From 8d2e428a937b2162e81e2842c742aacdd26cb51d Mon Sep 17 00:00:00 2001
From: seonghobae <8172694+seonghobae@users.noreply.github.com>
Date: Tue, 16 Jun 2026 05:08:44 +0000
Subject: [PATCH 1/4] Add test for _print_supabase_reminder
---
 tests/test_vibesec.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tests/test_vibesec.py b/tests/test_vibesec.py
index a5a41f9..c7ac81e 100644
--- a/tests/test_vibesec.py
+++ b/tests/test_vibesec.py
@@ -5,7 +5,7 @@ import pytest
-from scanner.cli.vibesec import _collect_files, _print_scan_results, _scan_file, cmd_init, cmd_scan
+from scanner.cli.vibesec import _collect_files, _print_scan_results, _scan_file, _print_supabase_reminder, cmd_init, cmd_scan
 MOCK_RULES = [ {
@@ -416,3 +416,13 @@ def test_sanitize_terminal_output(): # Test non-strings assert _sanitize_terminal_output(None) is None
+
+
+def test_print_supabase_reminder(capsys):
+ _print_supabase_reminder()
+ captured = capsys.readouterr()
+
+ assert "Supabase stack detected. Quick reminders:" in captured.out
+ assert "Enable RLS on every user-data table" in captured.out
+ assert "Use getUser() not getSession() on the server" in captured.out
+ assert "Keep SUPABASE_SERVICE_ROLE_KEY server-side only" in captured.out
From bc2caa136fd61bf1773155f0e80059f43b4d64c5 Mon Sep 17 00:00:00 2001
From: seonghobae <8172694+seonghobae@users.noreply.github.com>
Date: Tue, 16 Jun 2026 06:00:20 +0000
Subject: [PATCH 2/4] Add test for _print_supabase_reminder
From 51d2664cf3cde159efeb74e92dca38f77f5ee1ea Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 06:34:16 +0000
Subject: [PATCH 3/4] Remove duplicate merged test assertion
---
 tests/test_vibesec.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/test_vibesec.py b/tests/test_vibesec.py
index 63b3ab8..cfc60f0 100644
--- a/tests/test_vibesec.py
+++ b/tests/test_vibesec.py
@@ -520,7 +520,6 @@ def __iter__(self): files = list(_collect_files(tmp_path)) assert len(files) == 1 assert files[0].name == "file2.py"
- assert files[0].name == "file2.py"
 # --------------------------------------------------------------------------- # cmd_review tests # ---------------------------------------------------------------------------
From 71880b1985055a64b4e754d2bd711dbeedf18f2a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 16 Jun 2026 06:35:31 +0000
Subject: [PATCH 4/4] Fix opencode output path root check
---
 scripts/ci/opencode_review_normalize_output.py | 8 ++++++--
 .../ci/test_opencode_review_normalize_output.py | 13 ++++++++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/scripts/ci/opencode_review_normalize_output.py b/scripts/ci/opencode_review_normalize_output.py
index 7d2a797..92174c1 100755
--- a/scripts/ci/opencode_review_normalize_output.py
+++ b/scripts/ci/opencode_review_normalize_output.py
@@ -121,6 +121,10 @@ def iter_json_objects(text: str) -> list[Any]: return values
+def project_root() -> Path:
+ return Path(__file__).resolve().parents[2]
+
+
 def main(argv: list[str]) -> int: if len(argv) != 5: print(
@@ -132,9 +136,9 @@ def main(argv: list[str]) -> int: expected_head_sha, expected_run_id, expected_run_attempt, output_file_arg = argv[1:] output_file = Path(output_file_arg)
- project_root = Path.cwd().resolve()
+ root = project_root()
- if not output_file.resolve().is_relative_to(project_root):
+ if not output_file.resolve().is_relative_to(root):
 print(f"error: output file path {output_file_arg!r} is outside the project root", file=sys.stderr) return 65
diff --git a/tests/scripts/ci/test_opencode_review_normalize_output.py b/tests/scripts/ci/test_opencode_review_normalize_output.py
index 6926389..7fbc04f 100644
--- a/tests/scripts/ci/test_opencode_review_normalize_output.py
+++ b/tests/scripts/ci/test_opencode_review_normalize_output.py
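Review bot: `project_root()` has no docstring, and `parents[2]` hard-codes that this script sits exactly at `<root>/scripts/ci/`; since `main` now uses the result as the boundary of the output-path check, moving or copying the script shifts that boundary without any error. A docstring would make the assumption explicit, e.g. `"""Return the repository root, assuming this file lives at <root>/scripts/ci/."""`. If CI ever runs this script from a separate checkout or a copied location, the allowed root becomes that location rather than the working tree, which is worth confirming against the workflow that invokes it.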
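Review bot: In `main`, the path is resolved only inside the `if`, while `output_file` itself stays unresolved; the rest of `main` lies outside this hunk, so presumably the later I/O uses the unresolved path, and a symlink replaced between the check and the write would not be covered by the check. Resolving once and reusing the result narrows that gap and keeps the checked path and the used path identical: `output_file = Path(output_file_arg).resolve()` followed by `if not output_file.is_relative_to(root):`. The repository root is also a wide boundary (it includes `.git/` and workflow files); if the caller only ever writes to one directory, a narrower allowed prefix would be a tighter check.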
@@ -1,6 +1,6 @@
 import pytest
-from scripts.ci.opencode_review_normalize_output import valid_control
+from scripts.ci.opencode_review_normalize_output import main, valid_control
 def test_valid_control_approve(): value = {
@@ -164,3 +164,14 @@ def test_valid_control_invalid_findings(): finding[field] = " " val = dict(base, findings=[finding]) assert valid_control(val, expected_head_sha="sha", expected_run_id="id", expected_run_attempt="1") is None
+
+
+def test_main_rejects_output_file_outside_repo(monkeypatch, tmp_path, capsys):
+ monkeypatch.chdir(tmp_path)
+ output_file = tmp_path / "review.json"
+ output_file.write_text("{}", encoding="utf-8")
+
+ exit_code = main(["prog", "sha123", "run123", "1", str(output_file)])
+
+ assert exit_code == 65
+ assert "outside the project root" in capsys.readouterr().err
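Review bot: `test_main_rejects_output_file_outside_repo` only passes an absolute path under `tmp_path`, so the case that `.resolve()` in `main` exists for, a path that is lexically under the repository but resolves outside it, is not pinned. A second call such as `main(["prog", "sha123", "run123", "1", str(project_root() / ".." / "review.json")])` (with `project_root` imported from the module) asserting `65` would cover `..` segments. The test also assumes pytest's `tmp_path` lies outside the checkout; with a `--basetemp` inside the repository it would fail for a reason unrelated to the check, so a one-line comment stating that precondition would help.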