
[codex] harden OpenCode agent evidence gate#14

Merged: seonghobae merged 1 commit into main from codex/opencode-agent-evidence-gate on Jun 21, 2026

Conversation

@seonghobae

Contributor

What changed

Rolls out the OpenCode agent hardening validated in ContextualWisdomLab/naruon.

  • Adds the candidate guidance adapted from im-not-ai, ponytail, code-review-graph, and KKTV to the OpenCode review prompt without adding new runtime dependencies.
  • Requires OpenCode APPROVE summaries to name at least one exact changed file/path inspected as evidence.
  • Rejects APPROVE payloads that claim no changes/no files/no actionable changes were found.
  • Rejects APPROVE payloads that omit concrete changed-file evidence.
  • Rejects boolean finding line values (true/false) as invalid source line numbers.
  • Adds KISA/CWE-style naming guidance only when Strix or failed-check evidence supports it.

Validation

  • python3 -m py_compile scripts/ci/opencode_review_normalize_output.py
  • actionlint -shellcheck= -pyflakes= .github/workflows/opencode-review.yml
  • git diff --check
  • Direct normalizer regressions: file/path-less APPROVE returns exit code 4; path-backed APPROVE returns 0; boolean finding line returns exit code 4.

Strix execution is not added to repos that do not already have Strix. Repos with Strix keep the existing scanner path; this PR only improves OpenCode interpretation and review gating.
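As an added illustration (not the PR's own normalizer script), a minimal evidence gate that applies the rules listed in the description: an APPROVE must quote an exact changed path, must not claim that nothing was changed, and boolean finding line values are rejected. The JSON control-block shape, the `changed_files` input, the helper names and the handling of non-APPROVE results are assumptions.

```python
import json
import re
from typing import Any, Iterable

EXIT_OK = 0       # path-backed APPROVE, as in the PR's validation notes
EXIT_REJECT = 4   # evidence-less APPROVE or bad finding line, as in the PR's validation notes

# Claims that the agent saw nothing to review make an APPROVE untrustworthy.
NO_EVIDENCE_PHRASES = re.compile(
    r"\bno (?:changes|files|actionable changes)\b", re.IGNORECASE
)


def approve_names_changed_file(summary: str, changed_files: Iterable[str]) -> bool:
    """True when the summary quotes at least one exact changed path."""
    return any(path in summary for path in changed_files)


def valid_finding_line(value: Any) -> bool:
    """Source lines must be positive ints; bool is an int subclass, so exclude it explicitly."""
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def gate(control_json: str, changed_files: list[str]) -> tuple[int, str]:
    """Return (exit_code, reason) for an agent control block. Assumed shape:
    {"result": ..., "summary": ..., "findings": [{"line": ..., ...}]}."""
    try:
        block = json.loads(control_json)
    except json.JSONDecodeError as exc:
        return EXIT_REJECT, f"control block is not parseable JSON: {exc}"
    for finding in block.get("findings", []):
        if not valid_finding_line(finding.get("line")):
            return EXIT_REJECT, f"invalid finding line: {finding.get('line')!r}"
    if block.get("result") != "APPROVE":
        # Assumption: non-APPROVE results are passed through unchanged here.
        return EXIT_OK, "non-APPROVE result: evidence checks not applied"
    summary = block.get("summary", "")
    if NO_EVIDENCE_PHRASES.search(summary):
        return EXIT_REJECT, "APPROVE claims nothing was changed"
    if not approve_names_changed_file(summary, changed_files):
        return EXIT_REJECT, "APPROVE names no exact changed file path"
    return EXIT_OK, "APPROVE backed by changed-file evidence"


if __name__ == "__main__":
    # Constructed sample: the two files this PR touches and a path-less APPROVE.
    files = [".github/workflows/opencode-review.yml",
             "scripts/ci/opencode_review_normalize_output.py"]
    print(gate('{"result": "APPROVE", "summary": "Looks good."}', files))
```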

@github-actions

github-actions Bot commented Jun 21, 2026

Contributor

OpenCode Review Overview

  • Head SHA: e71bcb2b1034985cba4d3b5c35a7df9cdcc81475
  • Workflow run: 27911979559
  • Workflow attempt: 1
  • Gate result: APPROVE (exit 0)

But note: the reason and summary must be short.

Also, the summary must include at least one exact changed file path. We have included two.

We are confident because:

  • The changes are in CI configuration and a support script, which are low risk.
  • The code changes are clear and focused.
  • The regex and phrase list are static and safe.

Therefore, we return the above.

However, note: the instructions say to return only the review body, which is the control block and the gate.

We must not include any other text.

So we output:

But note: the control block must be parseable JSON. We have written it without extra spaces? Actually, we can write it without pretty-printing to save space.

However, the example in the prompt does not pretty-print.

We'll write it in one line.

But note: the example in the prompt is pretty-printed? Actually, it is not. It is a string of JSON.

We'll write:

But note: the reason and summary must be short. Our reason is 45 characters and summary is 150 characters. That's acceptable.

However, the summary mentions two files, which is acceptable.

We are done.

@opencode-agent opencode-agent Bot left a comment


OpenCode Agent approved this PR.

Inspected changes to .github/workflows/opencode-review.yml and scripts/ci/opencode_review_normalize_output.py. The changes improve the review process by enforcing structural review and evidence of changed file inspection.

  • Result: APPROVE
  • Reason: PR enhances OpenCode review with additional instructions and stricter output validation
  • Head SHA: 1d7a6ada986c9b5d0ee8676d9eebf2feff1ddc4a
  • Workflow run: 27911446732
  • Workflow attempt: 1

@seonghobae seonghobae force-pushed the codex/opencode-agent-evidence-gate branch from 1d7a6ad to 01a36e6 on June 21, 2026 17:24
opencode-agent Bot previously approved these changes Jun 21, 2026

@opencode-agent opencode-agent Bot left a comment


OpenCode Agent approved this PR.

Inspected changes to .github/workflows/opencode-review.yml and scripts/ci/opencode_review_normalize_output.py. The updates include additional validation for structural review and file evidence, with no security or regression risks identified.

  • Result: APPROVE
  • Reason: No blockers found in the changes to the OpenCode review workflow and normalization script.
  • Head SHA: 01a36e6eccd95987331aed6eeb34f9ec0816b764
  • Workflow run: 27911921901
  • Workflow attempt: 1

@opencode-agent opencode-agent Bot left a comment


OpenCode Agent approved this PR.

Inspected changes to .github/workflows/opencode-review.yml and scripts/ci/opencode_review_normalize_output.py. Added validation rules prevent structural review bypass and ensure file evidence in approvals. No security, privacy, or functional regressions found.

  • Result: APPROVE
  • Reason: Enhancements improve review validation without introducing risks
  • Head SHA: e71bcb2b1034985cba4d3b5c35a7df9cdcc81475
  • Workflow run: 27911979559
  • Workflow attempt: 1

@seonghobae seonghobae merged commit a57837f into main Jun 21, 2026
1 check passed
@seonghobae seonghobae deleted the codex/opencode-agent-evidence-gate branch June 21, 2026 17:28