ci/security/test: automated audit fixes for CodexAuditBridge #48

Merged: Pigbibi merged 1 commit into main from codex/audit-fix-20260702-0225 on Jul 1, 2026
Pigbibi (Contributor) commented Jul 1, 2026

Summary

  • Harden the Codex audit service source checkout path so clone failures become failed jobs instead of stuck running jobs.
  • Stop placing source repository tokens in clone URLs; use Git extraheader auth and redact clone errors before persisting job state.
  • Restrict the AI Gateway dashboard proxy to known read-only routes and preserve query strings.
  • Add regression coverage for audit service clone failures and dashboard route validation.

Problems found

  • Async audit jobs could remain running when source repository clone failed.
  • Clone error serialization could expose token-bearing clone URLs if git auth was embedded in the URL.
  • The dashboard /api/* proxy accepted arbitrary authenticated GET paths to the origin and dropped query strings used by dashboard time-window requests.

Fixes applied

  • Use GIT_CONFIG_* extraheader auth for service-side git clone.
  • Sanitize clone errors and persist failed job status on clone/subprocess failures.
  • Skip source checkout for explicit fake-output service tests.
  • Add dashboard API route allowlist and HTTPS origin enforcement.
  • Extend CI to run both Cloudflare Worker test suites.

Security impact

  • Reduces credential leakage risk in persisted job errors and polling responses.
  • Reduces dashboard-origin proxy surface to read-only metrics routes.
  • No secrets, tokens, credentials, or production configuration values were changed.

Architecture impact

  • Keeps existing async job contract and dashboard UI contract.
  • Adds narrow helper functions around service git auth and dashboard origin URL construction; no broad refactor.

Tests run

  • python3 -m ruff check .
  • python3 -m pytest tests -q
  • node --experimental-default-type=module --test cloudflare/codex-audit-proxy/tests/index.test.mjs
  • node --experimental-default-type=module --test cloudflare/ai-gateway-dash/tests/index.test.mjs
  • actionlint
  • git diff --check
  • python3 -m pip check
  • Targeted high-confidence secret scan on changed files

Failed or skipped checks with reasons

  • ruff format --check . was run and failed on existing repository-wide formatting drift across 21 files. CI does not currently enforce format; this PR avoids unrelated full-repo formatting churn.
  • Dependency vulnerability scan is not applicable because this repository has no Python or Node dependency manifest/lockfile.

Deployment notes

  • If the VPS service is deployed from main, redeploy it after merge to pick up service clone/error handling.
  • If the dashboard Worker is deployed from main, redeploy it after merge to enforce the new API route allowlist.

Rollback plan

  • Revert this commit to restore the previous clone and dashboard proxy behavior.
  • If redeployed, redeploy the previous known-good main commit.

Manual follow-up checklist

  • Confirm the VPS service environment uses CROSS_REPO_GIT_TOKEN or GH_TOKEN for source clone auth; do not use private-key material as a git token.
  • Consider adding a dedicated format gate in a separate formatting-only PR.
  • Consider SHA-pinning GitHub Actions in a separate supply-chain hardening PR.

Pigbibi added the codex, automated-audit, security, tests, ci and needs-review labels Jul 1, 2026
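
Added example, not the PR's code: one way a service-side clone like the one described above could pass a token through `GIT_CONFIG_*` extraheader settings (git 2.31+) and redact clone errors before they reach persisted job state. The GitHub host, the `x-access-token` Basic scheme, the dict-shaped `job` and every function name are assumptions.

```python
import base64
import os
import re
import subprocess

GIT_HOST = "https://github.com/"  # assumption: source repositories live on GitHub
_URL_USERINFO = re.compile(r"(https?://)[^/\s@]+@")
_AUTH_HEADER = re.compile(r"(authorization:\s*\w+\s+)\S+", re.IGNORECASE)


def git_auth_env(token, base_env=None):
    """Env that passes the token as an HTTP header via per-process git config."""
    env = dict(os.environ if base_env is None else base_env)
    basic = base64.b64encode(f"x-access-token:{token}".encode()).decode()
    env.update({
        "GIT_CONFIG_COUNT": "1",
        # Scoped to one host so the header is not sent anywhere else.
        "GIT_CONFIG_KEY_0": f"http.{GIT_HOST}.extraheader",
        "GIT_CONFIG_VALUE_0": f"Authorization: Basic {basic}",
        "GIT_TERMINAL_PROMPT": "0",  # fail fast instead of prompting
    })
    return env


def clone_argv(repo, dest):
    """Clone command with a credential-free URL; repo is 'owner/name'."""
    return ["git", "clone", "--depth", "1", "--", f"{GIT_HOST}{repo}.git", dest]


def sanitize_error(message, secrets=()):
    """Mask known secrets, URL userinfo and Authorization header values."""
    for secret in filter(None, secrets):
        message = message.replace(secret, "***")
    message = _URL_USERINFO.sub(r"\1***@", message)
    return _AUTH_HEADER.sub(r"\1***", message)


def checkout(job, repo, dest, token, run=subprocess.run):
    """Clone into dest; on any failure mark the job failed with a redacted error."""
    env = git_auth_env(token)
    secrets = (token, env["GIT_CONFIG_VALUE_0"].rsplit(" ", 1)[1])
    try:
        run(clone_argv(repo, dest), env=env, check=True,
            capture_output=True, text=True, timeout=300)
    except (subprocess.SubprocessError, OSError) as exc:
        detail = getattr(exc, "stderr", None) or str(exc)
        job.update(status="failed", error=sanitize_error(detail, secrets))
        return False
    return True
```

The `run` parameter exists only so the failure path can be exercised without network access; timeouts and a missing `git` binary take the same branch as a non-zero exit.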
github-actions Bot commented Jul 1, 2026

🤖 Codex PR Review

⚠️ Review skipped: The Codex review could not be completed.

Codex service request failed: 401 {"error": "OIDC workflow_ref is not allowed"}

Please ensure a human reviewer checks this PR before merging.

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4eef4c5648

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

const apiPath = path.slice(4);
try {
return await proxyAPI(apiPath, env);
return await proxyAPI(apiPath, url.search, env);
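
Review bot: the call that passes url.search hands the client's entire query string to proxyAPI unchanged, so any parameter a caller appends reaches the origin, not only the time-window parameter the dashboard sends. Since the route allowlist already lives on this path, validate the query per allowlisted route as well (accept only the expected keys and value shapes, drop or reject the rest) and add a test asserting that an unexpected parameter is not forwarded.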

[P1] Route effectiveness queries correctly

When the dashboard loads it calls /api/v1/ai/changes/effectiveness?days=90; forwarding url.search makes the origin receive /v1/ai/changes/effectiveness?days=90. The current VPS handler in service/ai_gateway_service.py:503 checks exact self.path == "/v1/ai/changes/effectiveness" before the generic /v1/ai/changes/ branch, so with a query it falls into change-detail lookup and returns 404. Because this call is part of the dashboard's Promise.all, that one 404 prevents all dashboard cards from rendering; please fix the origin router first or avoid forwarding the query for this route.

Useful? React with 👍 / 👎.
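
Added example, not code from this repository: the routing failure described in the review comment, reproduced with a hypothetical `route_exact`, beside a variant that matches on the parsed path so a forwarded query string no longer changes which branch runs. Function names, the `days` default and bounds, and the returned tuples are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

EFFECTIVENESS = "/v1/ai/changes/effectiveness"
CHANGE_PREFIX = "/v1/ai/changes/"


def route_exact(raw_path):
    """Compare the raw request target, query string included."""
    if raw_path == EFFECTIVENESS:
        return ("effectiveness", None)
    if raw_path.startswith(CHANGE_PREFIX):
        # "effectiveness?days=90" ends up here and is looked up as a change id.
        return ("change_detail", raw_path[len(CHANGE_PREFIX):])
    return ("not_found", None)


def route_parsed(raw_path, default_days=30, max_days=365):
    """Split off the query first, then match on the path component only."""
    parts = urlsplit(raw_path)
    if parts.path == EFFECTIVENESS:
        raw = parse_qs(parts.query).get("days", [str(default_days)])[-1]
        # Bounded ASCII integer only; anything else is rejected, not guessed.
        if not re.fullmatch(r"[0-9]{1,4}", raw) or not 1 <= int(raw) <= max_days:
            return ("bad_request", None)
        return ("effectiveness", int(raw))
    if parts.path.startswith(CHANGE_PREFIX):
        return ("change_detail", parts.path[len(CHANGE_PREFIX):])
    return ("not_found", None)
```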

Pigbibi removed the needs-review label Jul 1, 2026
Pigbibi merged commit 2f5cfe6 into main Jul 1, 2026
5 checks passed
Pigbibi deleted the codex/audit-fix-20260702-0225 branch July 1, 2026 18:44