Skip to content

fix(public-stats): redact sparse accuracy trend counts#4979

Open
JSONbored wants to merge 2 commits into
mainfrom
codex/propose-fix-for-accuracy-trend-exposure
Open

fix(public-stats): redact sparse accuracy trend counts#4979
JSONbored wants to merge 2 commits into
mainfrom
codex/propose-fix-for-accuracy-trend-exposure

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • Prevent an information disclosure where low-sample weekly accuracy buckets exposed merged, closed, and reversed counts that allow unauthenticated callers to reconstruct a suppressed accuracyPct for sparse weeks.
  • Preserve the existing public accuracy formula for sufficiently-sampled weeks while avoiding identifying low-volume maintainer/automation activity in sparse buckets.

Description

  • Redact raw counts for sparse weekly buckets by returning merged, closed, and reversed as null when (merged+closed) < MIN_ACCURACY_TREND_SAMPLE, implemented via publicBucketOf(...) and applied in buildPublicAccuracyTrend (src/services/public-accuracy-trend.ts).
  • Make PublicAccuracyTrendWeek fields nullable (merged, closed, reversed) and update the openapi/schema to accept nullable counts (src/openapi/schemas.ts and regenerated apps/gittensory-ui/public/openapi.json).
  • Add regression tests that assert redaction for low-sample own-ledger and Orb-fleet-only weeks and adapt existing route tests to the nullable shape (test/unit/public-accuracy-trend.test.ts, test/integration/public-stats-route.test.ts).
  • Regenerated UI OpenAPI JSON and Cloudflare worker runtime types to keep generated artifacts in sync (apps/gittensory-ui/public/openapi.json, worker-configuration.d.ts).

Testing

  • Ran npm run ui:openapi successfully to regenerate the UI OpenAPI artifact. (passed)
  • Built the engine with npm --workspace @jsonbored/gittensory-engine run build to ensure package parity. (passed)
  • Ran targeted test suites with Vitest: npx vitest run test/unit/public-accuracy-trend.test.ts test/integration/public-stats-route.test.ts and all tests in those files passed. (passed)
  • Ran the full local gate npm run test:ci and observed a failure during the unsharded coverage phase where several pre-existing queue sweep tests timed out in test/unit/queue.test.ts, causing the overall gate to fail. (failed during full test:ci coverage phase)
  • Attempted npm audit --audit-level=moderate but the registry audit endpoint returned 403 Forbidden, so dependency audit could not complete. (audit unavailable)

Codex Task

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 11, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
gittensory-ui 45f727f Commit Preview URL

Branch Preview URL
Jul 11 2026, 01:12 PM

@JSONbored JSONbored force-pushed the codex/propose-fix-for-accuracy-trend-exposure branch from e0f5903 to 45f727f Compare July 11, 2026 13:10
@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.18%. Comparing base (99c2429) to head (2e013dc).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4979   +/-   ##
=======================================
  Coverage   94.18%   94.18%           
=======================================
  Files         468      468           
  Lines       39616    39616           
  Branches    14456    14456           
=======================================
  Hits        37314    37314           
  Misses       1646     1646           
  Partials      656      656           
Flag Coverage Δ
shard-1 46.47% <0.00%> (-0.01%) ⬇️
shard-2 33.61% <100.00%> (-0.27%) ⬇️
shard-3 31.38% <0.00%> (-0.82%) ⬇️
shard-4 32.69% <0.00%> (+0.73%) ⬆️
shard-5 33.20% <0.00%> (-0.10%) ⬇️
shard-6 45.17% <100.00%> (+0.21%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
src/openapi/schemas.ts 100.00% <ø> (ø)
src/services/public-accuracy-trend.ts 100.00% <100.00%> (ø)
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 11, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 11, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-12 01:10:06 UTC

5 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI green · unstable

⏸️ Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

Review summary
This PR closes a real info-disclosure gap: sparse weekly accuracyTrend buckets (below MIN_ACCURACY_TREND_SAMPLE=3 decided PRs) previously exposed raw merged/closed/reversed counts even though accuracyPct was already nulled, letting a caller reconstruct low-volume maintainer/automation activity. The core fix in public-accuracy-trend.ts (publicBucketOf) is a clean, correct refactor that reuses the existing decided<MIN gate and nulls all three counts alongside accuracyPct, and schemas.ts/openapi.json are updated in lockstep with matching tests for the null and boundary-at-MIN cases. The gap is that the hand-maintained frontend type in proof-of-power-stats-model.ts (not touched by this diff) still declares accuracyTrend.merged/closed/reversed as non-nullable number, which is consistent with the reported validate/validate-code CI failures on this commit.

Blockers

  • apps/gittensory-ui/src/components/site/proof-of-power-stats-model.ts's PublicStats.accuracyTrend type still types merged/closed/reversed as plain `number`, but the API can now return `null` per this PR's redaction in src/services/public-accuracy-trend.ts — this mismatch lines up with the validate/validate-code failures reported in CI STATUS and needs to be updated to `number | null` to match src/openapi/schemas.ts.
  • apps/gittensory-ui/src/components/site/proof-of-power-stats-model.ts:28 still types accuracyTrend.merged/closed/reversed as number even though src/openapi/schemas.ts now returns number | null, so the UI model is stale and will misrepresent the public API contract; change those three fields to number | null, or remove the duplicate hand-written shape in favor of the generated OpenAPI type.
Nits — 5 non-blocking
  • worker-configuration.d.ts's +73/-18 (email reply builder, workflow delay-function typing, DO jurisdiction "us") looks like an unrelated @​cloudflare/workers-types bump pulled in incidentally rather than something the redaction fix required — consider splitting generated/toolchain regen from behavior changes in future PRs so reviewers aren't scanning unrelated type surface.
  • The updated comment in src/openapi/schemas.ts (public-accuracy-trend.ts:120ish) says null counts mean 'too few decided PRs' but doesn't explicitly restate that this also intentionally hides identifying low-volume activity — worth a one-line callout since that's the actual security rationale from the PR description.
  • Consider adding a test where reversed is nonzero in a sub-threshold bucket (e.g. merged:1, closed:1, reversed:5) to make sure reversed is null'd too, not just the all-zero/all-real cases currently covered.
  • Update PublicStats.accuracyTrend in apps/gittensory-ui/src/components/site/proof-of-power-stats-model.ts to `merged: number | null; closed: number | null; reversed: number | null;` to match the now-nullable openapi schema.
  • Audit src/review/public-stats.ts's byProject/totals for the same sparse-sample disclosure pattern this PR fixes for accuracyTrend, and file a follow-up if raw counts leak there too.

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 45 registered-repo PR(s), 37 merged, 415 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 45 PR(s), 415 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ✅ Minor risk: clean · value: minor — Code changes are accompanied by test evidence.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: Python, TypeScript, Ruby, Go, JavaScript, MDX, Shell, Solidity
  • Official Gittensor activity: 45 PR(s), 415 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

Visual preview
Route Viewport Before (production) After (this PR's preview) Diff
/ desktop before / after /
/ mobile before / (mobile) after / (mobile)

Click any thumbnail to open the full-size screenshot. Before = production · After = this PR's preview deploy.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 11, 2026
The rebase's own worker-configuration.d.ts regeneration (done to resolve a
merge conflict) picked up 176 lines of unrelated drift from this local
machine's wrangler/workerd cache being out of sync with whatever last
regenerated main's copy correctly. This PR has no legitimate reason to touch
this generated file at all -- copy main's exact, already-correct content
instead of regenerating it locally.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aardvark codex gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant