Skip to content

ci/security/test: automated audit fixes for QuantStrategyPlugins#34

Merged
Pigbibi merged 1 commit into
mainfrom
codex/audit-fix-20260702-0331
Jul 1, 2026
Merged

ci/security/test: automated audit fixes for QuantStrategyPlugins#34
Pigbibi merged 1 commit into
mainfrom
codex/audit-fix-20260702-0331

Conversation

@Pigbibi

@Pigbibi Pigbibi commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

Automated audit fixes for QuantStrategyPlugins focused on safe audit logging, PR static guard secret redaction, and CI quality gates.

Problems found

  • scripts/gate_codex_app_review.py reported the matched hardcoded-secret snippet in check output, which can leak the suspected secret value into CI logs or PR diagnostics.
  • ai_audit scrubbed common API key/header shapes, but did not redact assignment-style secret text such as api_key=..., token=..., or password=... in network errors, gateway fallback logs, and AI audit failure summaries.
  • CI ran tests and Ruff but did not check installed dependency consistency or package buildability.

Fixes applied

  • Redacted static-gate hardcoded-secret findings to field=<redacted> while preserving the file path and field name for review.
  • Extended AI audit error scrubbing for assignment-style sensitive fields and applied it to network errors, gateway warning logs, and failure summaries.
  • Added regression tests for gate and AI audit redaction behavior.
  • Added CI pip check and package build gates; added build to the test extra only.

Security impact

  • Prevents suspected secret values from being echoed by the PR static guard.
  • Reduces risk of AI provider/gateway errors leaking tokens or passwords into logs/artifacts.
  • No production secrets, credentials, cloud permissions, or trading permissions were changed.
  • Local high-confidence literal secret scan found no committed secrets.
  • pip-audit found no known vulnerabilities in the installed local environment.

Architecture impact

  • No public plugin API changes intended.
  • No behavior change to strategy signal generation, routing, or live eligibility decisions.
  • CI now better reflects package release health by verifying buildability.

Tests run

  • actionlint
  • .venv/bin/python -m pip check
  • .venv/bin/ruff check .
  • .venv/bin/python -m pytest -q88 passed
  • .venv/bin/python -m build
  • uvx pip-audit --path .venv
  • high-confidence literal secret scan (values suppressed)
  • git diff --check

Failed or skipped checks with reasons

  • No mypy/pyright config was found, so Python static type checking was not run.
  • python -m build succeeds but emits a setuptools deprecation warning for project.license table syntax; left as follow-up to avoid raising the build backend requirement in this security/CI patch.

Deployment notes

  • This package has no deployment workflow. Merge only after required GitHub Actions checks pass.
  • No production runtime configuration or secrets were modified.

Rollback plan

  • Revert the merge commit from main.
  • Re-run CI on main.
  • No cloud resource rollback is required for this repository.

Manual follow-up checklist

  • Decide whether to update pyproject.toml license metadata and raise the setuptools build-system minimum before 2027-02-18.
  • Consider adding a scheduled dependency audit workflow once dependency pinning/lock strategy is defined.
  • Consider extracting shared secret-redaction helpers into a stable shared package API after multiple repositories converge on the same behavior.

@Pigbibi Pigbibi added codex AI Codex operations automated-audit Automated repository audit security Security review and hardening tests Test coverage or validation ci Continuous integration changes needs-review Requires human review labels Jul 1, 2026
@chatgpt-codex-connector

This comment has been minimized.

@Pigbibi Pigbibi force-pushed the codex/audit-fix-20260702-0331 branch from bc81f35 to a898912 Compare July 1, 2026 19:40
@Pigbibi Pigbibi added auto-merge-ok Safe to auto-merge and removed needs-review Requires human review labels Jul 1, 2026
@Pigbibi Pigbibi merged commit 772eb0c into main Jul 1, 2026
2 checks passed
@Pigbibi Pigbibi deleted the codex/audit-fix-20260702-0331 branch July 1, 2026 19:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

auto-merge-ok Safe to auto-merge automated-audit Automated repository audit ci Continuous integration changes codex AI Codex operations security Security review and hardening tests Test coverage or validation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant