refactor(proxy): consolidate adaptive-upgrade emissions; fix TMPDIR-dependent policy hash#644
Merged
Merged
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (7)
✅ Files skipped from review due to trivial changes (2)
🚧 Files skipped from review as they are similar to previous changes (3)
📝 WalkthroughWalkthroughThis PR consolidates adaptive-enforcement telemetry recording by introducing a ChangesCanonical Policy Hash Environment Independence
Adaptive Upgrade Telemetry Consolidation
Minor Test Improvements and Error Handling
Estimated Code Review Effort🎯 4 (Complex) | ⏱️ ~60 minutes Possibly Related PRs
Suggested Labels
Suggested Reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
internal/config/canonical_golden_test.go (1)
208-208:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winDon’t bump
goldenHashRichConfig;QuarantineDiris excluded from the canonical policy hash view
MCPToolPolicy.QuarantineDirdefaults to anos.TempDir()-derived path, butinternal/config/canonical.goexplicitly removes it from the canonical hashing view (view.MCPToolPolicy.QuarantineDir = ""). Therefore omittingmcp_tool_policy.quarantine_dirin the rich YAML fixtures shouldn’t changeTestCanonicalPolicyHash_GoldenRichConfig—the PR rationale should be updated to reflect the exclusion (not “fixture pins its own quarantine_dir”).🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@internal/config/canonical_golden_test.go` at line 208, The golden hash was incorrectly updated—do not change goldenHashRichConfig; MCPToolPolicy.QuarantineDir is explicitly excluded from the canonical hashing view (see internal/config/canonical.go where view.MCPToolPolicy.QuarantineDir = ""), so omitting mcp_tool_policy.quarantine_dir in rich YAML should not alter TestCanonicalPolicyHash_GoldenRichConfig; revert the bump to goldenHashRichConfig, restore the original expected hash, and update the PR description to state that QuarantineDir is excluded from the canonical policy hash rather than claiming the fixture pins its own quarantine_dir.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@internal/config/canonical_golden_test.go`:
- Line 208: The golden hash was incorrectly updated—do not change
goldenHashRichConfig; MCPToolPolicy.QuarantineDir is explicitly excluded from
the canonical hashing view (see internal/config/canonical.go where
view.MCPToolPolicy.QuarantineDir = ""), so omitting
mcp_tool_policy.quarantine_dir in rich YAML should not alter
TestCanonicalPolicyHash_GoldenRichConfig; revert the bump to
goldenHashRichConfig, restore the original expected hash, and update the PR
description to state that QuarantineDir is excluded from the canonical policy
hash rather than claiming the fixture pins its own quarantine_dir.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 4c999d16-9ae4-40f2-909d-3245b33c0a06
📒 Files selected for processing (12)
internal/cli/contain/install_review_fixes_test.gointernal/config/canonical.gointernal/config/canonical_golden_test.gointernal/config/canonical_test.gointernal/envelope/signer_test.gointernal/proxy/adaptive_upgrade.gointernal/proxy/adaptive_upgrade_test.gointernal/proxy/forward.gointernal/proxy/intercept.gointernal/proxy/proxy.gointernal/proxy/websocket.gointernal/sentry/scrub_test.go
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
…PDIR-dependent policy hash Adaptive-enforcement upgrades emitted an audit log line (LogAdaptiveUpgrade) immediately followed by a Prometheus counter (RecordAdaptiveUpgrade) at 28 sites across the fetch, forward, CONNECT, WebSocket, and TLS-intercept paths. Each site recomputed the escalation label and repeated the from/to actions for both calls, so the log and metric could drift apart in a future edit. Route all 28 sites through one recordAdaptiveUpgrade helper fed by a single adaptiveUpgrade value, making log/metric consistency structural. The metrics handle is nil-safe so the TLS-intercept optional-proxy path keeps its behavior. Adds a parity test for the wiring and the nil-metrics case. No behavioral change to deny paths. Also exclude mcp_tool_policy.quarantine_dir from the canonical policy hash. Its default is derived from os.TempDir(), so it made the hash depend on the ambient TMPDIR: identical policy produced different hashes across environments, which violates the admission-grade contract and made the golden-defaults hash test fail anywhere TMPDIR != /tmp. The quarantine path is operational, not policy. Golden defaults hash bumped accordingly; the rich-config golden is unchanged because that fixture pins its own quarantine_dir. Plus three lint-hygiene fixes from the tech-debt sweep: extract repeated test literals to consts (drops two nolint:goconst), use errors.Is for a sentinel comparison (drops nolint:errorlint), rename a snake_case test helper (drops nolint:revive).
Add tests driving the three WebSocket relay warn->block adaptive-upgrade branches (client-text DLP, address-protection, and request-body findings) with an escalated session in audit mode, where escalation flips the warn action to block. Raises codecov/patch on the adaptive-upgrade helper consolidation from 70% to ~94%, over the 75% target. The remaining uncovered recordAdaptiveUpgrade sites are secondary session_deny recheck branches reached only after an earlier identical block_all check returns first; covering them in isolation is not feasible without disabling the prior check.
luckyPipewrench
force-pushed
the
refactor/proxy-deny-consolidation
branch
from
f86b9c4 to
02c7228
Compare
BlueAceFrost
approved these changes
May 31, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-on to the
sessionKeyForextraction (#643), completing the proxy deny-path consolidation from the tech-debt sweep.Adaptive-upgrade helper
Every adaptive-enforcement upgrade emitted an audit log line (
LogAdaptiveUpgrade) immediately followed by a Prometheus counter (RecordAdaptiveUpgrade), duplicated across 28 call sites in the fetch, forward, CONNECT, WebSocket, and TLS-intercept paths. Each site recomputed the escalation label and repeated the from/to actions for both calls, so the audit trail and the metric could silently drift apart in a future edit. All 28 sites now route through onerecordAdaptiveUpgradehelper fed by a singleadaptiveUpgradevalue, making log/metric consistency structural. The metrics handle is nil-safe so the TLS-intercept optional-proxy path keeps its exact prior behavior. A parity test covers the wiring and the nil-metrics case. No behavioral change to the deny paths: same emissions, same order, same arguments.Canonical policy hash TMPDIR fix
The default
mcp_tool_policy.quarantine_diris derived fromos.TempDir(), and it was flowing into the canonical policy hash. That made the hash depend on the ambientTMPDIR, so identical policy produced a different hash across environments. The operational quarantine path is now excluded from the policy view (alongside the other operational paths already excluded there), restoring the admission-grade property that identical policy yields an identical hash. The defaults golden hash is bumped accordingly; the rich-config golden is unchanged because that fixture pins its ownquarantine_dir. A regression test asserts the hash is invariant across two differentTMPDIRvalues, plus a noise-field table entry.Lint hygiene
Three suppressions from the tech-debt sweep removed with real fixes: extract repeated test literals to consts (two
nolint:goconst), useerrors.Isfor a sentinel comparison (nolint:errorlint), rename a snake_case test helper (nolint:revive).Summary by CodeRabbit
Bug Fixes
Chores