Skip to content

fix(commands): authorize intent routing before AI classification#5107

Merged
JSONbored merged 1 commit into
mainfrom
codex/fix-intent-routing-ai-authorization-issue
Jul 12, 2026
Merged

fix(commands): authorize intent routing before AI classification#5107
JSONbored merged 1 commit into
mainfrom
codex/fix-intent-routing-ai-authorization-issue

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • Prevent a pre-authorization AI-consumption path introduced by intent routing where unrecognized @gittensory mentions could trigger env.AI_ADVISORY.run before command authorization and per-actor throttling.
  • Ensure enabling advisoryAiRouting.intentRouting alone cannot create an unmetered cost-bearing surface when commandRateLimitPolicy is left off.

Description

  • Require the commenter to be authorized for at least one INTENT_ROUTABLE_COMMANDS entry before calling the intent classifier by checking isAuthorizedCommandActor over that closed set and only invoking maybeThrottleIntentRouting/classifyGittensoryIntent when authorized.
  • Treat intent-routing as throttled when commandRateLimitPolicy is off (make maybeThrottleIntentRouting return true for the off policy) so intent routing does not bypass rate-limit billing.
  • Reuse the pre-classification miner-detection (official) result and delay duplicate miner checks so the later real authorization step can reuse the same value rather than re-fetching.
  • Add/adjust unit test coverage and fixtures: update test/unit/queue-5.test.ts to include a regression test that an unauthorized commenter does not call AI_ADVISORY.run, enable the hold policy where needed, and extend the mention payload helper to allow custom commenter logins.

Testing

  • Ran the new regression test with npx vitest run test/unit/queue-5.test.ts -t "unauthorized commenters cannot spend" --reporter=verbose and it passed.
  • Type-checked the code with npx tsc --noEmit --pretty false which succeeded.
  • Verified no diff/check issues with git diff --check (no problems reported).

Codex Task

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jul 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.34%. Comparing base (810b203) to head (b4e9f69).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5107   +/-   ##
=======================================
  Coverage   94.33%   94.34%           
=======================================
  Files         473      473           
  Lines       39930    39936    +6     
  Branches    14559    14562    +3     
=======================================
+ Hits        37669    37676    +7     
  Misses       1585     1585           
+ Partials      676      675    -1     
Flag Coverage Δ
shard-1 46.33% <30.00%> (-0.01%) ⬇️
shard-2 34.43% <100.00%> (-0.25%) ⬇️
shard-3 31.22% <0.00%> (-0.82%) ⬇️
shard-4 32.66% <0.00%> (+0.71%) ⬆️
shard-5 33.66% <0.00%> (-0.10%) ⬇️
shard-6 45.08% <0.00%> (+0.20%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
src/queue/processors.ts 95.50% <100.00%> (+0.04%) ⬆️
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 11, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 11, 2026

Copy link
Copy Markdown

Caution

🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥🟥

🛑 Gittensory review result - fixes required

Review updated: 2026-07-12 08:35:23 UTC

2 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI failing · unstable

🛑 Suggested Action - Manual Review

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

Review summary
This closes a real pre-authorization AI-spend hole: the intent classifier for unrecognized @​gittensory mentions could previously fire before any per-actor authorization or rate-limit check, and `commandRateLimitPolicy: off` let it bypass throttling entirely. The fix requires the commenter to be authorized for at least one `INTENT_ROUTABLE_COMMANDS` entry (via `isAuthorizedCommandActor`) before calling `maybeThrottleIntentRouting`/`classifyGittensoryIntent`, and flips `maybeThrottleIntentRouting` to return `true` (blocking) when policy is `off`, plus reuses the pre-classification miner-detection result to avoid a duplicate fetch. The logic traces correctly end-to-end and a targeted regression test asserts `AI_ADVISORY.run` is never invoked for an unauthorized commenter, with existing intent-routing tests updated to set `commandRateLimitPolicy: hold` so they still exercise the classifier path.

Blockers

  • src/queue/processors.ts:12505: `authorizedForIntentRouting` calls `isAuthorizedCommandActor` without `commandRateLimitPolicy` and `pullRequestOpenAndNotDraft`, so a PR author who is authorized for an intent-routable command that depends on those fields, such as `chat`, is treated as unauthorized before classification and falls back instead of reaching the real authorization path; pass the same fields used by the later authorization call, e.g. `commandRateLimitPolicy: settings.commandRateLimitPolicy` and the computed open/non-draft PR boolean.
Nits — 5 non-blocking
  • The new `mentionPayload` still hardcodes `author_association: "OWNER"` regardless of the `commenter` override (test/unit/queue-5.test.ts:1150), so the 'unauthorized commenter' regression test relies on the mocked `/collaborators/.../permission` → "none" response rather than a genuinely non-owner association — worth varying the association with the commenter for clarity even though the live-permission mock makes the test pass correctly.
  • codecov/patch is at 80% against a 99% target for this diff; the `needsIntentMinerDetection` branch and the `official` reuse/no-reuse branches in maybeProcessGittensoryMentionCommand (src/queue/processors.ts) look like likely uncovered paths worth adding direct-unit coverage for.
  • The flagged possible secret at test/unit/queue-5.test.ts:1410 is almost certainly `generatePrivateKeyPem()` test fixture output, not a real credential, but worth a quick glance to confirm nothing static leaked in.
  • Add a unit test where `INTENT_ROUTABLE_COMMANDS.some(...)` returns true for a commenter authorized on a non-default command to confirm the `authorizedForIntentRouting` gate isn't accidentally too narrow.
  • Consider a short comment near the new `needsIntentMinerDetection`/`official` prefetch (src/queue/processors.ts:12492) noting it's an optimization only — the later block still safely refetches when `official` wasn't prefetched — to preempt confusion about the two-step computation.

Why this is blocked

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.

CI checks failing

  • codecov/patch — 80.00% of diff hit (target 99.00%)
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 45 registered-repo PR(s), 37 merged, 411 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 45 PR(s), 411 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ✅ Minor risk: clean · value: minor — Code changes are accompanied by test evidence.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 45 PR(s), 411 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 11, 2026
Requires the commenter be authorized for at least one INTENT_ROUTABLE_COMMANDS
entry before calling classifyGittensoryIntent (a cost-bearing local-AI call),
and changes maybeThrottleIntentRouting to treat commandRateLimitPolicy === "off"
as throttled (blocking) instead of not-throttled (previously allowing unmetered
spend when a repo hasn't configured rate limiting at all).

Adds regression coverage for the policy-off fail path, the confirmed-miner
own-PR authorization path, and the pullRequestAuthor null fallback when
neither the cached PR row nor the webhook issue carry a user login.
@JSONbored JSONbored force-pushed the codex/fix-intent-routing-ai-authorization-issue branch from 0961058 to b4e9f69 Compare July 12, 2026 08:40
@JSONbored JSONbored merged commit 3680301 into main Jul 12, 2026
17 checks passed
@JSONbored JSONbored deleted the codex/fix-intent-routing-ai-authorization-issue branch July 12, 2026 08:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aardvark codex gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant