Skip to content

chore(azdext): apply post-6856 cleanup#5

Closed
jongio wants to merge 14 commits intofeature/ext-pr5-6948from
feature/ext-pr6-6949
Closed

chore(azdext): apply post-6856 cleanup#5
jongio wants to merge 14 commits intofeature/ext-pr5-6948from
feature/ext-pr6-6949

Conversation

@jongio
Copy link
Owner

@jongio jongio commented Mar 2, 2026
edited
Loading

Summary

  • Apply post-6856 cleanup for context ownership, package boundaries, and docs alignment.
  • Carries cumulative quality fixes from lower layers.

Why

Links

Stack position

  • Base: feature/ext-pr5-6948
  • Head: feature/ext-pr6-6949

Stack / Merge Plan (Uber Plan)

This PR is Step 6 of 6 in the full rollout.

Required merge order

  1. Azure/azure-dev#6856 (Step 1)
  2. feat(azdext): add integration helpers for keyvault and config (Step 2)
  3. feat(azdext): add output and logging helpers (Step 3)
  4. feat(azdext): add security validation and ssrf guard (Step 4)
  5. feat(azdext): add runtime utility helpers (Step 5)
  6. chore(azdext): apply post-6856 cleanup (Step 6) ← current PR

How to land this safely

  • Merge strictly in the order above.
  • After each merge, rebase/merge forward so the next PR only contains net-new changes.
  • Do not skip steps; each PR depends on prior stack layers.

jongio and others added 13 commits March 1, 2026 20:20
@jongio
feat(azdext): add integration helpers for keyvault and config
1e913cc 
Implements Azure#6945 (P1-5/P1-6).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
feat(azdext): add output and structured logging helpers
b747d95 
Implements Azure#6946 (P2-1/P2-2).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
feat(azdext): add security validation and ssrf guard helpers
5ef3592 
Implements Azure#6947 (P2-3/P2-4).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
feat(azdext): add runtime utility helpers
a6ee199 
Implements Azure#6948 (P3-1..P3-5).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
chore(azdext): document and finalize post-6856 cleanup
80836a0 
Implements Azure#6949 and related docs updates (Azure#6863/Azure#6855).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix: resolve PR2 lint issues
80f115f 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix: resolve PR4 lint issues
d746baa 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix: resolve PR5 lint and security findings
c0debf6 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
docs: add runtime utility reference details
d3f2966 
Document shell, tool discovery, interactive, and atomic file helpers with behavior notes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix: share SSRF ip validation logic
986f2de 
Reuse shared SSRF host/CIDR and IP checks between guard and MCP policy to keep behavior aligned.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix: align runtime helpers with repo patterns
b5515f2 
Use osutil rename retry semantics, support project-local tool lookup, and sync agent env detection keys.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
security: harden sample extension and propagate all hack scan fixes
007ecaf 
- swap.go: validate slot names, add error context
- shell: sanitize command arguments and validate paths
- ssrf_guard: strengthen IP validation and blocklist enforcement
- Propagate all core and helper security fixes across stack
@jongio
fix: bounds-check prompt indices and harden pagination/staticcheck
4e44800 
- swap.go: validate prompt.GetValue() bounds before array access (3 sites)
- NewPagerFromHTTPClient: fall back to http.DefaultClient when nil passed
- keyvault_resolver_test.go: add //lint:ignore SA1012 for standalone staticcheck
This was referenced Mar 2, 2026
Closed
Closed
Closed
Closed
Merged
@jongio
fix: address profile review findings for stacked PR
82a8db8 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
Copy link
Owner Author

jongio commented Mar 6, 2026

Consolidated into single PR: Azure#7025

@jongio jongio closed this Mar 6, 2026
jongio added a commit that referenced this pull request Mar 13, 2026
@jongio
fix: address Copilot review feedback
179f60c 
- Use merged_at instead of merged for reliable merge detection (thread #1)
- Expand isDocOnlyPr to handle doc-adjacent assets (thread #2)
- Replace N+1 API calls with git.getTree for doc inventory (thread #3)
- Fix README trigger types to match actual workflow config (thread #5)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jongio added a commit that referenced this pull request Mar 13, 2026
@jongio
security: comprehensive hardening from red team assessment
5b28419 
- Pin actions to commit SHAs (actions/checkout, azure/login)
- Cap all_open/list mode to MAX_PRS_PER_RUN=20
- Cap AI output: MAX_REASON_LENGTH=200, MAX_SUMMARY_LENGTH=500
- Add MAX_IMPACTS=15 to limit AI-generated impact count
- Add MAX_CONTENT_SIZE_BYTES=50KB per doc file
- Sanitize doc manifest content (titles, topics, headings)
- Reject unknown repos from AI output (not just warn)
- Validate repo format with regex (owner/repo)
- Block path traversal in AI-returned paths
- Sanitize PR title in log output (strip control chars)
- Strip HTML from existing PR body in closeCompanionPrs
- Remove error messages from tracking comment (prevent data leak)
- Upper-bound PR number input to 999999
- Rename TRUSTED_DOC_INVENTORY to DOC_INVENTORY tag

Red team findings addressed: #2, #5, Azure#6, Azure#8, Azure#9, Azure#10, Azure#11
Admin items remaining: #1 (env gating), #3 (token scope), #4 (OIDC vars)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wbreza wbreza Awaiting requested review from wbreza wbreza will be requested when the pull request is marked ready for review wbreza is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jongio