Prevent code generation setting bypasses

[geoffg-sentry]

It's the second time we have a bypass of this organization setting which allowed for code gen, new branches, and new PRs. Fixing this upstream in chokepoints rather than in all the endpoints since RPC callbacks, on-complete hooks, and slack flows lacked enforcement too.

Added check to:

• coding_agent.py launch_coding_agents_for_run()
• autofix_agent.py trigger_coding_agent_handoff()
• autofix.py update_autofix()
• SeerExplorerClient.push_changes()
• group_autofix_update.py & organization_seer_explorer_update.py to inspect payload_type and request.data type to 403 when appropriate

Plus a bunch of tests

[github-actions]

Backend Test Failures

Failures on e6d2312 in this run:

tests/sentry/seer/autofix/test_autofix.py::UpdateAutofixTest::test_update_autofix_blocks_coding_payloads_when_disabled — log

/opt/hostedtoolcache/Python/3.13.1/x64/lib/python3.13/unittest/mock.py:1424: in patched
    return func(*newargs, **newkeywargs)
E   TypeError: UpdateAutofixTest.test_update_autofix_blocks_coding_payloads_when_disabled() missing 1 required positional argument: 'payload_type'

tests/sentry/seer/endpoints/test_group_autofix_update.py::TestGroupAutofixUpdate::test_coding_payload_blocked_when_coding_disabled — log

/opt/hostedtoolcache/Python/3.13.1/x64/lib/python3.13/unittest/mock.py:1424: in patched
    return func(*newargs, **newkeywargs)
E   TypeError: TestGroupAutofixUpdate.test_coding_payload_blocked_when_coding_disabled() missing 1 required positional argument: 'payload_type'

[sentry-warden]

TypeError when request.data is a list due to unvalidated dict unpacking (src/sentry/seer/endpoints/organization_seer_explorer_update.py:52)

Line 52 correctly handles non-dict request.data by checking isinstance(request.data, dict) before calling .get(), but line 66 uses **request.data without ensuring request.data is a dict. If a client sends a JSON array (e.g., [{"type": "create_pr"}]) instead of a JSON object, the dict unpacking will raise TypeError: 'list' object is not a mapping, causing a 500 error.

Identified by Warden sentry-backend-bugs

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Missing create_branch in autofix coding payload guard
  • Updated CODING_UPDATE_PAYLOAD_TYPES in update_autofix() to include create_branch, aligning the chokepoint guard with endpoint-level coding payload checks.

Or push these changes by commenting:

@cursor push 0b1222bfcf

Preview (0b1222bfcf)

diff --git a/src/sentry/seer/autofix/autofix.py b/src/sentry/seer/autofix/autofix.py
--- a/src/sentry/seer/autofix/autofix.py
+++ b/src/sentry/seer/autofix/autofix.py
@@ -823,7 +823,7 @@
     )
 
 
-CODING_UPDATE_PAYLOAD_TYPES = frozenset({"select_solution", "create_pr"})
+CODING_UPDATE_PAYLOAD_TYPES = frozenset({"select_solution", "create_branch", "create_pr"})
 
 
 def update_autofix(

_{This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Unused constant added with no consumers
  • Confirmed the constant had no references and removed AUTOFIX_AUTOMATION_OCCURRENCE_THRESHOLD from the constants module.

Or push these changes by commenting:

@cursor push 1ab3d81c95

Preview (1ab3d81c95)

diff --git a/src/sentry/seer/autofix/constants.py b/src/sentry/seer/autofix/constants.py
--- a/src/sentry/seer/autofix/constants.py
+++ b/src/sentry/seer/autofix/constants.py
@@ -2,11 +2,7 @@
 
 CODING_PAYLOAD_TYPES = frozenset({"select_solution", "create_branch", "create_pr"})
 
-# An issue group must have >= this number of occurrences in order to be
-# a target for 'workflow' autofix.
-AUTOFIX_AUTOMATION_OCCURRENCE_THRESHOLD = 10
 
-
 class FixabilityScoreThresholds(enum.Enum):
     SUPER_HIGH = 0.76
     HIGH = 0.66

_{This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.}

[github-actions]

Backend Test Failures

Failures on 01052dd in this run:

tests/sentry/seer/autofix/test_autofix_agent.py::TestTriggerCodingAgentHandoff::test_raises_permission_denied_when_coding_disabled — log

tests/sentry/seer/autofix/test_autofix_agent.py:807: in test_raises_permission_denied_when_coding_disabled
    trigger_coding_agent_handoff(
E   TypeError: trigger_coding_agent_handoff() missing 1 required positional argument: 'referrer'

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[github-actions]

Backend Test Failures

Failures on 54873ee in this run:

tests/sentry/seer/autofix/test_autofix_agent.py::TestTriggerCodingAgentHandoff::test_raises_permission_denied_when_coding_disabled — log

tests/sentry/seer/autofix/test_autofix_agent.py:807: in test_raises_permission_denied_when_coding_disabled
    trigger_coding_agent_handoff(
E   TypeError: trigger_coding_agent_handoff() missing 1 required positional argument: 'referrer'

[github-actions]

Backend Test Failures

Failures on ffb9319 in this run:

tests/sentry/seer/endpoints/test_group_ai_autofix.py::GroupAutofixEndpointExplorerRoutingTest::test_open_pr_permission_error — log

tests/sentry/seer/endpoints/test_group_ai_autofix.py:1079: in test_open_pr_permission_error
    assert response.status_code == 404, f"Failed for {flag}: {response.data}"
E   AssertionError: Failed for organizations:seer-explorer: {'detail': ErrorDetail(string='Seer permission error: Unknown run id for group', code='permission_denied')}
E   assert 403 == 404
E    +  where 403 = <Response status_code=403, "application/json">.status_code