Skip to content

fix: align finding field prose with v2 schema; harden webhook misconfiguration handling#35

Closed
BunsDev with Copilot wants to merge 3 commits into
mainfrom
copilot/fix-code-comments
Closed

fix: align finding field prose with v2 schema; harden webhook misconfiguration handling#35
BunsDev with Copilot wants to merge 3 commits into
mainfrom
copilot/fix-code-comments

Conversation

Copilot AI commented Jul 6, 2026

Copy link
Copy Markdown

Two contract consistency/safety issues from the Copilot review of PR #31.

Changes

  • docs/headless-contract.mdline and recommendation were described as optional on findings, but the v2 JSON schema lists both in required with nullable types. Updated prose to "required, may be null" to prevent consumers from treating absent fields as valid.

  • deploy/coven-github/coven_github_adapter.pyverify_webhook_signature() raises RuntimeError when the webhook secret is missing, but route_signed_delivery() didn't catch it. Wraps the call so a misconfigured deployment returns a structured 500 instead of an unhandled exception:

try:
    verified = verify_webhook_signature(webhook_secret or WEBHOOK_SECRET, raw_body, signature)
except RuntimeError:
    return {"ok": False, "status": 500, "error": "webhook secret not configured"}
if not verified:
    return {"ok": False, "status": 401, "error": "invalid signature"}

Copilot AI added 2 commits July 6, 2026 12:10
- docs/headless-contract.md: clarify that `line` and `recommendation`
  on findings are required (present in every finding) but may be null,
  matching the v2 JSON schema which lists them in `required` with
  nullable types.

- deploy/coven-github/coven_github_adapter.py: catch RuntimeError from
  verify_webhook_signature() in route_signed_delivery() and return a
  structured 500 response instead of propagating an unhandled exception
  when the webhook secret is not configured.
Copilot AI changed the title [WIP] Fix code based on review comments fix: align finding field prose with v2 schema; harden webhook misconfiguration handling Jul 6, 2026
Copilot AI requested a review from BunsDev July 6, 2026 12:12
@BunsDev BunsDev marked this pull request as ready for review July 6, 2026 12:15
Copilot AI review requested due to automatic review settings July 6, 2026 12:15

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the headless contract documentation to match the v2 schema’s “required but nullable” finding fields and hardens the Python hosted adapter’s webhook routing so a missing webhook secret produces a structured 500 response instead of an unhandled exception.

Changes:

  • Update docs/headless-contract.md to v2 contract wording, including “required, may be null” semantics for finding line and recommendation.
  • Add/expand the hosted Python adapter implementation, including structured review result validation and safer webhook signature routing.
  • Add Python unit tests covering mention boundary behavior and stale PR head evidence rejection.

Reviewed changes

Copilot reviewed 3 out of 5 changed files in this pull request and generated 4 comments.

File Description
docs/headless-contract.md Updates contract version and clarifies v2 structured review/result requirements, including required-but-nullable finding fields.
deploy/coven-github/coven_github_adapter.py Implements/updates hosted adapter logic (webhook routing hardening, result contract validation, review-context capture).
deploy/coven-github/test_coven_github_adapter.py Adds unit tests for mention parsing and PR head evidence mismatch handling.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +386 to +389
if action == "labeled" and not labels_include_trigger(issue.get("labels"), policy):
return ignored(base, "issue_label_not_enabled")
if action == "labeled" and not trigger_enabled(policy, "issue_label"):
return ignored(base, "issue_label_not_enabled")
Comment on lines +470 to +474
def route_signed_delivery(headers, body, debug, webhook_secret=None):
raw_body = body.encode("utf-8") if isinstance(body, str) else body
if raw_body is None:
raw_body = b""

Comment on lines +7 to +12
def load_adapter():
path = Path(__file__).with_name("coven_github_adapter.py")
spec = importlib.util.spec_from_file_location("coven_github_adapter", path)
module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(module)
return module
Comment on lines +476 to +480
try:
verified = verify_webhook_signature(webhook_secret or WEBHOOK_SECRET, raw_body, signature)
except RuntimeError:
return {"ok": False, "status": 500, "error": "webhook secret not configured"}
if not verified:
@BunsDev

BunsDev commented Jul 6, 2026

Copy link
Copy Markdown
Member

Closing as superseded by #31 (merged as b21d10e).

#35 and #31 were parallel implementations of the same contract-v2 work. Comparing this PR's adapter against the now-merged version on main, the only difference is an ~11-line stylistic refactor of the route_signed_delivery webhook-signature error handling — #31 already implements the same guard (invalid signature → 401, missing secret → 500). #31's version returns the underlying error detail (str(exc)), which is at least as informative as this PR's hardcoded message.

This PR also commits __pycache__/*.pyc binaries, which #31's .gitignore now excludes. No unique value to salvage over #31. Thanks for the parallel effort!

@BunsDev BunsDev closed this Jul 6, 2026
@BunsDev BunsDev deleted the copilot/fix-code-comments branch July 6, 2026 19:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants