Skip to content

fix: preflight unavailable security providers#190

Merged
saagpatel merged 1 commit into
mainfrom
codex/security-eligibility-preflight
Jul 17, 2026
Merged

fix: preflight unavailable security providers#190
saagpatel merged 1 commit into
mainfrom
codex/security-eligibility-preflight

Conversation

@saagpatel

Copy link
Copy Markdown
Owner

What

Add an incremental GitHub account/repository eligibility preflight to the bounded security-coverage collector. Private user-owned repositories on Free/Pro are marked feature_unavailable for code and secret scanning from embedded provenance, and their known-doomed provider calls are skipped.

Why

The current collector repeats twelve endpoints that cannot succeed for the six private default-attention repositories, while secret scanning appears as generic not_found. The receipt should explain the plan/visibility boundary without spending calls or implying clean coverage.

Review Of What Was Built

  • Preflight runs only when prior receipt evidence identifies unavailable candidates.
  • Account plan and all candidate visibilities are fetched in two serial requests.
  • Eligibility evidence is embedded and validated before a provider may claim feature_unavailable.
  • Malformed, forbidden, quota-limited, and rate-limited preflight paths remain UNKNOWN and bounded.
  • The current 16-repository cohort drops from 48 to 38 total requests.

Cleanup Review

No repository visibility, GitHub security settings, scheduler configuration, or canonical output was changed. The live candidate remains temporary pending merge.

Verification Summary

  • uv run --extra dev ruff check .
  • uv run --extra dev mypy src/github_security_coverage.py --ignore-missing-imports
  • 146 focused security and PortfolioTruth tests passed.
  • Canonical full suite: 2,928 passed, 2 skipped.
  • Live non-promoted receipt validated fresh at 38/38 requests with six provenance-backed feature_unavailable code-scanning states and six matching secret-scanning states.

Shipped Summary

The branch has a fail-closed, incremental eligibility path that reduces requests without converting unavailable coverage into zero risk.

Next Phase

After merge, pin the canonical runtime to the merge commit, perform one bounded conditional collection, regenerate and independently validate PortfolioTruth, then update the scheduler pin only after those checks pass.

Remaining Roadmap

Track accepted-risk dispositions separately so dismissed alerts remain visible without being counted as open findings.

@saagpatel
saagpatel merged commit fd5d434 into main Jul 17, 2026
4 checks passed
@saagpatel
saagpatel deleted the codex/security-eligibility-preflight branch July 17, 2026 05:43

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f2a601afec

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +513 to +514
repository = _mapping(data.get(f"repo{index}"))
full_name = _canonical_repo(repository.get("nameWithOwner"))

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Fall back when preflight repo evidence is missing

When a prior unavailable candidate has since been renamed/deleted or the token loses visibility and the GraphQL alias is returned as null or without nameWithOwner, _mapping turns it into {} and _canonical_repo(None) raises out of collect_security_coverage. That bypasses the intended malformed-preflight fallback and can leave no fresh receipt at all, instead of recording the preflight as malformed and continuing with bounded provider calls.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant