CodeSnuffler Forgejo End-to-End historical review range codesnuffler-forgejo-live-20260710T171114901Z-e597f6c7-e91 #54
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "change_forgejo_end_to_end"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Exercise the live Forgejo webhook review pipeline against a stable historical CodeSnuffler diff.
Run marker: codesnuffler-forgejo-live-20260710T171114901Z-e597f6c7-e91.
Run started at: 2026-07-10T17:11:14.901Z.
Fixture range: f9d210eccd0075b6b39b606cea9b1376719aa062..d8a3fc420b055e04df1d203706b89b1f1261a9c1.
This stable two-commit AI Harness range is expected to produce actionable findings.
CodeSnuffler Review Findings
Findings
1. Dev shell auth commands ignore selected instance
app/dev_shell.py:320Details for this finding were posted as an inline review comment on the changed line.
Open finding in CodeSnuffler
Fix via CodeSnuffler
2. AI review policy API still exposes persona_id
app/settings/ai_review_policy/schemas.py:72-77The PR removes
persona_idfrom the main AI tool status/auth contracts, butAiReviewPolicyAiToolInstanceChoiceResponsestill publishes onlypersona_idand the generated frontend type plus settings UI still consume it. This leaves a public schema and frontend path on the removed identity name, contrary to the repository cleanup rule for schema field standardization.Open finding in CodeSnuffler
Fix via CodeSnuffler
Suggested fix: Replace
persona_idwith the current identity fields needed by the UI, at minimuminstance_idand likelyplugin_id/driver_id; updateservice.py, regenerate frontend API types, and changeAiReviewPolicySettings.vuelabels/lookups to useinstance_id.3. Auth container env names no longer match runtime contract
container_image_controller/api.py:971-973Details for this finding were posted as an inline review comment on the changed line.
Open finding in CodeSnuffler
Fix via CodeSnuffler
@ -316,3 +318,3 @@async def dev_shell_websocket(websocket: WebSocket) -> None:command_id = websocket.query_params.get("command", "bash")persona_id = websocket.query_params.get("persona_id")instance_id = websocket.query_params.get("instance_id")CodeSnuffler finding: Dev shell auth commands ignore selected instance
Severity: Medium Category: Correctness
dev_shell_websocketnow reads only theinstance_idquery parameter, but the dev-shell frontend still sendspersona_idfromDevShellTerminal.vue. For non-primary personas/instances, runner auth websocket commands will fall back toprimaryand operate on the wrong auth storage. Update the frontend query parameter toinstance_idand adjust prop/type naming as needed rather than accepting both names.Commit: Open commit
d8a3fc420b05Open finding in CodeSnuffler
Fix via CodeSnuffler
Suggested fix: Change
frontend/src/dev-shell/components/DevShellTerminal.vueto sendinstance_idinstead ofpersona_id, and update any related frontend naming/types.@ -945,3 +970,2 @@env = [f"TOOL_ID={profile.tool_id}",f"TOOL_PERSONA_ID={session.persona_id}",f"DRIVER_ID={profile.tool_id}",CodeSnuffler finding: Auth container env names no longer match runtime contract
Severity: Medium Category: Correctness
The controller now injects
DRIVER_IDbut noTOOL_IDorAI_TOOL_DRIVER_ID, while the documented auth-container contract still specifiesTOOL_ID,PLUGIN_ID,PLUGIN_INSTANCE_ID, andAI_TOOL_DRIVER_ID. Any auth adapter or external plugin built against that contract will stop seeing the documented tool/driver identifiers.Commit: Open commit
d8a3fc420b05Open finding in CodeSnuffler
Fix via CodeSnuffler
Suggested fix: Either emit the documented current names (
TOOL_IDandAI_TOOL_DRIVER_ID) withPLUGIN_ID/PLUGIN_INSTANCE_ID, or update the contract and all adapter consumers in the same change so there is only one current env shape.Pull request closed