
refactor(prompt): consolidate template context and add golden snapshot tests#630

Merged
wesm merged 10 commits into main from gotmpl-user-facing-structs
Apr 19, 2026

Collaborator

@mariusvniekerk mariusvniekerk commented Apr 6, 2026

Summary

  • Consolidates the template-facing prompt data model under a single TemplateContext root; unifies prompt rendering, fitting, and range fallback selection through it.
  • Restores three regressions from the earlier template refactor: per-commit InRangeReviews section in range prompts, the tool-attempts / user-comments split in address prompts, and the codex "do not read files outside the repo checkout" guardrail.
  • Adds a golden-file snapshot test suite under internal/prompt/testdata/golden/ covering 18 scenarios across agents (default, codex, claude-code, gemini), review types (review, range, dirty, address, security, design), context injection (previous reviews, guidelines, additional context, severity filter), and diff-truncation fallbacks. Regenerate with go test -update-golden ./internal/prompt/.
  • Fixes template whitespace leaks (stray \n in empty sections, extra blank lines between range entries) surfaced by byte-diffing against the pre-refactor output.
  • Forces LF line endings for *.gotmpl templates via .gitattributes so the embedded FS produces identical output on Windows.


roborev-ci Bot commented Apr 6, 2026

roborev: Combined Review (e6357ab)

Summary verdict: 1 medium-severity issue found; no high or critical findings.

Medium

  • internal/prompt/template_context.go:251, internal/prompt/templates/prompt_sections.md.gotmpl:71
    The new fallback model can silently render an empty diff section. diff_block now takes the fallback path whenever .Fallback.HasContent is true, but FallbackContext.Rendered() only renders Text and Dirty.Body. If callers populate Commit, Range, or Generic, the template suppresses .Diff.Body and emits no fallback content.

    Fix: either implement rendering for all structured fallback variants in Rendered()/templates, or make HasContent only report truly renderable content until those branches are supported. Add tests covering commit/range/generic fallback rendering.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

@mariusvniekerk mariusvniekerk marked this pull request as draft April 6, 2026 23:18
@mariusvniekerk mariusvniekerk force-pushed the gotmpl-user-facing-structs branch from e6357ab to 1281801 Compare April 7, 2026 12:32

roborev-ci Bot commented Apr 7, 2026

roborev: Combined Review (1281801)

Verdict: 2 medium-severity regressions in prompt behavior should be addressed before merge.

Medium

  • internal/prompt/prompt.go:821-839, internal/prompt/templates/prompt_sections.md.gotmpl:29-43
    Range-review prompts no longer include prior per-commit review context for commits inside the reviewed range. The removed InRangeReviews population/rendering path means range reviews can resurface issues that were already found earlier in the stack or fixed by later commits.

  • internal/prompt/prompt.go:1126-1139, internal/prompt/templates/prompt_sections.md.gotmpl:135-140
    BuildAddressPrompt now merges automated fix attempts and human developer comments into one PreviousAttempts block. That removes the distinct user-comment context and can cause developer guidance to be treated like another failed attempt instead of instructions to honor while fixing.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)


roborev-ci Bot commented Apr 7, 2026

roborev: Combined Review (1281801)

Summary: 2 medium-severity issues found; no high or critical findings.

Medium

  • Range reviews lost in-range prior review context

    • Location: internal/prompt/prompt.go:821-839, internal/prompt/templates/prompt_sections.md.gotmpl:29-43
    • Finding: Range-review prompts no longer include prior per-commit review context for commits inside the selected range. With the old InRangeReviews population/rendering path removed, the reviewer loses the “already reviewed in this range” guidance and can resurface issues that were already identified or fixed later in the stack.
    • Suggested fix: Restore an equivalent InRangeReviews field in the consolidated context and render it from optional_sections for range prompts.
  • Developer comments are conflated with failed fix attempts

    • Location: internal/prompt/prompt.go:1126-1139, internal/prompt/templates/prompt_sections.md.gotmpl:135-140
    • Finding: BuildAddressPrompt now merges automated fix attempts and human developer comments into a single PreviousAttempts block. That removes the dedicated ## User Comments section and reframes operator guidance as just another failed attempt, which can cause the agent to underweight or misinterpret explicit developer instructions.
    • Suggested fix: Keep separate fields for tool attempts and user comments in the address-template context, or preserve the prior split behavior when building the prompt.

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)


roborev-ci Bot commented Apr 8, 2026

roborev: Combined Review (35f7bf6)

Summary verdict: Changes introduce 2 medium-severity prompt regressions that should be addressed before merge.

Medium

  • internal/prompt/prompt.go:806-823, internal/prompt/templates/prompt_sections.md.gotmpl:43
    Range prompts no longer include the prior "Per-Commit Reviews in This Range" context. This removes guidance that helped avoid re-raising issues already covered by commit-level reviews, which is a regression in range review quality. Restore the in-range review data in the consolidated context and render the corresponding section in the range prompt template.

  • internal/prompt/prompt.go:1100-1124, internal/prompt/templates/prompt_sections.md.gotmpl:135-140
    BuildAddressPrompt now folds all prior responses into a generic "Previous Addressing Attempt" bucket, and the separate "User Comments" section was removed. That causes developer comments to be mislabeled as prior fix attempts and removes guidance on how user feedback should be used, which can degrade refine/address behavior. Keep tool attempts and user comments distinct in the structured context and rendered prompt.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)


roborev-ci Bot commented Apr 9, 2026

roborev: Combined Review (97ec9a7)

Verdict: this refactor introduces 3 substantive regressions in prompt safety/context handling that should be addressed before merge.

High

  • Repository-boundary restriction removed
    Location: internal/prompt/templates/codex_review.md.gotmpl:5
    The Codex review prompt no longer explicitly forbids reading files outside the repository checkout. That weakens a defense-in-depth control against prompt-injection-driven exfiltration from untrusted repo content, because malicious diffs/comments can now try to steer the agent toward local secrets or unrelated files.
    Suggested fix: Restore the repo-boundary restriction, preserve the explicit allowlist for any provided diff snapshot path, and ensure any exceptional path is validated as repo-local or an approved snapshot.

  • Address prompts no longer distinguish developer comments from prior fix attempts
    Location: internal/prompt/prompt.go:1133, internal/prompt/templates/prompt_sections.md.gotmpl:132
    The refactor merges human developer comments into ## Previous Addressing Attempts, removing their distinct framing and the instruction that these comments may identify false positives or provide explicit guidance. That changes prompt semantics and risks the agent discounting important human feedback.
    Suggested fix: Restore separate handling for user comments vs. tool-generated attempts, either by reviving the split logic or by carrying response type through the template context and rendering distinct sections.

  • Range reviews lost prior per-commit review context
    Location: internal/prompt/prompt.go:836, internal/prompt/templates/prompt_sections.md.gotmpl:23
    The InRangeReviews / Per-Commit Reviews in This Range section was removed from both prompt construction and rendering. As a result, range reviews no longer see previously generated per-commit review context, increasing the risk of re-raising already reviewed issues or missing fixes that landed later in the range.
    Suggested fix: Reintroduce InRangeReviews in the consolidated template context and restore the corresponding template section in range prompts.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)


roborev-ci Bot commented Apr 9, 2026

roborev: Combined Review (12a09a8)

Verdict: No medium-or-higher findings; the reviewed changes look clean.

All review outputs were consolidated and deduplicated. No Medium, High, or Critical issues were reported by any agent.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)


roborev-ci Bot commented Apr 9, 2026

roborev: Combined Review (ebdf660)

Verdict: High-severity prompt-context regressions were introduced in range review and address prompt generation.

High

  • Range reviews lost per-commit review context

    • Locations: internal/prompt/prompt.go:816-831, internal/prompt/templates/prompt_sections.md.gotmpl:29-43
    • Problem: The InRangeReviews data-loading/rendering path was removed from range prompts. Range reviews no longer include existing reviews for commits inside the reviewed range, which can cause the reviewer to miss prior findings or re-raise issues that were already reviewed or fixed later in the range.
    • Fix: Restore InRangeReviews in the range prompt context, re-add the corresponding template block, and bring back the regression test covering this behavior.
  • Address prompts no longer distinguish user comments from prior tool attempts

    • Locations: internal/prompt/prompt.go:1124-1148, internal/prompt/templates/prompt_sections.md.gotmpl:135-140, internal/prompt/templates/assembled_address.md.gotmpl:1
    • Problem: BuildAddressPrompt now merges developer comments and prior tool attempts into a single PreviousAttempts section. That changes the meaning of user-authored feedback such as “false positive” or “use a different approach” by framing it as just another attempt instead of explicit guidance the model should follow.
    • Fix: Restore separate fields/sections for tool attempts and user comments, including the dedicated user-comment heading/guidance in the templates.

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

@mariusvniekerk mariusvniekerk marked this pull request as ready for review April 10, 2026 11:03
Base automatically changed from gotmpl to main April 17, 2026 22:35
@wesm wesm force-pushed the gotmpl-user-facing-structs branch from ebdf660 to 9c44399 Compare April 17, 2026 22:50

roborev-ci Bot commented Apr 17, 2026

roborev: Combined Review (9c44399)

Verdict: Changes are directionally good, but there are two medium-severity prompt regressions that should be addressed before merge.

Medium

  • Range reviews lose prior in-range review context
    Location: internal/prompt/prompt.go:836-846, internal/prompt/templates/prompt_sections.md.gotmpl:23-43
    Problem: Range reviews no longer include per-commit reviews already recorded for commits inside the reviewed range. That context previously helped avoid re-raising issues that were already identified and possibly fixed later in the series. Without it, multi-commit reviews are more likely to produce duplicate or stale findings.
    Suggested fix: Restore the in-range review context in the range prompt model/template, or preserve an equivalent section carrying prior per-commit verdicts and findings into range reviews.

  • Address prompt now conflates developer comments with automated attempts
    Location: internal/prompt/prompt.go:1133-1147, internal/prompt/templates/prompt_sections.md.gotmpl:132-139
    Problem: BuildAddressPrompt now flattens user comments and tool-generated attempts into a single Previous Addressing Attempts section. That removes the explicit framing for developer-authored guidance, so false-positive notes or requested implementation direction may be presented as just another failed attempt.
    Suggested fix: Keep user-authored comments separate from automated/tool attempts, or at minimum preserve distinct labeling and instructions for developer comments.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

Fixes Windows CI where CRLF line endings in .gotmpl files caused
string-contains assertions (expecting \n) to fail on prompt output.
Templates are embedded via go:embed, so checkout line endings are
baked into the binary.

roborev-ci Bot commented Apr 17, 2026

roborev: Combined Review (ffec016)

Verdict: Changes are not ready as-is; there are 3 medium-severity prompt regressions to address.

Medium

  • internal/prompt/prompt.go:833-848, internal/prompt/templates/prompt_sections.md.gotmpl:14-43
    Range review prompts no longer include the previously supported per-commit review context for the selected range. That drops the guidance not to re-raise issues already found on individual commits, so range reviews can duplicate stale findings or ignore that an issue was already reviewed earlier in the range.

  • internal/prompt/prompt.go:1135-1147, internal/prompt/templates/prompt_sections.md.gotmpl:135-140
    BuildAddressPrompt now labels every prior storage.Response as a previous addressing attempt, and the dedicated user-comments section was removed. Because callers still pass the full comment stream, actual developer feedback is now misclassified as attempted fixes, and the prior guidance for treating user comments as context, false-positive reports, or constraints is lost.

  • internal/prompt/templates/codex_review.md.gotmpl:1-6
    The Codex review prompt no longer explicitly restricts review agents to the repository checkout (aside from an allowed diff-file exception). This is a defense-in-depth regression: it weakens the prompt-level guard against reading arbitrary local files and potentially exposing local secrets during review.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

Three regressions were introduced by the template consolidation:

- Range review prompts lost the 'Per-Commit Reviews in This Range'
  section, allowing agents to re-raise issues already surfaced on
  individual commits. Restored InRangeReviews population via a
  lookupReviewContexts helper and re-added the in_range_reviews
  template block.
- BuildAddressPrompt lumped all responses into a single
  'Previous Addressing Attempts' section, misclassifying developer
  comments as fix attempts. Restored the SplitResponses call and the
  separate address_tool_attempts / address_user_comments templates.
- The Codex review template dropped the explicit 'Do NOT search or
  read files outside the repository checkout' guardrail. Restored.

roborev-ci Bot commented Apr 18, 2026

roborev: Combined Review (0f8f07f)

Verdict: Changes look mostly solid, but there is one medium-severity regression in range prompt context preservation that should be fixed before merge.

Medium

  • InRangeReviews can be dropped from oversized Codex range prompts, causing prior per-commit review context to be lost and increasing the risk of duplicate findings being re-raised.
    • Locations: internal/prompt/prompt.go:626-640, internal/prompt/prompt.go:901-907, internal/prompt/prompt_body_templates.go:424
    • Details: Multiple review passes identified that the fallback/truncation path does not consistently account for or preserve InRangeReviews. Specifically:
      • the optional-section loss heuristic does not treat dropped InRangeReviews as lost context
      • the truncated-range rebuild path restores PreviousReviews/PreviousAttempts but omits InRangeReviews
      • the optional-section trimming/view reconstruction path also appears to omit InRangeReviews
    • Impact: When a Codex range prompt is oversized and rebuilt, the reviewer can lose exactly the in-range review history intended to suppress already-addressed findings.
    • Suggested fix: Include InRangeReviews in optional-loss accounting and explicitly preserve/restore it in all rebuild/trim/view-construction paths. Add a regression test covering truncated Codex range prompts with stored in-range reviews.

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

wesm added 2 commits April 17, 2026 19:33
…ssions

Golden-file snapshot tests under internal/prompt/testdata/golden cover
seven canonical scenarios (default/codex single review, in-range range
review, dirty review, address prompt with split responses, security
review, design review). A pre-refactor diff against commit c27d4dc
surfaced four more regressions from the template consolidation:

- Address prompt dropped the 4-line 'Previous Addressing Attempts'
  preamble explaining how to learn from prior fix attempts. Restored.
- Address prompt lost the blank line between the severity-filter
  instruction and '## Review Findings'. Restored.
- Templates for previous_reviews, in_range_reviews, and
  previous_review_attempts each emitted a stray '\n' when empty,
  accumulating into 3 extra blank lines before '## Current Commit'.
  Collapsed the trailing {{end}} onto the same line.
- In-range / previous-review entries emitted 2 blank lines between
  successive items instead of 1. Added {{- end}} trim on the range.
- review_comments template likewise emitted a stray '\n' when empty;
  collapsed its trailing {{end}}.

Regenerate goldens with: go test -update-golden ./internal/prompt/
…paths

Adds seven more snapshot scenarios:
- single-review with claude-code agent (agent-specific system prompt)
- single-review with gemini agent (agent-specific system prompt)
- single-review with previous-reviews context (contextCount=2, DB reviews)
- single-review with .roborev.toml review_guidelines
- single-review with additionalContext (PR discussion injection)
- single-review with severity filter (minSeverity=medium)
- single-review with truncated diff (cap=4000, generic commit fallback)

Brings golden coverage of the prompt matrix from ~40% to ~75%.

roborev-ci Bot commented Apr 18, 2026

roborev: Combined Review (94b7491)

Summary verdict: 1 medium-severity issue needs to be addressed before merge.

Medium

  • internal/prompt/prompt.go:558-566, internal/prompt/templates/prompt_sections.md.gotmpl:111-132
    The Codex range fallback builds shell commands from rangeRef and renders them inside Markdown inline-code spans. While renderShellCommand shell-quotes unsafe refs, it does not escape Markdown backticks. Because Git ref names can legally contain backticks, a malicious branch or range name can break out of the code span and inject arbitrary prompt text into the review instructions when the diff is too large to inline. This creates an external-input prompt-injection path that can influence Codex’s review behavior.
    Suggested fix: sanitize rangeRef for Markdown before templating, not just for the shell. The safest options are to reject or replace refs containing backticks/control characters, or switch to a fenced code block with proper escaping instead of inline backticks.

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)
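The inline-code break-out described in this review, as an added Go example that is not part of the PR or of roborev's code. All function names are hypothetical (`stripBreakers` only stands in for the `stripInlineCodeBreakers` helper named later in the thread), the ref name is constructed, and `inlineSpanEnd` is a simplified model of how a single-backtick code span closes. It shows that shell quoting leaves the span open to early termination, and contrasts stripping breakers with a fence sized to the content.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// shellQuote single-quotes s for a POSIX shell. It protects the shell only:
// backticks pass through unchanged, so Markdown is still exposed.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "'\\''") + "'"
}

func isControl(r rune) bool { return r < 0x20 || r == 0x7f }

// stripBreakers drops backticks and ASCII control characters
// (hypothetical stand-in for the sanitizer discussed in the thread).
func stripBreakers(s string) string {
	return strings.Map(func(r rune) rune {
		if r == '`' || isControl(r) {
			return -1
		}
		return r
	}, s)
}

// inlineSpanEnd returns the index of the backtick that closes a code span
// opened by a single backtick at md[0], or -1 if the span never closes.
// A span opened by one backtick is closed by the next run of exactly one.
func inlineSpanEnd(md string) int {
	for i := 1; i < len(md); {
		if md[i] != '`' {
			i++
			continue
		}
		j := i
		for j < len(md) && md[j] == '`' {
			j++
		}
		if j-i == 1 {
			return i
		}
		i = j
	}
	return -1
}

// renderInline strips breakers, then wraps the command in an inline span.
// The span cannot be closed early, but the displayed ref may be altered.
func renderInline(cmd string) string { return "`" + stripBreakers(cmd) + "`" }

// renderFenced keeps cmd byte-for-byte inside a fence that is longer than
// any backtick run in cmd. Control characters are rejected, not rewritten.
func renderFenced(cmd string) (string, error) {
	longest, run := 0, 0
	for _, r := range cmd {
		if isControl(r) {
			return "", errors.New("control character in command")
		}
		if r == '`' {
			run++
			if run > longest {
				longest = run
			}
		} else {
			run = 0
		}
	}
	n := 3
	if longest+1 > n {
		n = longest + 1
	}
	fence := strings.Repeat("`", n)
	return fence + "\n" + cmd + "\n" + fence, nil
}

func main() {
	ref := "topic`INJECTED`tail" // constructed ref name containing backticks
	cmd := "git diff " + shellQuote(ref)
	naive := "`" + cmd + "`"
	fmt.Println("naive span closes early:", inlineSpanEnd(naive) != len(naive)-1)
	fmt.Println("stripped inline:", renderInline(cmd))
	fenced, err := renderFenced(cmd)
	fmt.Println(fenced, err)
}
```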

Closes the remaining coverage gap:
- single review truncated diff with codex agent (codex-specific fallback
  with git show / git diff commands)
- range review truncated diff (generic range fallback)
- dirty review truncated diff (partial snippet + truncated marker)
- address prompt without a severity filter (baseline rendering)

Golden coverage of the prompt matrix is now at roughly 100% of the
documented paths (18 scenarios total).

roborev-ci Bot commented Apr 18, 2026

roborev: Combined Review (606bf5d)

Verdict: 3 medium-severity issues need attention before merge.

Medium

  • internal/prompt/prompt.go:558-565, internal/prompt/templates/prompt_sections.md.gotmpl:111-133
    The oversized-range Codex fallback interpolates rangeRef directly into commands rendered inside Markdown inline code spans. Git refs can legally contain backticks, so a malicious branch/tag name can break out of the code span and inject arbitrary instructions into the generated review prompt. Resolve the range to commit SHAs before rendering, or reject/escape Markdown-significant characters; fenced code blocks are safer than inline backticks here.

  • internal/prompt/prompt.go (buildRangePrompt, where ctx.optional is reconstructed)
    InRangeReviews is omitted when rebuilding ctx.optional from selectedCtx.Review.Optional. That drops in-range reviews from the final prompt on truncated Codex diff paths. Include InRangeReviews in the struct literal, or assign ctx.optional = selectedCtx.Review.Optional directly.

  • internal/prompt/prompt.go (measureOptionalSectionsLoss)
    Loss scoring does not account for InRangeReviews, so variants that drop those reviews can be ranked the same as variants that retain them. Add a loss check for InRangeReviews so fallback selection preserves that context appropriately.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

@wesm wesm changed the title from "refactor(prompt): consolidate template context model" to "refactor(prompt): consolidate template context and add golden snapshot tests" Apr 18, 2026

roborev-ci Bot commented Apr 18, 2026

roborev: Combined Review (eb664ad)

Verdict: Changes are mostly sound, but there is 1 high-severity regression and 1 medium-severity prompt-selection issue that should be fixed before merge.

High

  • internal/prompt/prompt.go:898-903
    In the Codex fallback path in buildRangePrompt, ctx.optional is rebuilt without InRangeReviews. When a range diff is truncated, this drops all in-range reviews from the generated prompt, changing review content silently.
    Fix: Include InRangeReviews: selectedCtx.Review.Optional.InRangeReviews in the optionalSectionsView literal.

Medium

  • internal/prompt/prompt.go:582
    measureOptionalSectionsLoss does not account for InRangeReviews. That makes the loss score incomplete, so selectRichestRangePromptView can choose a fallback variant that discards in-range reviews without being penalized for it.
    Fix: Add a loss check for InRangeReviews, e.g. increment loss when the original has them and the trimmed version does not.

Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

wesm and others added 3 commits April 18, 2026 07:16
Two places reconstructed ReviewOptionalContext field-by-field and
silently dropped the newly-restored InRangeReviews slice:

- buildRangePrompt rebuilt ctx.optional from the selected codex
  variant with a struct literal that omitted InRangeReviews. Replaced
  with ctx.optional = selectedCtx.Review.Optional.Clone() so any
  future field is carried through automatically.
- trimOptionalSections repopulated the view after TrimNext but left
  InRangeReviews stale, defeating a TrimNext call that cleared it.
  Replaced the field-by-field copy with *view = ctx.

Also adds InRangeReviews to measureOptionalSectionsLoss so fallback
variants that drop per-commit reviews are scored correctly. Removes
two now-unused conversion helpers.
…d regression tests

- renderShellCommand re-applies stripInlineCodeBreakers so backticks and
  control characters in git refs cannot escape the enclosing Markdown
  inline code span. The sanitizer pre-dated this branch (pr #558) but
  was dropped when renderShellCommand was refactored.

- review_comments template ends with an extra trailing blank line and
  drops its own leading blank, so comment-bearing entries in
  previous_reviews / in_range_reviews / previous_review_attempts keep
  a blank line separator before the next entry. Before this fix, the
  {{- end}} trim ate the only separator after the comment block and
  the following '--- Review ... ---' header butted against the last
  comment line.

Regression tests added:
- TestTrimOptionalSectionsPropagatesInRangeReviewsClear: locks in
  that trimOptionalSections (*view = ctx) propagates the cleared
  InRangeReviews slice back to the caller, which the field-by-field
  rebuild did not.
- TestMeasureOptionalSectionsLossCountsInRangeReviews: ensures the
  fallback selector treats dropped InRangeReviews as a loss.
- TestReviewOptionalContextTrimNextPreservesPriority: extended to
  cover the InRangeReviews priority slot.
- TestRenderShellCommandStripsInlineCodeBreakers: table-driven test
  that backticks and control bytes never survive rendering.
- TestGoldenPrompt_PreviousReviewsWithComments: golden-file snapshot
  proving the comment separator fix.
- TestGoldenPrompt_RangeTruncatedCodexPreservesInRangeReviews:
  golden-file snapshot for the truncated-codex-range path proving
  InRangeReviews survive and the codex fallback is selected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Golden snapshot tests compare prompt output byte-for-byte. Without this
rule, *.golden files are checked out as CRLF on Windows with core.autocrlf
while the renderer always emits LF, so the tests would fail even when
prompt rendering is correct.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

roborev-ci Bot commented Apr 18, 2026

roborev: Combined Review (5a893df)

Summary: No medium-or-higher issues found across the reviewed outputs.

All reviewers that produced substantive results agreed the changes look clean at Medium, High, and Critical severity.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)


roborev-ci Bot commented Apr 18, 2026

roborev: Combined Review (1f2b6a8)

Verdict: Changes are mostly solid, but there are 2 medium-severity issues that should be addressed before merge.

Medium

  1. Fallback diff commands can review the wrong file set
    Location: internal/prompt/prompt.go around the Codex fallback command construction in buildSinglePrompt and buildRangePrompt
    The oversized-diff fallback commands are built from git.FormatExcludeArgs(excludes), which only includes caller-provided excludes. The normal diff path still applies roborev’s built-in exclusions, so the fallback commands can produce a different diff from the one roborev actually intended to review, including lockfiles or generated files that would normally be filtered out.
    Fix: Build fallback pathspecs from the full effective exclude set used by GetDiffLimited / GetRangeDiffLimited, including built-in defaults.

  2. Rendered fallback commands can be altered by markdown sanitization
    Location: internal/prompt/prompt.go:500-538
    The Codex fallback command rendering applies stripInlineCodeBreakers() after shell quoting. That prevents markdown break-out, but it also mutates the displayed ref/path text. In oversized-diff review flows, attacker-controlled git refs or paths could be changed into different or invalid values, causing the reviewer to inspect the wrong diff or fail to inspect the intended one.
    Fix: Do not mutate command arguments after quoting. Render commands in fenced code blocks or another markdown-safe format that preserves the exact quoted bytes.


Synthesized from 3 reviews (agents: codex, gemini | types: default, security)

Collaborator

wesm commented Apr 19, 2026

"Not acting on either: (1) conflicts with deliberate design in PR #558 that keeps fallback commands within prompt budgets (assertion in prompt_test.go:1295); (2) reverses the backtick-sanitization protection restored in 5a893df for an earlier security review on this branch."

@wesm wesm merged commit 60a4c77 into main Apr 19, 2026
8 checks passed
@wesm wesm deleted the gotmpl-user-facing-structs branch April 19, 2026 00:29
2 participants