
fix(github-app): avoid leaking cached contributor counts #414

Merged: JSONbored merged 1 commit into main from codex/propose-fix-for-pr-panel-vulnerability on Jun 5, 2026

Conversation

@JSONbored (Owner)

Motivation

  • A recent default to oss_maintainer + detected_contributors_only widened public outputs and allowed login-only cached D1 queries to surface aggregated PR/issue counts for non-confirmed contributors, causing potential information disclosure.
  • The public PR panel and AI signal bundle should not reveal cached private/installation-scoped contributor activity unless the contributor is confirmed by the official Gittensor API.

Description

  • Require confirmed official detection before treating detected_contributors_only as publishable by changing shouldPublishPrComment to accept a minerStatus parameter and only return true for that mode when minerStatus === "confirmed" (src/signals/settings-preview.ts).
  • Prevent the live webhook path from loading login-only contributor caches for public comments by skipping listContributorPullRequests, listContributorIssues, and listContributorRepoStats except when the official snapshot confirms the contributor, and use contributorRepoStatsFromGittensor for authoritative repo stats (src/queue/processors.ts).
  • Redact contributor context and prior counts in public deterministic comments and the AI signal bundle unless the detection source is official_gittensor_api, and label the panel as Public profile only when unconfirmed (src/signals/engine.ts).
  • Update unit expectations to reflect the new gating and redaction behavior (test/unit/settings-preview.test.ts, test/unit/signals-coverage.test.ts).

Testing

  • Type checking was run with npm run typecheck and completed without errors.
  • Unit tests were run with npm run test:unit (and targeted vitest runs) and all unit tests passed.
  • Focused vitest runs for test/unit/settings-preview.test.ts, test/unit/signals.test.ts, test/unit/signals-coverage.test.ts, test/unit/signals-v2.test.ts, and test/unit/queue.test.ts were executed and passed.

Codex Task
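As an added example, not code from the gittensory project or from this PR, the following TypeScript models the gating and redaction the description above lays out: the mode is publishable only on confirmed detection, the login-only caches are never consulted for an unconfirmed login, and prior counts reach public output only when detection is official. The function name shouldPublishPrComment, the mode names, the minerStatus value "confirmed", the detection source official_gittensor_api and the "Public profile only" label come from the PR text; every type, field, the ContributorCache class, the pre-fix legacyBuildPublicPanel variant and the "Confirmed contributor" label are assumptions made for illustration.

```typescript
// Added example, not the gittensory project's code. Types, field names,
// ContributorCache, legacyBuildPublicPanel and the "Confirmed contributor"
// label are assumptions; only the identifiers named in the PR are from it.

type PublishMode = "oss_maintainer" | "detected_contributors_only";
type MinerStatus = "confirmed" | "unconfirmed" | "unknown"; // assumed union
type DetectionSource = "official_gittensor_api" | "login_only_cache"; // second value assumed

// What the official Gittensor API snapshot reports for a login (assumed shape).
interface OfficialSnapshot {
  login: string;
  minerStatus: MinerStatus;
  repoStats?: { mergedPrs: number; closedIssues: number }; // authoritative stats
}

// Login-keyed cache of aggregated PR/issue counts (assumed shape). It counts
// reads so a test can prove the public path never touched it for an
// unconfirmed login.
class ContributorCache {
  reads = 0;
  constructor(private readonly rows: Record<string, { prs: number; issues: number }>) {}
  listContributorPullRequests(login: string): number {
    this.reads++;
    return this.rows[login]?.prs ?? 0;
  }
  listContributorIssues(login: string): number {
    this.reads++;
    return this.rows[login]?.issues ?? 0;
  }
}

// The settings-preview gate as the PR describes it: detected_contributors_only
// is publishable only when the official API confirms the contributor.
function shouldPublishPrComment(mode: PublishMode, minerStatus: MinerStatus): boolean {
  if (mode === "oss_maintainer") return true;
  return minerStatus === "confirmed";
}

interface PublicPanel {
  login: string;
  label: string;
  priorPrCount?: number;
  priorIssueCount?: number;
  detectionSource?: DetectionSource;
}

// Pre-fix behaviour, reconstructed from the PR motivation (not the real old
// code): the login-only cache was read for any login and the counts published.
function legacyBuildPublicPanel(snapshot: OfficialSnapshot, cache: ContributorCache): PublicPanel {
  return {
    login: snapshot.login,
    label: "Contributor",
    priorPrCount: cache.listContributorPullRequests(snapshot.login),
    priorIssueCount: cache.listContributorIssues(snapshot.login),
  };
}

// Post-fix webhook path: only a confirmed snapshot may consult the login-only
// caches, and only official detection may surface prior counts in public output.
function buildPublicPanel(
  mode: PublishMode,
  snapshot: OfficialSnapshot,
  cache: ContributorCache,
): PublicPanel | null {
  if (!shouldPublishPrComment(mode, snapshot.minerStatus)) return null;

  if (snapshot.minerStatus !== "confirmed") {
    // Unconfirmed: publish nothing beyond the public profile and load no caches.
    return { login: snapshot.login, label: "Public profile only" };
  }

  // Confirmed: authoritative repo stats come from the official snapshot; the
  // cache is only a fallback, and only because detection is official here.
  return {
    login: snapshot.login,
    label: "Confirmed contributor", // assumed label text
    detectionSource: "official_gittensor_api",
    priorPrCount: snapshot.repoStats?.mergedPrs ?? cache.listContributorPullRequests(snapshot.login),
    priorIssueCount: snapshot.repoStats?.closedIssues ?? cache.listContributorIssues(snapshot.login),
  };
}
```

The read counter on the cache is the check worth keeping in a regression test: for an unconfirmed login the hardened path must return a panel with no counts and leave the counter at zero, which is exactly the property the legacy variant violates.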

dosubot (bot) added the label size:S (This PR changes 10-29 lines, ignoring generated files.) on Jun 5, 2026

cloudflare-workers-and-pages Bot commented Jun 5, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ✅ Deployment successful! (View logs)
Name: gittensory-ui
Latest Commit: 7eacf3e
Preview URL: Commit Preview URL / Branch Preview URL
Updated (UTC): Jun 05 2026, 11:13 PM

github-actions (bot) added the label bug (Something isn't working) on Jun 5, 2026
JSONbored self-assigned this on Jun 5, 2026
JSONbored force-pushed the codex/propose-fix-for-pr-panel-vulnerability branch from 5dc6e9d to 6543859 on June 5, 2026 23:05

gittensory Bot commented Jun 5, 2026

Note

Gittensory Gate skipped

PR closed before full evaluation. No late first comment was created.

Signal: Gate result
Result: ⚠️ Skipped
Evidence: #414 is no longer open.
Action: No action.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

gittensory (bot) added the label gittensory:reviewed (Gittensor contributor context) on Jun 5, 2026
JSONbored force-pushed the codex/propose-fix-for-pr-panel-vulnerability branch from 6543859 to 7eacf3e on June 5, 2026 23:10
github-actions (bot) added the label gittensor:bug (Gittensor-scored bug fix) on Jun 5, 2026
JSONbored merged commit 02cc41d into main on Jun 5, 2026
8 of 9 checks passed
JSONbored deleted the codex/propose-fix-for-pr-panel-vulnerability branch on June 5, 2026 23:11
github-project-automation (bot) moved this from Todo to Done in gittensory - v1 roadmap on Jun 5, 2026

Labels

aardvark; bug (Something isn't working); codex; gittensor:bug (Gittensor-scored bug fix); gittensory:reviewed (Gittensor contributor context); size:S (This PR changes 10-29 lines, ignoring generated files.)

Projects

Status: Done
