Skip to content

test(fuzz): Atheris + Hypothesis fuzzing for untrusted-input surfaces#512

Open
seonghobae wants to merge 8 commits into
mainfrom
feat/add-fuzzing
Open

test(fuzz): Atheris + Hypothesis fuzzing for untrusted-input surfaces#512
seonghobae wants to merge 8 commits into
mainfrom
feat/add-fuzzing

Conversation

@seonghobae

Copy link
Copy Markdown
Collaborator

What

Adds fuzzing for the service's untrusted-input surfaces: DB-introspection snapshots, DSNs, and driver error messages. Two complementary layers, permissive-licensed only:

  • Atheris (Apache-2.0) coverage-guided harnesses in backend/fuzz/
  • Hypothesis (MPL-2.0) property tests in backend/tests/test_fuzz_properties.py

Surfaces were located with CodeGraph (codegraph init + codegraph explore "DSN redaction parse sanitize identifier untrusted input", "snapshot_json_to_sql DDL export dialect mapping", "generate_reversing_spec index_design naming_lint snapshot", "validate_postgres_dsn_target dsn guard SSRF host port parse").

Targets

Harness Target Invariant
fuzz_dsn_redaction.py dsn_redaction.redact_dsn_error_message no crash; DSN password never leaks verbatim into the redacted message
fuzz_dsn_guard.py pg_introspect.dsn_guard parse helpers only DsnTargetError raised; IP-literal parsing total
fuzz_ddl_export.py ddl.export.snapshot_json_to_sql total (bad dialect → ValueError only); deterministic
fuzz_spec_generators.py spec.reversing / index_design / naming_lint / wide_tables total; deterministic; report summary counts self-consistent

backend/fuzz/_snapshot.py turns fuzzer bytes into snapshot-shaped dicts; each corpus dir seeds the loop.

Bugs the harnesses found (fixed + regression-covered here)

  1. Unbounded recursion / DoSddl.export._postgres_type_to_snowflake recursed forever on a column whose domain_base_type is a string (it re-mapped data_type but never cleared domain_base_type). This triggers on real domain-typed columns during Snowflake export. Fixed by clearing domain_base_type in the recursive call so the domain→base remap terminates.
  2. Crash on malformed snapshotddl.export, spec.naming_lint, and spec.wide_tables raised AttributeError/TypeError when a top-level snapshot key (relations/columns/…) was a non-list value. Now they use the isinstance-guarded _rows() contract already used by spec.reversing / spec.index_design.

CI

.github/workflows/fuzz.yml runs each harness for a short bounded budget (60s per target on PRs, 300s on the optional nightly) plus the Hypothesis suite — cheap by design. Permissive deps only, no runtime secrets, pinned action SHAs. The Hypothesis tests are importorskip-guarded, so the existing pinned pytest job stays green (Hypothesis isn't in the runtime lock).

Verification

  • 80k+ iterations of a local random-input driver across the four surfaces: no crashes, all invariants held (after the two fixes above).
  • pytest tests/test_fuzz_properties.py — 8 property tests pass (~38s).
  • Existing tests for the touched modules (test_ddl_export, test_naming_lint, test_wide_tables, test_reversing_spec, test_index_design) — 20 pass.
  • mypy clean on the changed app modules.

Paper

docs/papers/fuzzing-art-science-engineering-survey.pdf — Manès et al., The Art, Science, and Engineering of Fuzzing: A Survey (arXiv:1812.00140, open access), covering the coverage-guided model (AFL/libFuzzer) that Atheris implements.

🤖 Generated with Claude Code

https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P

Comment thread .github/workflows/fuzz.yml Fixed
Comment thread .github/workflows/fuzz.yml Fixed
Comment thread .github/workflows/fuzz.yml Fixed
Comment thread .github/workflows/fuzz.yml Fixed
Comment thread .github/workflows/fuzz.yml Fixed
Comment thread .github/workflows/fuzz.yml Fixed
@opencode-agent

opencode-agent Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

OpenCode Review Overview

  • Head SHA: 773faf9d072efcdbc21a8063460b7670952da94b
  • Workflow run: 29173405733
  • Workflow attempt: 1
  • Gate result: APPROVE (approval step)

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/ddl/export.py, backend/app/dsn_redaction.py, backend/app/spec/naming_lint.py, backend/app/spec/wide_tables.py, backend/fuzz/README.md, and 8 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/ddl/export.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: No blocking issues found in current-head evidence
  • Head SHA: 773faf9d072efcdbc21a8063460b7670952da94b
  • Workflow run: 29173405733
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Backend (33 files)"]
  S1 --> I1["API and service runtime"]
  I1 --> R1["Review risk: Backend (33 files)"]
  R1 --> V1["backend tests"]
  Evidence --> S2["Docs: README.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: README.md"]
  R2 --> V2["docs review"]
Loading

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/ddl/export.py, backend/app/dsn_redaction.py, backend/app/spec/naming_lint.py, backend/app/spec/wide_tables.py, backend/fuzz/README.md, and 8 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/ddl/export.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: Fuzzing implementation complete with passing tests
  • Head SHA: fb1055686f197e02b3149d0039596c8695efde9c
  • Workflow run: 29131505180
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Backend (33 files)"]
  S1 --> I1["API and service runtime"]
  I1 --> R1["Review risk: Backend (33 files)"]
  R1 --> V1["backend tests"]
  Evidence --> S2["Docs: README.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: README.md"]
  R2 --> V2["docs review"]
Loading

@seonghobae seonghobae enabled auto-merge July 11, 2026 00:29

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/ddl/export.py, backend/app/dsn_redaction.py, backend/app/spec/naming_lint.py, backend/app/spec/wide_tables.py, backend/fuzz/README.md, and 8 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/ddl/export.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: No blocking issues found in the PR adds fuzzing for untrusted-input surfaces with Atheris and Hypothesis.
  • Head SHA: 64f813ef8c1f3a60b01e2b3bf4a18258fd902430
  • Workflow run: 29151432698
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Backend (33 files)"]
  S1 --> I1["API and service runtime"]
  I1 --> R1["Review risk: Backend (33 files)"]
  R1 --> V1["backend tests"]
  Evidence --> S2["Docs: README.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: README.md"]
  R2 --> V2["docs review"]
Loading

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/ddl/export.py, backend/app/dsn_redaction.py, backend/app/spec/naming_lint.py, backend/app/spec/wide_tables.py, backend/fuzz/README.md, and 8 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/ddl/export.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: No blocking issues found in the current-head bounded evidence.
  • Head SHA: 399d56b91d308302a97772b20b349b0f41c4ab50
  • Workflow run: 29161414873
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Backend (33 files)"]
  S1 --> I1["API and service runtime"]
  I1 --> R1["Review risk: Backend (33 files)"]
  R1 --> V1["backend tests"]
  Evidence --> S2["Docs: README.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: README.md"]
  R2 --> V2["docs review"]
Loading

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/ddl/export.py, backend/app/dsn_redaction.py, backend/app/spec/naming_lint.py, backend/app/spec/wide_tables.py, backend/fuzz/README.md, and 8 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/ddl/export.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: No blocking issues found in the current-head bounded evidence.
  • Head SHA: 0129fb83e0d27b5b5d0b02e8572d56810eccbc94
  • Workflow run: 29165565532
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Backend (33 files)"]
  S1 --> I1["API and service runtime"]
  I1 --> R1["Review risk: Backend (33 files)"]
  R1 --> V1["backend tests"]
  Evidence --> S2["Docs: README.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: README.md"]
  R2 --> V2["docs review"]
Loading

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/ddl/export.py, backend/app/dsn_redaction.py, backend/app/spec/naming_lint.py, backend/app/spec/wide_tables.py, backend/fuzz/README.md, and 8 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/ddl/export.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: No blocking issues found in the current-head evidence.
  • Head SHA: 7956b913a22de8235e33562fc7f2a19d06c90f8e
  • Workflow run: 29168335562
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Backend (33 files)"]
  S1 --> I1["API and service runtime"]
  I1 --> R1["Review risk: Backend (33 files)"]
  R1 --> V1["backend tests"]
  Evidence --> S2["Docs: README.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: README.md"]
  R2 --> V2["docs review"]
Loading

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/ddl/export.py, backend/app/dsn_redaction.py, backend/app/spec/naming_lint.py, backend/app/spec/wide_tables.py, backend/fuzz/README.md, and 8 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/ddl/export.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: No blocking issues found in the current-head evidence.
  • Head SHA: 1d0609613113922b1bf8dac4fd48d9d682bbeb2e
  • Workflow run: 29170069802
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Backend (33 files)"]
  S1 --> I1["API and service runtime"]
  I1 --> R1["Review risk: Backend (33 files)"]
  R1 --> V1["backend tests"]
  Evidence --> S2["Docs: README.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: README.md"]
  R2 --> V2["docs review"]
Loading

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found source-backed failed-check findings that must be addressed before merge.

  • Result: REQUEST_CHANGES
  • Reason: failed current-head checks were mapped to line-specific findings below for c1ff19f9a364dd362a8b105b00b7af78a3d15d3b.
  • Head SHA: c1ff19f9a364dd362a8b105b00b7af78a3d15d3b
  • Workflow run: 29171795375
  • Workflow attempt: 1
Failed checks

Findings

1. HIGH tests/test_main_rate_limit_wiring.py:23 - Failed GitHub Check needs a source-backed pytest fix for test_logout_route_uses_tighter_revocation_rate_limit

  • Problem: GitHub Check failed in test step; pytest reported tests/test_main_rate_limit_wiring.py::test_logout_route_uses_tighter_revocation_rate_limit, so the review must explain the failing assertion instead of linking only to the Actions URL.
  • Root cause: The failed log maps the pytest failure to tests/test_main_rate_limit_wiring.py:23; OpenCode must inspect that source line and explain the assertion-level cause before approval.
  • Fix: Patch tests/test_main_rate_limit_wiring.py:23 to satisfy test_logout_route_uses_tighter_revocation_rate_limit, then rerun the focused pytest target.
  • Regression test: Run cd backend && python -m pytest tests/test_main_rate_limit_wiring.py::test_logout_route_uses_tighter_revocation_rate_limit -q when the repository has a backend test layout, then rerun the failed check.
  • Suggested edit: update tests/test_main_rate_limit_wiring.py:23 for test_logout_route_uses_tighter_revocation_rate_limit; do not approve or post a URL-only review until the exact failing assertion is explained with this file, line, command, and fix direction.
Failed check evidence for line-specific fixes

Failed GitHub Check Evidence

  • PR: #512
  • Head SHA: c1ff19f9a364dd362a8b105b00b7af78a3d15d3b
  • Repository: ContextualWisdomLab/pg-erd-cloud

Line-specific repair contract

  • Treat the check logs and annotations below as diagnostic evidence, not as a complete review.

  • For each actionable failed check, inspect the local source or diff and identify the exact file line that must change.

  • OpenCode REQUEST_CHANGES findings must include path, line, root_cause, fix_direction, regression_test_direction, and suggested_diff.

  • Do not request changes with only a GitHub Actions URL or a generic check name.

  • When Strix logs contain multiple Vulnerability Report or Model ... Vulnerabilities ... sections, include every model-reported vulnerability in the review evidence and findings, including model name, title, severity, endpoint, and Code Locations/path:line evidence when present.

  • Create one OpenCode finding per Strix model vulnerability report; do not satisfy two model reports with one combined finding, even when titles or locations match.

Failed check: ci/backend

Failed job steps

  • step 8: Tests (pytest) (failure)

Check annotations

  • .github:62-62 [failure] Process completed with exit code 1.

Failed log signal summary

backend	Tests (pytest)	2026-07-11T23:14:44.3859326Z =============================== warnings summary ===============================
backend	Tests (pytest)	2026-07-11T23:14:44.3860921Z   /opt/hostedtoolcache/Python/3.10.20/x64/lib/python3.10/site-packages/fastapi/testclient.py:1: StarletteDeprecationWarning: Using `httpx` with `starlette.testclient` is deprecated; install `httpx2` instead.
backend	Tests (pytest)	2026-07-11T23:14:44.3862649Z -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
backend	Tests (pytest)	2026-07-11T23:14:44.3864802Z 1 failed, 362 passed, 1 skipped, 1 warning in 3.40s
backend	Tests (pytest)	2026-07-11T23:14:44.5433254Z ##[error]Process completed with exit code 1.

Failed log excerpt

backend	Tests (pytest)	2026-07-11T23:14:40.1549052Z ##[group]Run pytest -q
backend	Tests (pytest)	2026-07-11T23:14:40.1549346Z ^[[36;1mpytest -q^[[0m
backend	Tests (pytest)	2026-07-11T23:14:40.1582168Z shell: /usr/bin/bash -e {0}
backend	Tests (pytest)	2026-07-11T23:14:40.1582680Z env:
backend	Tests (pytest)	2026-07-11T23:14:40.1582948Z   pythonLocation: /opt/hostedtoolcache/Python/3.10.20/x64
backend	Tests (pytest)	2026-07-11T23:14:40.1583401Z   PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.10.20/x64/lib/pkgconfig
backend	Tests (pytest)	2026-07-11T23:14:40.1583833Z   Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.20/x64
backend	Tests (pytest)	2026-07-11T23:14:40.1584218Z   Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.20/x64
backend	Tests (pytest)	2026-07-11T23:14:40.1584606Z   Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.10.20/x64
backend	Tests (pytest)	2026-07-11T23:14:40.1584986Z   LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.10.20/x64/lib
backend	Tests (pytest)	2026-07-11T23:14:40.1585322Z   PYTHONPATH: .
backend	Tests (pytest)	2026-07-11T23:14:40.1585520Z ##[endgroup]
backend	Tests (pytest)	2026-07-11T23:14:43.5809702Z ........................................................................ [ 19%]
backend	Tests (pytest)	2026-07-11T23:14:43.6882050Z ........................................................................ [ 39%]
backend	Tests (pytest)	2026-07-11T23:14:44.0184746Z .........................................F.............................. [ 59%]
backend	Tests (pytest)	2026-07-11T23:14:44.2029364Z ........................................................................ [ 79%]
backend	Tests (pytest)	2026-07-11T23:14:44.2997003Z ........................................................................ [ 99%]
backend	Tests (pytest)	2026-07-11T23:14:44.3827609Z ...                                                                      [100%]
backend	Tests (pytest)	2026-07-11T23:14:44.3828393Z =================================== FAILURES ===================================
backend	Tests (pytest)	2026-07-11T23:14:44.3829211Z _____________ test_logout_route_uses_tighter_revocation_rate_limit _____________
backend	Tests (pytest)	2026-07-11T23:14:44.3829847Z 
backend	Tests (pytest)	2026-07-11T23:14:44.3830853Z     def test_logout_route_uses_tighter_revocation_rate_limit() -> None:
backend	Tests (pytest)	2026-07-11T23:14:44.3831607Z         main_app._rate_limiter._buckets.clear()
backend	Tests (pytest)	2026-07-11T23:14:44.3832765Z         main_app._share_link_rate_limiter._buckets.clear()
backend	Tests (pytest)	2026-07-11T23:14:44.3833456Z         main_app._revoke_rate_limiter._buckets.clear()
backend	Tests (pytest)	2026-07-11T23:14:44.3834008Z     
backend	Tests (pytest)	2026-07-11T23:14:44.3834373Z         client = TestClient(main_app.app)
backend	Tests (pytest)	2026-07-11T23:14:44.3835076Z         headers = {CSRF_HEADER_NAME: generate_csrf_token(settings.app_secret)}
backend	Tests (pytest)	2026-07-11T23:14:44.3835753Z     
backend	Tests (pytest)	2026-07-11T23:14:44.3836070Z         for _ in range(10):
backend	Tests (pytest)	2026-07-11T23:14:44.3836500Z             assert client.post("/api/auth/logout", headers=headers).status_code != 429
backend	Tests (pytest)	2026-07-11T23:14:44.3836965Z     
backend	Tests (pytest)	2026-07-11T23:14:44.3837270Z         response = client.post("/api/auth/logout", headers=headers)
backend	Tests (pytest)	2026-07-11T23:14:44.3837668Z     
backend	Tests (pytest)	2026-07-11T23:14:44.3837901Z >       assert response.status_code == 429
backend	Tests (pytest)	2026-07-11T23:14:44.3838233Z E       assert 500 == 429
backend	Tests (pytest)	2026-07-11T23:14:44.3838594Z E        +  where 500 = <Response [500 Internal Server Error]>.status_code
backend	Tests (pytest)	2026-07-11T23:14:44.3838922Z 
backend	Tests (pytest)	2026-07-11T23:14:44.3839098Z tests/test_main_rate_limit_wiring.py:23: AssertionError
backend	Tests (pytest)	2026-07-11T23:14:44.3839586Z ------------------------------ Captured log call -------------------------------
backend	Tests (pytest)	2026-07-11T23:14:44.3840950Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.867177+00:00","event":"http_request","request_id":"68f7ed68-4bd9-4fdd-badf-31c516147378","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":61.175,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3842901Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.872731+00:00","event":"http_request","request_id":"fcddb861-aab5-4312-a9f4-2cad43c079c7","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":2.58,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3844563Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.877038+00:00","event":"http_request","request_id":"372a206e-e25f-4b6d-bfbd-6ac359e6ada4","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.416,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3846209Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.880962+00:00","event":"http_request","request_id":"fe6783af-e0b1-410b-9ed6-e1debf4d046e","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.402,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3848124Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.884884+00:00","event":"http_request","request_id":"7aa2fb37-5663-4e35-9ceb-aeebe3779fad","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.365,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3849748Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.888691+00:00","event":"http_request","request_id":"f1b4fe0b-7610-4afb-b357-3cfa91031f41","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.268,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3851366Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.892506+00:00","event":"http_request","request_id":"2382a406-c128-4134-bb36-fc1d08eb079c","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.317,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3853301Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.896342+00:00","event":"http_request","request_id":"2bbb38ae-5cb7-413b-9a9b-37c7f5f1e9d2","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.3,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3854934Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.900289+00:00","event":"http_request","request_id":"849b41cd-f351-4bdd-adb1-85f34e4a6d0b","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.328,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3856554Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.904714+00:00","event":"http_request","request_id":"e504aaf7-79b3-4480-838b-247e321ece5e","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.714,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3858325Z ERROR    app.observability:observability.py:69 {"ts":"2026-07-11T23:14:43.909050+00:00","event":"http_request","request_id":"65e69f9d-1637-4d3c-9c51-9c59d08e9264","method":"POST","route":"/api/auth/logout","status":500,"duration_ms":1.443,"client_ip":"testclient"}
backend	Tests (pytest)	2026-07-11T23:14:44.3859326Z =============================== warnings summary ===============================
backend	Tests (pytest)	2026-07-11T23:14:44.3859870Z ../../../../../../opt/hostedtoolcache/Python/3.10.20/x64/lib/python3.10/site-packages/fastapi/testclient.py:1
backend	Tests (pytest)	2026-07-11T23:14:44.3860921Z   /opt/hostedtoolcache/Python/3.10.20/x64/lib/python3.10/site-packages/fastapi/testclient.py:1: StarletteDeprecationWarning: Using `httpx` with `starlette.testclient` is deprecated; install `httpx2` instead.
backend	Tests (pytest)	2026-07-11T23:14:44.3861862Z     from starlette.testclient import TestClient as TestClient  # noqa
backend	Tests (pytest)	2026-07-11T23:14:44.3862147Z 
backend	Tests (pytest)	2026-07-11T23:14:44.3862649Z -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
backend	Tests (pytest)	2026-07-11T23:14:44.3863117Z =========================== short test summary info ============================
backend	Tests (pytest)	2026-07-11T23:14:44.3863828Z FAILED tests/test_main_rate_limit_wiring.py::test_logout_route_uses_tighter_revocation_rate_limit - assert 500 == 429
backend	Tests (pytest)	2026-07-11T23:14:44.3864427Z  +  where 500 = <Response [500 Internal Server Error]>.status_code
backend	Tests (pytest)	2026-07-11T23:14:44.3864802Z 1 failed, 362 passed, 1 skipped, 1 warning in 3.40s
backend	Tests (pytest)	2026-07-11T23:14:44.5433254Z ##[error]Process completed with exit code 1.

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Backend (33 files)"]
  S1 --> I1["API and service runtime"]
  I1 --> R1["Review risk: Backend (33 files)"]
  R1 --> V1["backend tests"]
  Evidence --> S2["Docs: README.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: README.md"]
  R2 --> V2["docs review"]
Loading

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head bounded evidence and found no blocking issues.

Findings

No blocking findings.

Summary

Approval sufficiency: bounded evidence supplied affirmative approval evidence for changed files, coverage/docstring posture, risk surfaces, and current-head verification; approval is not based merely on the absence of known blockers.
Verification posture: CodeGraph evidence was initialized and bounded current-head evidence reviewed for changed-file evidence including backend/app/ddl/export.py, backend/app/dsn_redaction.py, backend/app/spec/naming_lint.py, backend/app/spec/wide_tables.py, backend/fuzz/README.md, and 8 more.
Linter/static: workflow/static review evidence is bounded by the current-head GitHub Checks gate and changed-file evidence.
TDD/regression: coverage execution evidence and focused changed hunks were reviewed from bounded-review-evidence.md.
Coverage: coverage execution evidence reports supported repository test suites passed.
Docstring coverage: coverage execution evidence reports configured repository docstring gates passed or docstring coverage was advisory.
DAG: CodeGraph/source-backed behavior map connects backend/app/ddl/export.py to the affected review, runtime, or workflow path and required checks.
PoC/execution: coverage-evidence job executed on the current head and reported PASS.
DDD/domain: workflow and repository-governance invariants were reviewed against changed files in bounded evidence.
CDD/context: CodeGraph evidence, changed-file history, and focused hunks were reviewed from bounded-review-evidence.md.
Similar issues: changed-file history evidence was reviewed for comparable local precedents.
Claim/concept check: bounded evidence, repository source, current-head workflow evidence, and, where numeric, scientific, statistical, or literature-backed claims are affected, original-paper/formula evidence and parameter-recovery expectations were used for claims.
Standards search: standards and external-source checks are delegated to configured OpenCode web_search/Context7/DeepWiki sources when applicable; no evidence-backed standards blocker is present in bounded evidence.
Compatibility/convention: changed workflow/script conventions, object naming, and reserved-word safety for schema/API/config/code surfaces were checked in bounded evidence.
Breaking-change/backcompat: deployment evidence and changed-file history were checked for backward-compatibility risk.
Performance: changed surfaces were checked for performance risk in bounded evidence.
Developer experience: changed automation, review, test, setup, and maintenance surfaces were checked for helpful or obstructive DX impact in bounded evidence.
User experience: connected user, operator, API, CLI, documentation, review-comment, status-check, rendering, and workflow-reader behavior was checked for contradictions against code, docs, and tests in bounded evidence.
Visual/DOM: Playwright visual, DOM locator, ARIA snapshot, console, and responsive evidence were checked when a web UI surface was present; for non-web surfaces, API/CLI/log/docs/workflow interaction evidence was reviewed instead.
Accessibility/i18n: accessibility, localization, and human-readable text surfaces were checked where UI, CLI, API message, docs, logs, or review text changed.
Supply-chain/license: dependency, package, model, container, and external-tool changes were checked in bounded evidence.
Packaging: package, build, test, lint, and security contracts were checked in bounded evidence.
Security/privacy: workflow-token, review-gate, and repository-automation security/privacy boundaries were checked in bounded evidence.

  • Result: APPROVE
  • Reason: No blocking issues found in current-head evidence
  • Head SHA: 773faf9d072efcdbc21a8063460b7670952da94b
  • Workflow run: 29173405733
  • Workflow attempt: 1

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Backend (33 files)"]
  S1 --> I1["API and service runtime"]
  I1 --> R1["Review risk: Backend (33 files)"]
  R1 --> V1["backend tests"]
  Evidence --> S2["Docs: README.md"]
  S2 --> I2["operator or user guidance"]
  I2 --> R2["Review risk: Docs: README.md"]
  R2 --> V2["docs review"]
Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

2 participants