fix(observability): avoid exposing live AMS ledgers#5471
Conversation
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-12 22:38:29 UTC
⏸️ Suggested Action - Manual Review Review summary Blockers
Nits — 5 non-blocking
Concerns raised — review before merging
📋 Copy for AI agents — paste into your coding agent
Review context
Contributor next steps
Signal definitions
[BETA] Chat with GittensoryAsk Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #5471 +/- ##
=======================================
Coverage 94.72% 94.72%
=======================================
Files 559 559
Lines 44664 44664
Branches 14664 14664
=======================================
Hits 42308 42308
Misses 1621 1621
Partials 735 735
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
3410f9b to
bab9f57
Compare
…rafana Completes the fix this PR only half-implemented: the datasource/docs already pointed at /reporting/ams-attempt-log.sqlite and /reporting/ams-prediction-ledger.sqlite, but nothing produced those files, and docker-compose.yml never mounted the live ledger directory anywhere -- the datasource was already inert out of the box. Adds scripts/export-ams-reporting-db.sh (mirrors export-grafana-reporting-db.sh's incremental-fingerprint + atomic-write shape, simplified for two independent SQLite-only, insert-only sources) and a new ams-reporting-exporter service under a dedicated ams-observability compose profile: it mounts the miner's live GITTENSORY_MINER_CONFIG_DIR read-only (Grafana never gets this mount), drops attempt_log_events' free-form reason/payload_json columns, and writes the redacted snapshot into the same shared reporting volume Grafana already reads. predictions/blocker_codes_json/warning_codes_json pass through unchanged -- already bounded, engine-defined codes, not free text. Also documents the new profile/env vars in .env.example and observability.md.
…serve-last-good (#5757) An instance whose ams-attempt-log source has never existed (an engine-only deployment with no co-located miner) creates its one-and-only export under whichever DDL was current at that moment, then export_ledger's "source missing, output already exists" fail-open path preserves it forever -- the fingerprint/SCRIPT_VERSION rebuild check is unreachable while the source stays absent, so a later DDL widening (PR #5637 added provider/cost_usd/tokens_used to attempt_log_events a day after PR #5471 first shipped this script) was previously invisible to such an instance permanently. Every miner-usage.json panel selecting those columns then hard-fails with "no such column" instead of just showing empty. Fixed by reconciling the preserved output's schema against the current DDL's declared columns (ALTER TABLE ADD COLUMN, mirroring packages/gittensory-miner/lib/attempt-log.js's own ensureOutcomeColumns pattern) whenever a preserve-last-good path fires -- additive only, so existing rows and their data are never touched.
Motivation
reason/payload_jsonand private prediction signals to any Grafana principal with query capability, creating a confidentiality risk.sqlite.yml), so the AMS datasources should follow that pattern instead of mounting live app files.Description
/reporting/ams-attempt-log.sqliteand/reporting/ams-prediction-ledger.sqliteingrafana/provisioning/datasources/ams-ledgers.yml.packages/gittensory-miner/docs/observability.mdto require publishing sanitized reporting exports into Grafana rather than mountingGITTENSORY_MINER_CONFIG_DIRinto Grafana.test/unit/ams-ledgers-datasource.test.tsto assert the provisioned datasource paths live under/reportingand do not reference/ams-ledgersor the raw ledger filenames.Testing
npm run selfhost:validate-observability, which completed successfully and reported valid dashboards/alert rules. (passed)npm test -- --run test/unit/ams-ledgers-datasource.test.ts, which ran the three tests and passed. (passed)npm run docs:drift-checkto verify documentation parity, which passed. (passed)npm run test:ci; it progressed through many checks but stopped at the Cloudflare typegen check becauseworker-configuration.d.tswas reported stale (this change did not modify Cloudflare bindings). (stopped/failure)npm audit --audit-level=moderatewas attempted but the registry audit endpoint returned403 Forbidden(external network/service issue), so the audit step could not complete. (skipped/failed)Codex Task