ci: harden OSS leak checks by jonathanhaaswriter · Pull Request #628 · writer/cerebro

jonathanhaaswriter · 2026-05-22T04:36:56Z

Summary\n- expand OSS leak deny patterns and add inline allow handling\n- syntheticize public fixtures away from Writer-specific domains, tenants, and runtime IDs\n- add arch coverage for required leak-pattern categories\n\n## Validation\n- go test ./...\n- make lint check-structural check-structural-test check-arch oss-audit\n- ./scripts/leak_check.sh staged\n- ./scripts/leak_check.sh range origin/main...HEAD\n- actionlint .github/workflows/release.yml\n- git diff --cached --check

factory-droid · 2026-05-22T04:37:07Z

Droid finished @jonathanhaaswriter's task —— View job

I validated all three candidates against the diff and surrounding code, and each one points to a real regression introduced by this PR. The leak-check changes weaken coverage in two places, and the Jira fixture rewrite breaks both SDK Jira test suites by expecting the wrong tenant segment in generated URNs.

factory-droid · 2026-05-22T04:58:45Z

Droid finished @jonathanhaaswriter's task —— View job

I validated the empty candidate set against the full PR diff and the previously risky leak-check and Jira fixture areas, and I did not find any remaining high-confidence, line-anchored issues to post. The diff now looks like coordinated fixture sanitization with matching test updates.

factory-droid · 2026-05-22T05:21:21Z

Droid finished @jonathanhaaswriter's task —— View job

I validated both candidates against the full diff and surrounding behavior. One candidate is a real security regression introduced by this PR, while the dotted-ref issue is pre-existing behavior on an unchanged line and should not be posted as a PR comment.

factory-droid · 2026-05-22T05:51:42Z

Droid finished @jonathanhaaswriter's task —— View job

I validated both candidates against the full diff and surrounding code. Both are real, non-duplicate issues: the new inline-allow escape hatch still fails the repo's own local pre-commit flow, and the GitHub fixture now mixes example discovery URNs with writer read-event tenancy/org metadata.

factory-droid · 2026-05-22T13:50:13Z

Droid finished @jonathanhaaswriter's task —— View job

I validated both candidates against the full diff and surrounding code. Both are real, non-duplicate regressions: the public leak-pattern file now republishes Writer-specific literals that the scanners skip, and the VulnView token-url test no longer exercises the token URL validation path.

factory-droid · 2026-05-22T14:15:09Z

Droid finished @jonathanhaaswriter's task —— View job

Validated 1 review candidate for PR #628.

Approved 1 comment for posting.

The leak-check hardening is mostly sound, but the new shared git-diff helpers still include repository-root .pem/.crt files because the recursive exclude pathspecs only match nested paths. That can trigger false-positive leak-check failures in staged, range, and push scans whenever a root cert/key file is part of the diff.

factory-droid · 2026-05-22T14:46:49Z

Droid finished @jonathanhaaswriter's task —— View job

I validated both GCP fixture candidates against the full diff and surrounding source behavior. Both point to real, non-duplicate regressions: the service-account discovery and IAM role-assignment fixtures no longer match the live GCP source after this PR's sanitization updates.

Co-authored-by: Repo Agent <agent@writer.com>

factory-droid · 2026-05-22T16:30:58Z

Droid finished @jonathanhaaswriter's task —— View job

Validated 1 review candidate for PR #628.

Approved 1 comment for posting.

I validated the candidate against the full PR diff and surrounding code. The fixture sanitization is mostly consistent, but this test still asserts against the old writer tenant and no longer guards the Okta ephemeral-resource suppression path the PR is changing.

Co-authored-by: Repo Agent <agent@writer.com>

factory-droid · 2026-05-22T16:46:44Z

Droid finished @jonathanhaaswriter's task —— View job

Phase 2 Validation Complete

Validated 1 candidate comment for PR #628 and approved 0 for posting.

The candidate identified a real inline-allow CI bypass concern, but it duplicates an existing posted security finding, so no additional batched review comments were submitted.

Artifact written to /home/runner/work/_temp/droid-prompts/review_validated.json.

jonathanhaaswriter · 2026-05-30T01:06:21Z

Replaced by #715, which reapplies the mergeable leak-check hardening on top of current main without the stale fixture rewrites from this disconnected-history branch. #715 is merged.