Skip to content

Audit remediation and production hardening#8

Merged
fraware merged 19 commits into
mainfrom
remediation/audit-hardening
Jul 16, 2026
Merged

Audit remediation and production hardening#8
fraware merged 19 commits into
mainfrom
remediation/audit-hardening

Conversation

@fraware

@fraware fraware commented Jul 16, 2026

Copy link
Copy Markdown
Member

Summary

  • Split audit remediation into layered hardening: shared types, queued analysis, durable spec store, AuthZ/rate limits, honest coverage digests, and safer Lean generation.
  • Consolidate the web dashboard, refresh the VS Code extension for .specsync, and expand Probot/fixture test coverage without live LLM dependence.
  • Strengthen CI (CodeQL, Lean/Node workflows, Dependabot) and document findings plus deploy/env updates.

Test plan

  • npm test (or CI Node workflow) passes on the branch
  • Lean CI / lake build for specs/ succeeds
  • Spot-check PR webhook path: analysis queues off-request and review comments use correct diff sides
  • Verify accept/ignore/edit persists via spec store and dashboard reflects digests
  • Confirm slash/command AuthZ + rate limits reject unauthorized or bursty actors

fraware added 19 commits July 16, 2026 09:45
Centralize suggestion and analysis shapes so modules agree on
confidence scaling and review comment metadata.
Give the app consistent observability hooks for analysis latency,
errors, and operational counters without scattering ad-hoc logs.
Map hunk lines to LEFT/RIGHT positions reliably so GitHub review
comments land on the correct side of the PR diff.
Throttle slash-command style actions per actor so abuse cannot
flood analysis or GitHub API calls.
Process work asynchronously with budgets and pagination so webhook
handlers return quickly and heavy analysis stays bounded.
Persist developer decisions so accepted specs and ignored findings
survive across PR updates instead of living only in memory.
Normalize confidence to a 0-1 scale, gate mock usage by policy,
and replace brittle live integration coverage with focused unit tests.
Improve symbol and language filtering so downstream analysis only
sees extractable, relevant code regions.
Emit safer Lean skeletons and sample closed proofs so generated
specs are checkable rather than placeholder-only stubs.
Track spec content identity so coverage reflects real accepted
contracts rather than stale or duplicate file names.
Wire analysis to persisted decisions and bounded work so results
stay consistent across PR pushes and re-runs.
Validate actors before mutating PR state and align review comments
with corrected diff sides and shared types.
Fold overlapping dashboard surfaces into one HTTP dashboard and
drop unused vscode/dashboard feedback shims from the app package.
Hook webhooks and CI into the analysis queue, store, and metrics so
push-time drift and PR events share one hardened path.
Update secondary surfaces to the shared types and logging so local
demos and alerts do not drift from production behavior.
Stabilize test setup and fixtures so webhook and policy regressions
are caught without relying on live LLM calls.
Read accepted specs from the workspace store layout, tighten the
proof runner, and ship the activity-bar icon and lockfile.
Add security scanning and tighten Node/Lean workflows so regressions
and dependency drift surface before merge.
Capture the repo audit findings, update env/app examples, and align
README with the hardened analysis and store workflows.
@cursor

cursor Bot commented Jul 16, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@fraware
fraware merged commit cecc644 into main Jul 16, 2026
4 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant