Enable production decision metrics and tests#16
Closed
DevOpsMadDog wants to merge 1 commit into
Closed
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting
Comment on lines
+165
to
+170
| @staticmethod | ||
| async def _count(session: AsyncSession, column) -> int: | ||
| """Count rows for a given column without pulling entire tables.""" | ||
|
|
||
| result = await session.execute(select(func.count()).select_from(column.table)) | ||
| return int(result.scalar() or 0) |
There was a problem hiding this comment.
The new _count() helper calls select(func.count()).select_from(column.table) after being passed values such as SecurityFinding.id and PolicyRule.id. These arguments are SQLAlchemy InstrumentedAttribute descriptors, which do not expose a table attribute, so the call will raise AttributeError: 'InstrumentedAttribute' object has no attribute 'table' the first time collect() runs. That means production metrics cannot be returned. The helper should derive the table from the mapped class (e.g. column.property.columns[0].table or model.__table__) instead of using the descriptor directly.
Useful? React with 👍 / 👎.
DevOpsMadDog
added a commit
that referenced
this pull request
May 1, 2026
…— Phase 3 cluster S19 Patch+SOAR
Folds 3 standalone remediation-automation dashboards into a single tabbed
Automation & Orchestration Hub at /remediate/automation per
docs/UX_CONSOLIDATION_PLAN_2026-04-26.md §2.19 (S19 Remediation Center —
Automation/Orchestration sub-cluster):
tab | source page | endpoint
-------------|----------------------------|----------------------------------------------
patch | PatchManagementDashboard | /api/v1/patch-management/{patches,stats}
prioritize | PatchPrioritizer | /api/v1/patch-automation/{patches,stats}
soar | SOARDashboard | /api/v1/soar/{stats,playbooks,executions,mttr}
Old routes /patch-management, /patch-prioritizer, /soar redirect with ?tab=
to preserve deep-links (Cycode-style migration safety per §6.1).
Source pages preserved as-is (lazy-imported by hub) so all behavior, API
calls, loading/error/empty states, and form interactions continue to work.
Top-of-file FOLDED markers added to each source for git history.
Persona target: Remediation Engineer (#15), SOC T2 (#6), Platform Eng (#16).
Pattern verified working across 27 prior hub folds (ThreatActorsHub,
ForensicsHub, FinanceHub, etc.).
Plan: docs/UX_CONSOLIDATION_PLAN_2026-04-26.md §2.19
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DevOpsMadDog
added a commit
that referenced
this pull request
May 1, 2026
…S9 (Asset metadata)
Folds 3 asset-metadata pages into a single tabbed hero per
docs/UX_CONSOLIDATION_PLAN_2026-04-26.md §2.9.
tab | source page | endpoint
-------------|------------------------------|----------------------------------------------
groups | AssetGroupsDashboard | /api/v1/asset-groups/groups
tags | AssetTagsDashboard | /api/v1/asset-tags/{tags,stats}
criticality | AssetCriticalityDashboard | /api/v1/asset-criticality/*
Wiring:
- App.tsx: add lazy import for AssetInventoryHub
- App.tsx: canonical route /discover/assets/inventory -> AssetInventoryHub
- App.tsx: 3 standalone routes (/asset-groups, /asset-tags, /asset-criticality)
converted to <Navigate ... ?tab=...> redirects (90-day muscle-memory preserved)
- 3 source pages: FOLDED markers added at top
Verification (Playwright, dev server :5173):
- Hub renders at /discover/assets/inventory?tab=groups (default)
- All 3 redirects land on hub with correct ?tab= query
- 16 real /api/v1/* calls fired on mount (asset-groups, asset-tags/tags,
asset-tags/stats, asset-criticality/*)
- Zero mock signatures (no MOCK_, lorem, Acme Corp, John Doe, demo-org)
- Console errors benign: 401s from headless (no auth token) + a pre-existing
unique-key warning in AssetGroupsDashboard (not introduced here)
- Screenshot: docs/ui-snapshots/ux-consolidation-asset-inventory-2026-05-02.png
Persona target: Asset Owner (#15), GRC Analyst (#12), Platform Eng (#16)
NO MOCKS rule satisfied per CLAUDE.md.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DevOpsMadDog
added a commit
that referenced
this pull request
May 1, 2026
… API Security
Folds 3 standalone API security pages into a single tabbed hero per
docs/UX_CONSOLIDATION_PLAN_2026-04-26.md §2.10:
inventory | APISecurityDashboard | /api/v1/api-security/{inventory,vulns,anomalies}
management | APISecurityMgmtDashboard | /api/v1/api-security-engine/{stats,endpoints,abuse-events,scans}
discovery | APIDiscoveryDashboard | /api/v1/api-discovery/{stats,endpoints}
Route: /discover/api-security (canonical, ?tab= sync)
Old routes redirect:
/api-security -> /discover/api-security?tab=inventory
/api-security-mgmt -> /discover/api-security?tab=management
/api-discovery -> /discover/api-security?tab=discovery
Persona target: AppSec Engineer (#10), API Owner (#16), Sec Architect (#11).
Playwright verify (chromium domcontentloaded, 5173): 3 canonical tabs each
hit 7 / 9 / 5 real /api/v1/* calls; zero mock signatures; full-page screenshot
saved to docs/ui-snapshots/ux-consolidation-api-security-hub-2026-05-02.png.
(Note: /api-* old-route redirects are intercepted by Vite's `/api` dev proxy
to uvicorn — known infra quirk, not a regression of this fold; in built/prod
no proxy applies and the Navigate redirects work as expected.)
Source pages already carry top-of-file `// FOLDED into APISecurityHub` markers.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DevOpsMadDog
added a commit
that referenced
this pull request
May 1, 2026
… 3 cluster S27 Webhook+Ingestion Health Folds 3 standalone webhook + connector-pipeline pages into a single tabbed hero per docs/UX_CONSOLIDATION_PLAN_2026-04-26.md §2.27 (S27 Integrations Hub — Webhook & Integration Health sub-cluster). tab | source page | endpoint -----------|--------------------------------|---------------------------------------------- catalogue | WebhookEventCatalogExplorer | GET /api/v1/webhooks/event-catalogue retry | WebhookRetryConsole | GET /api/v1/webhooks/retry-queue dry-run | UniversalIngestionTester | POST /api/v1/connectors/mapping/dry-run Canonical route: /connect/webhook-ingestion Persona target: DevOps Engineer (#18), Automation Eng (#25), SRE (#19), Backend Eng (#16) Old routes redirected (replaces stale /admin?tab=webhooks redirects + the standalone /connectors/mapping/dry-run route): - /webhooks/event-catalogue → /connect/webhook-ingestion?tab=catalogue - /webhooks/retry-queue → /connect/webhook-ingestion?tab=retry - /connectors/mapping/dry-run → /connect/webhook-ingestion?tab=dry-run Source pages preserved with `// FOLDED` headers (git-history intact, lazy-imported into hub so all real /api/v1/* calls + 501-graceful handling continue working). Verified per CLAUDE.md NO MOCKS rule: - Vite dev server returns 200 for /connect/webhook-ingestion (port 5173) - Hub module compiles cleanly (no TS errors against tsconfig.app.json) - All 3 folded pages already use real apiFetch against /api/v1/* endpoints Multica: #3657 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DevOpsMadDog
added a commit
that referenced
this pull request
May 2, 2026
…endpoints Closed in this batch (class-c structured-empty envelope upgrade): - /api/v1/intel-enrichment/requests #6: canonical envelope shipped - /api/v1/risk-treatment/treatments #9: canonical envelope shipped - /api/v1/security-budget/allocations #11: canonical envelope shipped - /api/v1/access-requests/requests #12: canonical envelope shipped - /api/v1/cloud-governance/policies #16: canonical envelope shipped - /api/v1/security-chaos/experiments #26: canonical envelope shipped Pattern (class-c): all six list endpoints upgraded from minimal {items, total, hint} to the canonical batch-6 envelope: { "items": [...], "<legacy_key>": [...], # back-compat (requests/treatments/etc.) "total": int, "org_id": str, "limit": int, # ge=1, le=500 — defaults to 50 "offset": int, # ge=0 — defaults to 0 "filters_applied": {...} # echoes every filter param (None if unset) "hint": str # only present when total == 0 } Each endpoint now (1) accepts limit + offset query params with FastAPI ge/le validation, (2) echoes every filter back into filters_applied even when None (no missing keys), (3) always returns the full envelope shape even on hit (legacy clients keep their original key, new clients use items + pagination context), (4) preserves the actionable empty-state hint with a "this is correct for fresh tenants" framing. Verified: pytest tests/test_empty_endpoints_batch6.py 9/9 PASS. Beast Mode regression on phase4/phase7/trustgraph/pipeline_api: 170/170 PASS. Triage doc updated; class-c tally now 6 closed / 6 minor open. Total empty-endpoint progress: 17/29 closed across batches. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DevOpsMadDog
added a commit
that referenced
this pull request
May 2, 2026
Per HANDOFF §15 safe-template (proven by Wave-B-pilot f72f5d1 + batch-2 eef79d6 + Wave-C-pilot 874399e). Each verified strict byte-equivalent (same prefix, same dependencies, same args) before delete. grc_app.py keeps canonical mount. Routers cleaned (kept canonical in grc_app.py, deleted from app.py): 1. data_security_router app:5491 EQ grc:901 (dep=_verify_api_key) 2. grc_router app:5809 EQ grc:328 (dep=_verify_api_key) 3. security_metrics_collector_router app:5911 EQ grc:605 (dep=_verify_api_key) 4. security_champions_router app:6040 EQ grc:559 (no deps) 5. policy_router app:6060 EQ grc:543 (no deps) 6. security_playbook_router app:6067 EQ grc:551 (no deps) 7. scheduled_reports_router app:6088 EQ grc:464 (no deps) 8. identity_governance_router app:6143 EQ grc:566 (no deps) 9. security_maturity_router app:6150 EQ grc:574 (no deps) 10. compliance_evidence_router app:6208 EQ grc:448 (no deps) 11. _evidence_chain_late app:6245 EQ grc:440 (no deps; late variant) 12. security_metrics_dashboard_router app:6290 EQ grc:589 (no deps) 13. kpi_tracking_router app:6297 EQ grc:597 (no deps) 14. risk_aggregator_router app:6317 EQ grc:581 (no deps) 15. fedramp_router app:7404 EQ grc:821 (dep=_verify_api_key) 16. license_compliance_router app:7415 EQ grc:949 (dep=_verify_api_key; log-string only diff) 17. regulatory_tracker_router app:7446 EQ grc:813 (dep=_verify_api_key; log-string only diff) 18. trust_center_router app:7471 EQ grc:621 (no deps; log-string only diff) 19. kpi_router app:5031 EQ grc:234 (no deps) 20. compliance_router app:6048 EQ grc:456 (no deps) For #16/17/18 the log strings differ between app.py and grc_app.py (e.g. /api/v1/regulatory vs /api/v1/regulatory-tracker), but the actual APIRouter prefix is defined in the router module itself — confirmed by inspecting trust_center_router.py / regulatory_tracker_router.py / license_compliance_router.py which use prefix="/api/v1/trust", "/api/v1/regulatory", "/api/v1/licenses" respectively. Log strings in grc_app.py are stale documentation, not actual mount changes. Net: app.py 7687 -> 7580 LOC (-107 LOC). Total app.routes: 8386 -> 8176 (-210 silent dups; ~10.5/router). Each cleaned router still has >=2 refs in grc_app.py (verified). Regression: 351/351 PASS (test_phase4/5/6/7/9/pipeline_api/trustgraph). Skipped (not strict byte-equivalent — auth-tightening): 57 routers where grc_app adds dependencies=[Depends(_verify_api_key)] but app.py mount is unauthenticated. Deleting the unauth app.py mount would CLOSE an auth bypass — proposed for Wave-B-batch-3b (security-tightening cleanup, needs separate review). Backlog: 59 remaining app<->grc (57 auth-mismatch + 2 prefix-different) + ~104 app<->ctem (Wave-C continues). Cumulative: 50/109 app<->grc dups closed (pilot 10 + batch-2 20 + batch-3 20). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DevOpsMadDog
added a commit
that referenced
this pull request
May 2, 2026
…triage 248911b 18 FIX-IMPORT cases from suite-core/core triage (`docs/suite_core_silenced_imports_2026-05-03.md`). Each broken import was silently swallowed by a try/except wrapper, masking either a renamed/removed symbol or a never-implemented helper. Disposition was determined per-callsite — when both the import name AND the consumer-side method names had drifted, the safest correction is REMOVE (replace the unreachable try-arm with the same fallback the broad-except already produced) rather than RENAME (which would surface latent crashes through the new broad-except). Pattern matches Wave-A in 60a8ea9 and the top-9 commit 55adab9. Per-callsite dispositions (18 total): # 1 compliance_engine.py:958 get_latest_summary REMOVED — no canonical helper # 2 task_queue.py:269 MicroPentestEngine REMOVED — only Config/Result/Status # 3 task_queue.py:439 MicroPentestEngine REMOVED — same # 4 pipeline_orchestrator.py:655 compute_exploit_probability REMOVED — canonical compute_forecast has incompatible signature # 5 feed_correlator.py:293 abuseipdb get_by_cve REMOVED — never implemented # 6 feed_correlator.py:306 otx get_by_cve REMOVED — never implemented # 7 autofix_engine.py:1283 get_velocity_tracker/ REMOVED — only MaterialChangeDetector get_detector class exists; use class directly # 8 report_generator.py:337 ComplianceEngine REMOVED — renamed to ComplianceAutomationEngine, no .get_controls method # 9 unified_dashboard.py:163 ComplianceEngine REMOVED — same; no .get_summary #10 report_scheduler.py:526 ComplianceEngine REMOVED — same; no .get_compliance_status #11 unified_dashboard.py:262 AttackSurfaceAnalyzer REMOVED — renamed to AttackSurfaceMapper, returns Pydantic model not Dict #12 air_gap_bundle_engine.py:76 EmitEvent PRE-DONE in 55adab9 (verified) #13 brain_pipeline.py:881 blast_radius PRE-DONE in 55adab9 (verified) #14 graphql_schema.py:565 get_incident_manager REMOVED — only IncidentResponseManager #15 graphql_schema.py:593 get_compliance_automation RENAMED — use ComplianceAutomation class #16 graphql_schema.py:909 get_compliance_automation RENAMED — same #17 graphql_schema.py:874 get_incident_manager, REMOVED — neither symbol exists IncidentCreate #18 report_scheduler.py:499 CVEEnrichmentEngine REMOVED — renamed to CVEEnrichmentService, no .get_recent_cves method #19 aws_security_hub.py:422 SecurityHubNormalizer REMOVED — no AWS SH normalizer in scanner_parsers (33 vendor classes, none for SH) Files touched (per-file diff stats): - suite-core/core/autofix_engine.py (+10/-16) - suite-core/core/aws_security_hub.py (+ 8/-28) - suite-core/core/compliance_engine.py (+10/- 9) - suite-core/core/feed_correlator.py (+19/-24) - suite-core/core/graphql_schema.py (+38/-40) - suite-core/core/pipeline_orchestrator.py (+ 8/-15) - suite-core/core/report_generator.py (+ 9/- 7) - suite-core/core/report_scheduler.py (+15/-23) - suite-core/core/task_queue.py (+22/-20) - suite-core/core/unified_dashboard.py (+34/-32) Net delta: -21 LOC. Verified: - All 12 touched modules import clean (`importlib.import_module`). - py_compile clean on all 10 files. - 351/351 regression PASS on the 7 brief-specified suites (test_phase4/5/6/7/9 + test_pipeline_api + test_trustgraph) — identical to pre-edit baseline. Cumulative suite-core silenced-import cleanup: 27/47 (top-9 in 55adab9 + this batch of 18). Remaining: 20 INSTALL/RETIRE-DEP decisions (per-feature judgment — quantum_crypto, llm_guard, chromadb, celery, pomegranate/mchmm/ river, sentry_sdk, GCP/PKCS11/peft/llama_cpp). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Testing
https://chatgpt.com/codex/tasks/task_e_68de97d5ccb08329a222ceb1b8fb3a18