid(cmd) → ¬(contains(cmd, '/') ∨ contains(cmd, '..') ∨ contains(cmd, '\'))
+case "$command_name" in
+ */*|*..*|*\\*|*:*)
+ echo "npx shim: invalid command name '$command_name'" >&2
+ exit 2
+ ;;
+esac
+
search_dir="$PWD"
🤖 Prompt for AI Agents
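Review bot: the `case` denylist is narrower than the allowlist the comment itself recommends (letters, digits, hyphen, underscore): an empty `$command_name` (no argument left after `shift`), names beginning with `-` (which then reach the `-x` test and the exec as an option), and other special characters all still fall through to the path construction. Match the stated intent with one positive pattern, e.g. `*[!A-Za-z0-9_-]*|""|-*) echo "npx shim: invalid command name '$command_name'" >&2; exit 2 ;;`, which rejects separators, parent references, the empty case and leading dashes in a single branch; the INVARIANT comment can then be stated as `valid(cmd) ↔ cmd matches ^[A-Za-z0-9_][A-Za-z0-9_-]*$` rather than as a list of excluded substrings.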
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@scripts/npx` at line 5, The script has a path traversal vulnerability where
the user-supplied command_name variable is embedded directly into the
node_modules/.bin path without validation, allowing attackers to use sequences
like ../ to escape the intended directory. Add validation to the $command_name
variable to ensure it only contains alphanumeric characters, hyphens, and
underscores before it is used in the path construction on line 41. Reject any
input containing forward slashes, double dots, or other special characters by
checking the variable against a whitelist pattern and exiting early if
validation fails.
Summary
docker compose up -d reuse mode instead of rebuilding.
Closes #432
Proof of fix
e2e-prepare build/upload stage for CLI/web, controller image, and project image. Fanout jobs download/load those artifacts and use DOCKER_GIT_E2E_PROJECT_IMAGE with compose reuse mode. Prebuilt-image reuse is fail-fast and cannot fall back to --build; entrypoint rewrites runtime project env and Codex resume hints for SSH sessions.
3d856f4ccc0b5b9ed7eaae7b03db3e81453d9790 completed successfully: Snapshot, Checking Dependencies, Final Build, and Check. Docker-heavy E2E fanout passed with E2E prepare building the project image once, then E2E (Browser command), E2E (OpenCode), E2E (Clone cache), E2E (Login context), E2E (Runtime volumes + SSH), and E2E (Clone auto-open SSH) all green.
Verification
bun run --cwd packages/container test -- tests/core/templates.test.ts
bun run --cwd packages/container lint
bun run --cwd packages/container build
bun run --cwd packages/lib test -- tests/usecases/projects-up.test.ts
bun run --cwd packages/lib lint
bun run --cwd packages/lib build
bun run --cwd packages/api test -- tests/projects.test.ts
bun run --cwd packages/api lint
bun run --cwd packages/api build
bun scripts/ci/build-e2e-project-image.ts --dry-run
git diff --check
3d856f4ccc0b5b9ed7eaae7b03db3e81453d9790: all PR checks completed successfully.
Local limitation: full Docker image build/load timing was verified by GitHub Actions rather than the local workspace.