Skip to content

security: fail closed when upload scanning is unavailable#9

Merged
MerverliPy merged 2 commits into
mainfrom
audit/F-002-fail-closed-upload-scanning
Jun 17, 2026
Merged

security: fail closed when upload scanning is unavailable#9
MerverliPy merged 2 commits into
mainfrom
audit/F-002-fail-closed-upload-scanning

Conversation

@MerverliPy

Copy link
Copy Markdown
Owner

Summary

  • replace the implicit clean no-op scanner fallback with a fail-closed unavailable-scanner provider
  • quarantine uploads and suppress ingestion when no scanner is configured
  • retain the no-op provider only for explicit deterministic test injection
  • persist SCAN_PROVIDER_NOT_CONFIGURED scan provenance
  • add focused provider and upload-workflow coverage
  • add the F-002 remediation run record

Security impact

Before this change, the normal upload route treated every file as CLEAN when no scan provider was configured, despite recording scanned: false. This allowed unscanned content to enter ingestion.

After this change, the runtime fallback returns ERROR. The existing workflow records the result, transitions the version to QUARANTINED, and does not create or publish an ingestion request.

Validation

  • workspace build: 17/17 tasks passed
  • scanner provider tests: 2/2 passed
  • focused upload workflow: 18/18 passed
  • knowledge unit tests: 203/203 passed
  • API unit tests: 119/119 passed
  • knowledge and API typechecks passed
  • knowledge and API lint passed
  • repository formatting passed
  • secret scan passed
  • git diff --check passed

Compatibility

  • no database migration
  • no request or response schema change
  • no new dependency or external service
  • uploads without a configured scanner now return a quarantined result instead of entering ingestion

@MerverliPy

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9842bdc4f8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread planning/runs/F-002.md Outdated
@MerverliPy

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. What shall we delve into next?

Reviewed commit: 0d33995b33

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@MerverliPy MerverliPy merged commit 39f0d50 into main Jun 17, 2026
2 checks passed
MerverliPy added a commit that referenced this pull request Jun 18, 2026
)

* security: prevent production development-auth bypass (#8)

* security: prevent production development-auth bypass

Reject explicit development-auth bypass requests in production, use the real OIDC client by default, and add focused regression coverage for all supported application modes.

Remediates audit finding F-001.

* style: format F-001 remediation

* docs: document development auth bypass opt-in

* docs: keep development auth bypass opt-in

* security: require production oidc settings

* security: fail closed when upload scanning is unavailable (#9)

* security: fail closed when upload scanning is unavailable

* docs: anonymize F-002 run record

* security: enforce default-branch governance (#10)

* security: enforce default-branch governance

* docs: namespace repository audit finding record

* docs: disambiguate repository audit finding ID

* fix(audit): consolidate OpenCode project configuration (#11)
MerverliPy added a commit that referenced this pull request Jun 18, 2026
* security: prevent production development-auth bypass

Reject explicit development-auth bypass requests in production, use the real OIDC client by default, and add focused regression coverage for all supported application modes.

Remediates audit finding F-001.

* style: format F-001 remediation

* docs: document development auth bypass opt-in

* docs: keep development auth bypass opt-in

* security: require production oidc settings

* Enhance security measures and documentation for production settings (#12)

* security: prevent production development-auth bypass (#8)

* security: prevent production development-auth bypass

Reject explicit development-auth bypass requests in production, use the real OIDC client by default, and add focused regression coverage for all supported application modes.

Remediates audit finding F-001.

* style: format F-001 remediation

* docs: document development auth bypass opt-in

* docs: keep development auth bypass opt-in

* security: require production oidc settings

* security: fail closed when upload scanning is unavailable (#9)

* security: fail closed when upload scanning is unavailable

* docs: anonymize F-002 run record

* security: enforce default-branch governance (#10)

* security: enforce default-branch governance

* docs: namespace repository audit finding record

* docs: disambiguate repository audit finding ID

* fix(audit): consolidate OpenCode project configuration (#11)
MerverliPy added a commit that referenced this pull request Jun 20, 2026
* security: prevent production development-auth bypass

Reject explicit development-auth bypass requests in production, use the real OIDC client by default, and add focused regression coverage for all supported application modes.

Remediates audit finding F-001.

* style: format F-001 remediation

* docs: document development auth bypass opt-in

* docs: keep development auth bypass opt-in

* security: require production oidc settings

* Enhance security measures and documentation for production settings (#12)

* security: prevent production development-auth bypass (#8)

* security: prevent production development-auth bypass

Reject explicit development-auth bypass requests in production, use the real OIDC client by default, and add focused regression coverage for all supported application modes.

Remediates audit finding F-001.

* style: format F-001 remediation

* docs: document development auth bypass opt-in

* docs: keep development auth bypass opt-in

* security: require production oidc settings

* security: fail closed when upload scanning is unavailable (#9)

* security: fail closed when upload scanning is unavailable

* docs: anonymize F-002 run record

* security: enforce default-branch governance (#10)

* security: enforce default-branch governance

* docs: namespace repository audit finding record

* docs: disambiguate repository audit finding ID

* fix(audit): consolidate OpenCode project configuration (#11)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant