Skip to content

fix(chat): restrict grounding to public summaries#5106

Open
JSONbored wants to merge 1 commit into
mainfrom
codex/propose-fix-for-chat-vulnerability
Open

fix(chat): restrict grounding to public summaries#5106
JSONbored wants to merge 1 commit into
mainfrom
codex/propose-fix-for-chat-vulnerability

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • Prevent contributor-visible @gittensory chat prompts from including private agent decision-pack details (e.g. why/blockedBy) that could leak confidential readiness/credibility signals when a PR author is authorized to run chat.
  • Keep chat Q&A grounded in deterministic, public-safe facts while preserving the existing publicSafeSummary path for useful contributor guidance.

Description

  • Limit the chat grounding bundle in compactChatSignalBundle to include only actionType, status, and a redacted publicSafeSummary, removing the raw why and blockedBy arrays from the serialized prompt payload in src/services/ai-chat-qa.ts.
  • Update the ChatGroundingAction/bundle types and the prompt construction so the model never receives why/blockedBy fields.
  • Add regression unit tests in test/unit/ai-chat-qa.test.ts asserting that private rationale/blocker examples are omitted from the compacted grounding and that provider prompts no longer serialize "why" or "blockedBy".

Testing

  • Ran the targeted unit suite with npm test -- --run test/unit/ai-chat-qa.test.ts, and all tests in that file passed.
  • Ran static type checks with npm run typecheck, which passed without errors.
  • Ran a scoped coverage invocation npm run test:coverage -- --run test/unit/ai-chat-qa.test.ts; the targeted tests passed but the repository-wide coverage threshold caused the coverage command to fail due to global thresholds (this is expected when running a single-file scope in this repository).

Codex Task

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.20%. Comparing base (e04e847) to head (64869e5).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5106      +/-   ##
==========================================
- Coverage   94.20%   94.20%   -0.01%     
==========================================
  Files         470      470              
  Lines       39736    39734       -2     
  Branches    14501    14501              
==========================================
- Hits        37435    37433       -2     
  Misses       1645     1645              
  Partials      656      656              
Flag Coverage Δ
shard-1 46.40% <ø> (-0.02%) ⬇️
shard-2 33.64% <ø> (-0.22%) ⬇️
shard-3 31.36% <ø> (-0.80%) ⬇️
shard-4 32.77% <ø> (+0.96%) ⬆️
shard-5 33.44% <ø> (-0.10%) ⬇️
shard-6 45.10% <ø> (+0.20%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
src/services/ai-chat-qa.ts 98.70% <ø> (-0.04%) ⬇️
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 11, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 11, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-11 17:27:12 UTC

2 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI green · unstable

⏸️ Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

Review summary
This narrows the chat-Q&A grounding bundle to actionType/status/redacted publicSafeSummary, dropping raw why/blockedBy arrays that could leak private decision-pack rationale (blocker codes, credibility signals) into a contributor-visible prompt. The change is mechanical and consistent: the ChatGroundingAction type, compactChatSignalBundle, and buildChatPrompt's JSON.stringify output all agree on the narrower shape, and the updated tests assert both structural equality of the compacted bundle and absence of "why"/"blockedBy" keys in the serialized prompt sent to the provider. redactGroundingText and its private-term regexes are untouched, so existing redaction of anything still surfaced (objective, summary, publicSafeSummary, freshnessWarnings) is preserved.

Nits — 5 non-blocking
  • The PR description doesn't cite a linked issue number (only references prior PR feat(commands): add @gittensory chat <question> — grounded LLM Q&A via local Ollama #4595 in comments) — confirm this closes a tracked issue per repo convention.
  • test/unit/ai-chat-qa.test.ts:bundleFixture still builds action.why/blockedBy fixture data even though they're now always stripped from output — fine for now since AgentRunBundle's action type still carries them, but worth a comment noting they're intentionally retained only as compaction-input fixtures.
  • Consider a short code comment at the ChatGroundingAction type definition (src/services/ai-chat-qa.ts:66) explicitly stating why/blockedBy are excluded by design, so a future edit doesn't accidentally re-add them without re-reading the redaction rationale in the nearby comment block.
  • PR description: nit: please add an explicit eligible issue link or closing reference for this change; the diff references `feat(commands): add @gittensory chat <question> — grounded LLM Q&A via local Ollama #4595` in existing comments/tests, but the PR body itself only links a Codex task.
  • src/services/ai-chat-qa.ts:186: nit: `publicSafeSummary` is still included even when redaction trims it to an empty string, so consider filtering empty summaries or falling back to a generic public-safe action label if empty summaries are possible.

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 45 registered-repo PR(s), 37 merged, 414 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 45 PR(s), 414 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ✅ Minor risk: clean · value: minor — Code changes are accompanied by test evidence.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 45 PR(s), 414 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aardvark codex gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant