fix: security audit

[pedronauck]

Summary by CodeRabbit

• Security Enhancements

  • Stronger URL/credential validation for integrations; credentialed requests reject redirects.
  • Environment filtering removes credential-like vars from spawned processes; logs and streamed prompt data redact secrets.
  • API request body size limits and stricter loopback-only API access.
  • Installer verifies releases via cosign provenance/signature checks.
  • Envelope/message validation rejects raw secret material and tightens replay freshness.

• Bug Fixes & Improvements

  • Webhook secret validation tightened for Telegram.
  • Approval tokens enforce scope and agent matching.
  • Managed extension install names validated to prevent path escapes.
  • Improved subprocess/process-group handling across platforms.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 425bda66-4381-4c2f-a79b-30aef9e54a65

📥 Commits

Reviewing files that changed from the base of the PR and between 83eb68b and 554eb93.

⛔ Files ignored due to path filters (1)

• .compozy/tasks/secaudit/reviews-003/issue_001.md is excluded by !**/*.md

📒 Files selected for processing (1)

• internal/network/validate_test.go

---

Walkthrough

Adds credentialed-URL validation and redirect-safe HTTP clients for bridges; filters sensitive environment variables and introduces process-group registration/cleanup; enforces API request body limits and stricter loopback guards; redacts prompt/tool payloads; tightens network envelope secret/proof checks; validates managed extension install names; adds installer provenance verification; tests and a .gitignore entry.

Changes

Bridge provider credential handling (Linear, Teams, Telegram)

Layer / File(s)	Summary
URL helpers extensions/bridges/linear/provider.go, extensions/bridges/teams/provider.go	Add valid*CredentialedURL and loopback-host helpers enforcing HTTPS for trusted hosts and allowing HTTP only for loopback addresses.
Config validation extensions/bridges/linear/provider.go, extensions/bridges/teams/provider.go, extensions/bridges/telegram/provider.go	Validate apiBaseURL, oauthTokenURL, openid_metadata_url, and token_url during provider config resolution; Telegram also requires webhook secret when listenAddr is set.
HTTP client behavior extensions/bridges/linear/api.go, extensions/bridges/teams/provider.go	Add credentialed HTTP client wrappers (force no-redirect) and use them for GraphQL/OpenID/JWKS/token requests; abort early on invalid credentialed URLs.
Tests extensions/bridges/linear/provider_test.go, extensions/bridges/teams/provider_test.go, extensions/bridges/telegram/provider_test.go	Add/adjust tests for credentialed-URL rules and that credentialed requests do not follow redirects; Telegram tests assert webhook-secret presence and update bound-secrets in runtime tests.

Environment filtering & process-group management

Layer / File(s)	Summary
Env utilities internal/procutil/env.go	Add FilteredDaemonEnv and SensitiveEnvName to remove credential-shaped env vars from a base environment.
Attach/redact logs internal/procutil/detached.go	Redact and bound captured detached command error text via diagnostics.RedactAndBound.
Process-group API internal/procutil/process_group_unix.go, internal/procutil/process_group_windows.go	Add RegisterCommandProcessGroup (unix stub) and full Windows Job Object-based registration/signaling/waiting/kill helpers.
Integration / registration internal/acp/handlers.go, internal/acp/process_tree_unix.go, internal/acp/process_tree_windows.go, internal/subprocess/*	Call registerManagedCommand post-start; centralize cleanup via cleanupStarted* helpers; map Windows implementations to procutil.
Session/terminal/env usage internal/session/manager_start.go, internal/acp/handlers.go	Use FilteredDaemonEnv when spawning sessions/terminal commands; discard request env for network-owned terminals.
Tests internal/procutil/env_test.go, internal/acp/handlers_test.go, internal/session/manager_start_test.go	Add tests asserting environment filtering and that network-owned terminals/session envs remove secrets.

HTTP API hardening and prompt redaction

Layer / File(s)	Summary
Middleware & constants internal/api/httpapi/middleware.go	Add maxAPIRequestBodyBytes, errRequestBodyTooLarge, requestBodyLimitMiddleware for /api/* (HTTP 413); rename/enforce loopbackAPIGuard with errLoopbackAPIRequired; remove special-case loopback CORS allowance.
Server wiring internal/api/httpapi/server.go, internal/api/httpapi/helpers_test.go	Install request-body-limit middleware into Gin engine and test router pipeline before error middleware.
Routes internal/api/httpapi/routes.go	Register webhook routes immediately on /api before applying loopback guard so webhooks remain reachable when guard is applied.
Prompt/event redaction internal/api/httpapi/prompt.go	Add redactPromptString, redactPromptValue, redactPromptRaw; apply redaction to textual fields and Raw payloads before SSE streaming.
Handler logic & validation internal/api/core/tools.go, internal/api/httpapi/handlers.go	Tool approval now computes/validates effective scope from request via approvalScopeFromRequest; handlers trim/derive boundHost.
Tests internal/api/httpapi/handlers_error_test.go, internal/api/httpapi/handlers_test.go, internal/api/httpapi/server_test.go, internal/api/core/tools_test.go	Update CORS/loopback expectations to 403, add request-body-limit test, update SSE tests to assert redaction, add approval-scope-mismatch test, and integrate middleware into test router.

Network envelope validation and replay handling

Layer / File(s)	Summary
Secret scanning & proof rules internal/network/validate.go	Add validateEnvelopeContainsNoRawSecrets scanning Body/Proof/Ext for raw secret material; require proof when peer_card includes privileged task-write capability; add future-TS window check.
Deadline clamping internal/network/router.go	Clamp replayDeadline to just-after-now when computed deadline would be in the past.
Tests internal/network/validate_test.go, internal/network/router_test.go	Add cases for future-TS rejection, missing proof for privileged capability, raw-secret detection in body/ext/proof, and replay-deadline behavior.

Tool approval token scope & matching

Layer / File(s)	Summary
Token record changes internal/tools/approval_token.go	Persist agent_name in stored approval records; normalize/validate request scope via fallible normalizeApprovalRequest and approvalScopeValue; require agent-name match on consume.
Tests internal/tools/approval_token_test.go	Add tests for agent-name mismatch rejection and creating approvals with mismatched session IDs.

Extension installation path validation

Layer / File(s)	Summary
Name validation & checked path internal/extension/install_managed.go	Add validateManagedInstallName, ManagedInstallPathChecked to validate/normalize names and prevent traversal/sep/absolute/reserved names; ManagedInstallPath falls back to _invalid-extension-name on error.
Install flows internal/extension/marketplace_lifecycle.go, internal/extension/install_managed.go	Use ManagedInstallPathChecked and return errors early instead of moving into unchecked paths.
Tests internal/extension/install_managed_test.go	Add tests verifying checked path succeeds for trimmed names and rejects unsafe names; test that InstallLocalManaged rejects unsafe manifest names and avoids path-escape.

Installer provenance verification & site tests

Layer / File(s)	Summary
Install script changes packages/site/public/install.sh	Hardcode RELEASE_REPO="compozy/agh", require cosign, add resolve_latest_release_tag(), download signature/certificate files, run cosign verify-blob on checksums.txt before checksum validation/extraction.
Contract tests packages/site/lib/public-install-contract.test.ts	Update env allowlist, assert presence and ordering of signature→certificate→provenance→checksum steps and that docs reference cosign.

.gitignore

Layer / File(s)	Summary
Ignore pattern .gitignore	Add .codex/security-reports/* to ignored paths.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• fix: security audit #90 — Contains overlapping credentialed-URL validation, redirect-strict HTTP clients, procutil env/process-group changes, and many identical file edits.
• refactor: project structure #7 — Modifies procutil and process lifecycle helpers used by the new process-group registration and Windows job-object work.
• refactor: daemon improvs compozy#121 — Overlaps on daemon/API surface and SSE/streaming changes related to prompt redaction and handler wiring.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 12.73% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'fix: security audit' is vague and does not clearly convey the specific security improvements made in this changeset, which include URL validation, credential isolation, secret redaction, and request body limits.	Consider using a more specific title that reflects the main security improvements, such as 'fix: add URL validation and credential isolation for bridge providers' or 'fix: implement security hardening with secret redaction and request limits'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Review rate limit: 4/5 reviews remaining, refill in 12 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 7

🧹 Nitpick comments (3)

internal/extension/install_managed_test.go (1)

66-72: 💤 Low value

Add t.Parallel() to subtests.

The subtests for unsafe name rejection are missing t.Parallel() calls. Per coding guidelines, subtests should use t.Parallel() by default.

♻️ Suggested fix

 	for _, name := range []string{"../escape", "nested/name", `nested\name`, ".", "..", "/abs"} {
 		t.Run("Should reject unsafe name "+name, func(t *testing.T) {
+			t.Parallel()
 			if got, err := ManagedInstallPathChecked(homePaths, name); err == nil {
 				t.Fatalf("ManagedInstallPathChecked(%q) = %q, nil; want error", name, got)
 			}
 		})
 	}

As per coding guidelines: "Use t.Run("Should ...") subtests with t.Parallel as default"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/extension/install_managed_test.go` around lines 66 - 72, The
subtests in the loop calling t.Run should call t.Parallel() and must capture the
loop variable to avoid concurrency races; update the anonymous func passed to
t.Run in internal/extension/install_managed_test.go to begin with t.Parallel()
and capture the loop variable (e.g., local := name) before using it in
ManagedInstallPathChecked; keep the rest of the assertion logic the same so each
subtest runs in parallel safely.

internal/api/core/tools.go (1)

428-464: ⚡ Quick win

Centralize this approval-scope normalization helper.

approvalScopeField now duplicates the same security rule already implemented in internal/tools/approval_token.go. Keeping both copies in sync is easy to miss later, and any drift would make mint-time and store-time validation disagree. Consider moving this helper into internal/tools and reusing it from both call sites.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/api/core/tools.go` around lines 428 - 464, The file defines
approvalScopeField (used by approvalScopeFromRequest) which duplicates logic in
internal/tools/approval_token.go; move the normalization/validation helper out
of internal/api/core/tools.go into internal/tools (e.g., export or add a
function in approval_token.go such as ApprovalScopeField or
NormalizeApprovalScopeField), update approvalScopeFromRequest to call that
centralized function, and replace the duplicate implementation wherever else it
exists so both mint-time and store-time use the same helper; ensure function
signature and returned toolspkg.NewValidationError behavior remain the same so
callers (approvalScopeFromRequest) continue to work without other changes.

internal/subprocess/process.go (1)

278-293: 💤 Low value

Consider consolidating duplicate cleanup implementations.

This function is nearly identical to cleanupStartedTerminalCommand in internal/acp/handlers.go. Both follow the same kill → wait → force-exit pattern. Consider extracting a shared helper in procutil to reduce duplication.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/subprocess/process.go` around lines 278 - 293, The cleanup logic in
cleanupStartedManagedCommand and cleanupStartedTerminalCommand is duplicated;
extract a shared helper (e.g., CleanupStartedCommand or
CleanupStartedProcessSequence) into procutil that accepts an *exec.Cmd and
defaultProcessGroupWait, and implements the kill → wait →
forceManagedProcessGroupExit sequence returning errors.Join(errs...); update
both cleanupStartedManagedCommand and cleanupStartedTerminalCommand to call this
new procutil helper to remove duplication while preserving existing error
wrapping messages and behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@extensions/bridges/linear/api.go`:
- Around line 295-298: The credentialed HTTP requests currently validate the
initial URL with validLinearCredentialedURL() but then use an http.Client that
can follow redirects, exposing bearer tokens or client credentials; update the
code paths that build requests (e.g., where http.NewRequestWithContext(...) is
called and the client used for GraphQL/token calls) to configure the
http.Client.CheckRedirect to either deny redirects or validate each redirect
target with validLinearCredentialedURL() before following; apply the same fix
for the other request block referenced around the code handling lines 368–376 so
no redirect can send sensitive headers to untrusted hosts.

In `@extensions/bridges/teams/provider.go`:
- Line 45: The client teamsAuthHTTPClient currently allows automatic redirects
which can forward credentialed bodies; update its redirect handling to block or
validate redirects: set teamsAuthHTTPClient.CheckRedirect to a function that
returns http.ErrUseLastResponse to reject all redirects, or implement logic that
calls validatedTeamsCredentialedURL on each redirect Location and only allows
the redirect when it returns true. Apply this change where teamsAuthHTTPClient
is used (and any other HTTP clients issuing credentialed requests) so
credentialed POST/PUT bodies are never blindly forwarded to unvalidated hosts.

In `@extensions/bridges/telegram/provider_test.go`:
- Around line 270-272: The current test only checks for a non-nil error from
verifyWebhookSecret; tighten it to assert the specific missing-secret failure by
asserting the returned error matches the expected sentinel or contains the
expected message. Update the assertion in provider_test.go where
verifyWebhookSecret is called to either use errors.Is(err, expectedErr) if there
is a package-level sentinel (e.g., ErrMissingSecret) or use a string containment
check (e.g., require.True/if !strings.Contains(err.Error(), "missing configured
secret") then t.Fatalf) to ensure the error is specifically the
configured-secret-missing case rather than any non-nil error.

In `@internal/network/router.go`:
- Around line 935-947: Clamp must use the envelope's original timestamp (TS)
when computing maxDeadline so dedupe entries aren't evicted based on current
now; change the logic that sets maxDeadline (currently maxDeadline :=
now.Add(maxReplayAge).UTC()) to compute the ceiling as
TS.Add(maxReplayAge).UTC() when the envelope timestamp is present (fall back to
now.Add(maxReplayAge) only if TS is missing), then continue the existing
expiresAt and deadline comparisons (using deadline, maxReplayAge,
envelope.ExpiresAt) and keep the final now check as-is.

In `@internal/network/validate.go`:
- Around line 373-382: The validation currently checks only Envelope.Body and
Envelope.Ext for raw secrets; extend validateEnvelopeContainsNoRawSecrets to
also inspect Envelope.Proof using the same helper envelopeRawValueContainsSecret
and return a wrapped ErrInvalidBody error when a raw secret is found.
Specifically, add a check for env.Proof (and iterate if Proof is a collection
similar to Ext) and produce the same error message pattern but reference
"network proof" (e.g., "%w: raw secret material is not allowed in network
proof") so raw claim_token/OAuth/PKCE/secret-binding values cannot be
transported via Proof.

In `@packages/site/public/install.sh`:
- Around line 130-131: The script currently builds SIGNATURE_URL and
CERTIFICATE_URL from BASE_URL which may contain "latest", risking mixed-release
downloads; modify the install flow to resolve "latest" once into a concrete tag
(store in a variable like RESOLVED_TAG or VERSION) before constructing all
download links, then rebuild ARCHIVE_URL, CHECKSUMS_URL, SIGNATURE_URL and
CERTIFICATE_URL using that pinned RESOLVED_TAG instead of BASE_URL so every
asset comes from the same resolved release (update the code around BASE_URL,
SIGNATURE_URL, CERTIFICATE_URL and any ARCHIVE_URL/CHECKSUMS_URL definitions
accordingly).
- Line 5: Update the COSIGN_CERT_IDENTITY_REGEXP in install.sh to remove
acceptance of refs/heads/main and only match tag-based release refs (e.g.,
refs/tags/v...); locate the COSIGN_CERT_IDENTITY_REGEXP variable definition and
adjust its regex so it no longer includes the |refs/(heads/main) alternative and
only allows the refs/tags/v[0-9]... pattern for release tags.

---

Nitpick comments:
In `@internal/api/core/tools.go`:
- Around line 428-464: The file defines approvalScopeField (used by
approvalScopeFromRequest) which duplicates logic in
internal/tools/approval_token.go; move the normalization/validation helper out
of internal/api/core/tools.go into internal/tools (e.g., export or add a
function in approval_token.go such as ApprovalScopeField or
NormalizeApprovalScopeField), update approvalScopeFromRequest to call that
centralized function, and replace the duplicate implementation wherever else it
exists so both mint-time and store-time use the same helper; ensure function
signature and returned toolspkg.NewValidationError behavior remain the same so
callers (approvalScopeFromRequest) continue to work without other changes.

In `@internal/extension/install_managed_test.go`:
- Around line 66-72: The subtests in the loop calling t.Run should call
t.Parallel() and must capture the loop variable to avoid concurrency races;
update the anonymous func passed to t.Run in
internal/extension/install_managed_test.go to begin with t.Parallel() and
capture the loop variable (e.g., local := name) before using it in
ManagedInstallPathChecked; keep the rest of the assertion logic the same so each
subtest runs in parallel safely.

In `@internal/subprocess/process.go`:
- Around line 278-293: The cleanup logic in cleanupStartedManagedCommand and
cleanupStartedTerminalCommand is duplicated; extract a shared helper (e.g.,
CleanupStartedCommand or CleanupStartedProcessSequence) into procutil that
accepts an *exec.Cmd and defaultProcessGroupWait, and implements the kill → wait
→ forceManagedProcessGroupExit sequence returning errors.Join(errs...); update
both cleanupStartedManagedCommand and cleanupStartedTerminalCommand to call this
new procutil helper to remove duplication while preserving existing error
wrapping messages and behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5a456ef9-bda8-48d4-a83e-790344273db3

📥 Commits

Reviewing files that changed from the base of the PR and between 65d0ca7 and d883301.

⛔ Files ignored due to path filters (1)

• packages/site/content/runtime/core/getting-started/installation.mdx is excluded by !**/*.mdx

📒 Files selected for processing (44)

• .gitignore
• extensions/bridges/linear/api.go
• extensions/bridges/linear/provider.go
• extensions/bridges/linear/provider_test.go
• extensions/bridges/teams/provider.go
• extensions/bridges/teams/provider_test.go
• extensions/bridges/telegram/provider.go
• extensions/bridges/telegram/provider_test.go
• internal/acp/handlers.go
• internal/acp/handlers_test.go
• internal/acp/process_tree_unix.go
• internal/acp/process_tree_windows.go
• internal/api/core/tools.go
• internal/api/core/tools_test.go
• internal/api/httpapi/handlers.go
• internal/api/httpapi/handlers_error_test.go
• internal/api/httpapi/handlers_test.go
• internal/api/httpapi/helpers_test.go
• internal/api/httpapi/middleware.go
• internal/api/httpapi/prompt.go
• internal/api/httpapi/routes.go
• internal/api/httpapi/server.go
• internal/api/httpapi/server_test.go
• internal/extension/install_managed.go
• internal/extension/install_managed_test.go
• internal/extension/marketplace_lifecycle.go
• internal/network/router.go
• internal/network/router_test.go
• internal/network/validate.go
• internal/network/validate_test.go
• internal/procutil/detached.go
• internal/procutil/env.go
• internal/procutil/env_test.go
• internal/procutil/process_group_unix.go
• internal/procutil/process_group_windows.go
• internal/session/manager_start.go
• internal/session/manager_start_test.go
• internal/subprocess/process.go
• internal/subprocess/signals_unix.go
• internal/subprocess/signals_windows.go
• internal/tools/approval_token.go
• internal/tools/approval_token_test.go
• packages/site/lib/public-install-contract.test.ts
• packages/site/public/install.sh

[coderabbitai]

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@extensions/bridges/teams/provider_test.go`:
- Around line 767-769: The test currently only checks for any non-nil error from
fetchTeamsOpenIDMetadata; change the assertion to specifically assert the error
is a *bridgesdk.HTTPError (use errors.As or require.ErrorAs) and that its
StatusCode equals http.StatusTemporaryRedirect (307) so we prove the client
stopped on the redirect response; update the same pattern in the sibling
assertions around the other subtests (the blocks at the other reported
locations) to use ErrorAs + check err.StatusCode == http.StatusTemporaryRedirect
instead of a generic non-nil check.

In `@extensions/bridges/teams/provider.go`:
- Around line 2823-2834: The validator validTeamsCredentialedURL currently
allows http loopback hosts which enables cleartext token_url endpoints and can
leak client_secret via accessToken(); change the validator to disallow any
"http" scheme for credentialed flows by removing or disabling the http case
(isLoopbackTeamsHost) and only accept "https" hosts (login.botframework.com or
login.microsoftonline.com); if loopback support is required for tests, add a
separate test-only gate (e.g. an explicit dev/test flag like
ENABLE_TEAMS_LOOPBACK_FOR_TESTING) or provide a separate test-only validator
function and ensure accessToken() continues to call the credentialed validator
that rejects plain-http loopback URLs.

In `@internal/network/router.go`:
- Around line 941-943: The branch that currently returns now.UTC() when
deadline.Before(now) causes expiresAt to be <= now and allows replay dedupe to
be bypassed; modify the if branch in the deadline handling (the code using
variables deadline and now, related to markSeen/replay-window) to return
now.Add(time.Second).UTC() instead so the computed expiry is strictly in the
future (one second) and cannot be treated as already expired by markSeen's
expiresAt <= now check.

In `@internal/network/validate.go`:
- Around line 404-407: The current envelopeValueContainsSecret function only
flags secrets when the value is a non-empty string, letting raw secret material
hide in JSON keys; update envelopeValueContainsSecret to also check the key
itself using envelopeKeyCarriesRawSecret and treat a matching key as a secret
regardless of the value type, and additionally ensure any recursion/redaction
logic (used elsewhere in the file around envelopeKeyCarriesRawSecret and
envelopeValueIsNonEmpty) is applied to map/object keys as well so that keys like
"agh_claim_*" immediately return true; locate and modify
envelopeValueContainsSecret, envelopeKeyCarriesRawSecret, and any recursive
redaction helpers to enforce key-based detection consistently.
- Around line 433-435: The function envelopeStringContainsSecret incorrectly
flags whitespace-only strings as secrets because diagnostics.Redact trims
blanks; update envelopeStringContainsSecret to early-return false for strings
that are only whitespace (e.g., if strings.TrimSpace(value) == "") before
calling taskpkg.RedactClaimTokens or diagnostics.Redact so whitespace-only
optional fields are not treated as secrets.

In `@packages/site/public/install.sh`:
- Around line 56-63: The case that checks resolved_tag uses the loose pattern
v[0-9]* which allows unwanted suffixes; update the validation in the install
script to use the stricter tag pattern used by the provenance policy (e.g.,
require v<major>.<minor>.<patch> and optional canonical suffix rules) so
malformed tags are rejected—modify the case for resolved_tag and the associated
fail call (which reports resolved_url) to use that stricter regex/pattern and
ensure the success branch only prints tags that fully match the policy.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a4e93947-923e-4f02-911f-5e257123b48a

📥 Commits

Reviewing files that changed from the base of the PR and between d883301 and 8293453.

⛔ Files ignored due to path filters (10)

• .compozy/tasks/secaudit/reviews-001/issue_001.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-001/issue_002.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-001/issue_003.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-001/issue_004.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-001/issue_005.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-001/issue_006.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-001/issue_007.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-001/issue_008.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-001/issue_009.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-001/issue_010.md is excluded by !**/*.md

📒 Files selected for processing (12)

• extensions/bridges/linear/api.go
• extensions/bridges/linear/provider_test.go
• extensions/bridges/teams/provider.go
• extensions/bridges/teams/provider_test.go
• extensions/bridges/telegram/provider_test.go
• internal/extension/install_managed_test.go
• internal/network/router.go
• internal/network/router_test.go
• internal/network/validate.go
• internal/network/validate_test.go
• packages/site/lib/public-install-contract.test.ts
• packages/site/public/install.sh

✅ Files skipped from review due to trivial changes (1)

• packages/site/lib/public-install-contract.test.ts

🚧 Files skipped from review as they are similar to previous changes (4)

• internal/network/validate_test.go
• extensions/bridges/linear/api.go
• internal/extension/install_managed_test.go
• extensions/bridges/linear/provider_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/network/validate_test.go`:
- Around line 327-407: The table-driven test entries use plain names like
"future timestamp outside replay window" and must follow the t.Run "Should ..."
pattern; update each case's name field (the struct entries with name: "...") to
a descriptive "Should ..." form (e.g., "Should reject future timestamp outside
replay window", "Should reject greet task write without proof", "Should reject
raw secret in body", etc.) so all cases in the table (the entries that mutate
Envelope, set wantErr/wantMatch) conform to the required t.Run naming
convention.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b3492932-89fb-45c4-b5c9-0af7ab58f98b

📥 Commits

Reviewing files that changed from the base of the PR and between 8293453 and 83eb68b.

⛔ Files ignored due to path filters (6)

• .compozy/tasks/secaudit/reviews-002/issue_001.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-002/issue_002.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-002/issue_003.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-002/issue_004.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-002/issue_005.md is excluded by !**/*.md
• .compozy/tasks/secaudit/reviews-002/issue_006.md is excluded by !**/*.md

📒 Files selected for processing (8)

• extensions/bridges/teams/provider.go
• extensions/bridges/teams/provider_test.go
• internal/network/router.go
• internal/network/router_test.go
• internal/network/validate.go
• internal/network/validate_test.go
• packages/site/lib/public-install-contract.test.ts
• packages/site/public/install.sh

✅ Files skipped from review due to trivial changes (1)

• internal/network/validate.go

🚧 Files skipped from review as they are similar to previous changes (3)

• internal/network/router_test.go
• packages/site/public/install.sh
• packages/site/lib/public-install-contract.test.ts