Parallel analysis lane
In the repo /home/akitav2/projects/4626, verify three CI audit findings:
H-4: In .github/workflows/security-scanning.yml (~lines 217-227), read the Semgrep step. Report the exact run block, whether shell: bash or set -o pipefail is present, whether there's any explicit exit-on-findings step after the | tee, and what the default shell for the job is.
H-5: Read .github/workflows/test.yml in full. Report which jobs exist and exactly which guard/check commands run (looking for guard:schema, guard:frontend-boundaries, guard:server-core-boundary, guard:canonical-csw, kpr typecheck). Then grep all of .github/workflows/ for "guard:frontend-boundaries", "guard:server-core-boundary", "guard:schema", and "kpr typecheck" to confirm which workflows (if any) run them.
Also verify the claimed committed violations: run these and report output:
- pnpm -C frontend guard:frontend-boundaries — wait, you are read-only; instead read frontend/scripts/check-frontend-boundaries.mjs and check-server-core-boundary.mjs to understand what they check, and look at the flagged files: frontend/api/_handlers/deploy/_vanityPerVaultVersion.ts, _vanityShareOftSalt.ts, frontend/api/_handlers/deploy/v2/session/_createCore.ts, frontend/api/_handlers/onboarding/_preview-add-owner.ts (check imports from src/), and frontend/api/_handlers/admin/ethos/_health.ts, _indexes.ts, _refresh.ts, frontend/api/_handlers/v1/alfaclub/_counter-trade-status.ts (check imports of server/_lib directly), and frontend/server/_lib/agents/base-mcp/approvalFlow.ts (look for raw CREATE TABLE / ADD COLUMN DDL strings). Report the offending import/DDL lines with line numbers, and what the compliant pattern would be (e.g. what do neighboring compliant handlers import instead — check how other api handlers get server-core functionality, and how schemaBootstrap.ts ensureMigrationApplied is used).
H-6: Read .github/workflows/control-plane-stuck-scan.yml in full and .github/workflows/alfaclub-auth-health-monitor.yml (as the working pnpm reference). Report the exact broken install steps and the working pattern to mirror.
Be precise with file:line citations.
Analysis
Investigating the three CI audit findings by reading the workflow files and flagged source paths.
[REDACTED]
Tools invoked: UpdateCurrentStep, Read, Read, Read, Read, Grep
Analysis
[REDACTED]
Tools invoked: Read, Grep, Grep, Grep, Grep, Read, Read
Analysis
[REDACTED]
Tools invoked: Grep, Read, Read, Read, Read, Read, Read, Read, Read, Grep
Analysis
[REDACTED]
Tools invoked: Read, Read, Grep, Grep, Read, Grep
Analysis
[REDACTED]
Tools invoked: Grep, Glob, Read, Grep, Read, Grep
Analysis
[REDACTED]
Tools invoked: Grep, Grep, Glob, Read
Analysis
[REDACTED]
Tools invoked: Read, Grep, Grep, Read
Analysis
[REDACTED]
Tools invoked: Read, Grep, Read
Analysis
[REDACTED]
Tools invoked: Read, Grep
Analysis
[REDACTED]
Tools invoked: UpdateCurrentStep
Analysis
H-4 — Semgrep step (security-scanning.yml)
Job: semgrep-api (lines 208–236). No job-level defaults: and no shell: anywhere in .github/workflows/security-scanning.yml.
Exact scan step (lines 217–227):
- name: Scan API handlers and shared server lib
run: |
docker run --rm -v "$GITHUB_WORKSPACE:/src" semgrep/semgrep:latest semgrep scan \
--metrics=off \
--timeout=5 \
--config=p/typescript \
--config=p/javascript \
/src/frontend/api \
/src/frontend/server/_lib \
/src/frontend/packages/server-core/src \
2>&1 | tee "$RUNNER_TEMP/semgrep.txt"
| Check | Result |
|---|---|
Explicit shell: bash on this step or job | No |
Explicit set -o pipefail in the run block | No |
Explicit exit-on-findings step after | tee | No — next step is summary-only with if: always() (lines 229–236), no grep/exit 1/Semgrep exit-code check |
| Job default shell | Not set — inherits GitHub Actions platform default for ubuntu-latest run steps: bash with -eo pipefail (not declared in this file) |
Nuance vs audit wording: The workflow file does not document pipefail, and there is no dedicated findings gate. With GHA’s default -o pipefail, a non-zero docker run exit should fail the pipeline step unless Semgrep exits 0 despite findings. The summary step text still claims blocking behavior (line 233: “Any finding fails the job”).
H-5 — test.yml jobs, guards, and workflow grep
Jobs in .github/workflows/test.yml
| Job | Guard/check commands |
|---|---|
test | bash scripts/check-forbidden-tracked-files.sh; forge build --skip test --sizes; amoe/tools/ci/check_manager_size_warn.sh (continue-on-error: true); forge test -vvv |
api-tests | guard:server-core-boundary (109); guard:schema (112); guard:canonical-csw (115); guard:output-contract (118); lint (121); check-no-todo-markers.sh (124); guard:generated-output (127); guard:runtime-boundaries (130); guard:api-readjsonbody-maxbytes (133); guard:api-nonv1-hardening (136); guard:test-file-placement (139); guard:arch-b-subaccount-alignment (142); typecheck (145); test (148); report:footprint (187); conditional check:agent-registration (191) |
lottery-edge-cases | Foundry lottery/edge-case tests only |
test-summary | forge test --summary (summary job) |
coverage | forge coverage (continue-on-error: true) |
strategy-reallocator-guards | node scripts/check-vault-strategy-reallocator-wiring.mjs; pnpm -C kpr test …; Foundry rebalance tests — no kpr typecheck |
Grep across .github/workflows/
| Pattern | Workflows |
|---|---|
guard:frontend-boundaries | None (only in frontend/package.json and docs) |
guard:server-core-boundary | test.yml line 109 only |
guard:schema | test.yml line 112 only |
guard:canonical-csw | test.yml line 115 only |
kpr typecheck / pnpm -C kpr typecheck | None (typecheck in workflows = frontend only, test.yml:145) |
Audit claim confirmed: guard:server-core-boundary and guard:schema are wired; guard:frontend-boundaries and kpr typecheck are not.
H-5 — Guard scripts and committed violations (static analysis)
What the guards check
frontend/scripts/check-frontend-boundaries.mjs — three rules (lines 189–196):
src/components/uimust not importsrc/features/*- Cross-feature imports outside a small allowlist
api/_handlersmust not importsrc/…exceptALLOWED_API_TO_SRC(lines 28–36):
erc8004AgentUriPolicy,finalizeShareBridgeFee,shareBridgeOftWiring,phase1ModuleDeploy,contracts.defaults,bytecode.generated,swapQuoteSanitize
frontend/scripts/check-server-core-boundary.mjs — API handlers must not import banned server/_lib/… paths (e.g. server/_lib/db/postgres.js, server/_lib/auth/session.js); remediation: use @4626/server-core (lines 105–107).
frontend/scripts/guard-no-raw-schema-ddl.mjs — scans frontend/server/ for CREATE TABLE IF NOT EXISTS, CREATE SCHEMA IF NOT EXISTS, ALTER TABLE … ADD COLUMN IF NOT EXISTS (lines 19–23); excludes schemaBootstrap.ts.
guard:frontend-boundaries — 5 api-no-src violations
| File | Line(s) | Offending import | Allowed? |
|---|---|---|---|
| frontend/api/_handlers/deploy/_vanityPerVaultVersion.ts | 12 | ../../../src/lib/deploy/perVaultVanityVersionSearch.js | No |
| frontend/api/_handlers/deploy/_vanityShareOftSalt.ts | 12 | same | No |
| frontend/api/_handlers/deploy/v2/session/_createCore.ts | 20–23 | ../../../../../src/lib/deploy/ovaultModuleIdentity.js | No |
| frontend/api/_handlers/onboarding/_preview-add-owner.ts | 33 | ../../../src/lib/relay/goldenRelayPart1Shape.js | No |
| same | 34 | ../../../src/lib/wallet/cswOwnerAbi.js | No |
Same file, allowed src/ imports (_createCore.ts): lines 18–19, 24–30, 77, 79 use allowlisted modules (contracts.defaults, finalizeShareBridgeFee, phase1ModuleDeploy, shareBridgeOftWiring, bytecode.generated).
Compliant pattern: Move helpers to packages/server-core, or add explicit entries to ALLOWED_API_TO_SRC in check-frontend-boundaries.mjs (lines 28–36) with justification.
guard:server-core-boundary — 7 violations
| File | Line(s) | Banned specifiers |
|---|---|---|
| frontend/api/_handlers/admin/ethos/_health.ts | 3–4 | server/_lib/db/postgres.js, server/_lib/auth/session.js |
| frontend/api/_handlers/admin/ethos/_indexes.ts | 3–4 | same |
| frontend/api/_handlers/admin/ethos/_refresh.ts | 3–4 | same |
| frontend/api/_handlers/v1/alfaclub/_counter-trade-status.ts | 15 | server/_lib/db/postgres.js only (lines 2–8 already use @4626/server-core) |
Compliant pattern (e.g. frontend/api/_handlers/admin/waitlist/_list.ts lines 3–12, admin/userop/_health.ts lines 3–11):
import {
getDb,
getSessionAddress,
isAdminAddress,
// …
} from '@4626/server-core'
Domain-specific server/_lib/… imports remain OK when not on the banned list (e.g. _list.ts line 16: supabaseAdmin.js).
guard:schema — 1 violation
frontend/server/_lib/agents/base-mcp/approvalFlow.ts lines 115–127:
await db.sql`
CREATE TABLE IF NOT EXISTS base_mcp_approval_requests (
request_id TEXT PRIMARY KEY,
client_request_id TEXT NOT NULL,
approval_url TEXT NOT NULL,
user_id TEXT NOT NULL,
execution_mode TEXT NOT NULL CHECK (execution_mode IN ('canonical', 'eoa')),
sender TEXT NOT NULL,
status TEXT NOT NULL CHECK (status IN ('pending', 'approved', 'rejected', 'expired')),
created_at TIMESTAMPTZ NOT NULL,
expires_at TIMESTAMPTZ NOT NULL,
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
`
No matching migration under supabase/migrations/ for base_mcp_approval_requests.
Compliant pattern: Add DDL in supabase/migrations/, then bootstrap via ensureMigrationApplied in schemaBootstrap.ts (see lines 226–261) inside a named ensure*Schema helper — same pattern as control-plane migrations at lines 282–283.
H-6 — control-plane-stuck-scan.yml vs alfaclub-auth-health-monitor.yml
Broken workflow — full file
name: Control Plane Stuck Scan
on:
schedule:
- cron: '*/30 * * * *'
workflow_dispatch:
jobs:
stuck-scan:
runs-on: ubuntu-latest
defaults:
run:
working-directory: frontend
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
cache: npm
cache-dependency-path: frontend/package-lock.json
- run: npm ci
- name: Run control-plane stuck scan
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
CONTROL_PLANE_STUCK_FAIL_ON_FOUND: '1'
CONTROL_PLANE_ALERT_WEBHOOK_URL: ${{ secrets.CONTROL_PLANE_ALERT_WEBHOOK_URL }}
run: npm run control-plane:stuck-scan
Problems:
cache: npm+cache-dependency-path: frontend/package-lock.json— no frontend/package-lock.json in repo (pnpm-only).npm ci— frontend usespnpm-lock.yaml, not npm lockfile.- Unpinned actions (
@v4) vs pinned SHAs elsewhere. - No
pnpm/action-setup— script is"control-plane:stuck-scan": "tsx --env-file=.env scripts/control-plane-stuck-operations.ts"(frontend/package.json:76), so deps must be installed via pnpm.
Working reference — alfaclub-auth-health-monitor.yml
jobs:
probe:
name: Probe /api/v1/alfaclub/chat-auth-health
runs-on: ubuntu-latest
timeout-minutes: 3
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 1
- name: Use Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: '20'
- name: Run health monitor
env:
ALFACLUB_HEALTH_CRON_SECRET: ${{ secrets.ALFACLUB_HEALTH_CRON_SECRET }}
ALFACLUB_HEALTH_URL: ${{ vars.ALFACLUB_HEALTH_URL }}
run: node frontend/scripts/alfaclub-auth-health-monitor.mjs
Why AlfaClub works: Zero-deps script run with plain node — no install step.
Pattern to mirror for control-plane (from test.yml api-tests, lines 95–106 — not AlfaClub’s no-install path):
- uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: '20'
cache: 'pnpm'
cache-dependency-path: frontend/pnpm-lock.yaml
- run: pnpm --dir frontend install --frozen-lockfile
- run: pnpm --dir frontend run control-plane:stuck-scan
working-directory: ... # or drop defaults.run working-directory
Summary table (audit vs repo)
| Finding | Verified? | Detail |
|---|---|---|
H-4 Semgrep | tee / no explicit gate | Partially | No explicit shell/pipefail/findings step; GHA default -o pipefail may still fail the step on non-zero docker exit |
| H-5 Guards not all in CI | Yes | guard:frontend-boundaries and kpr typecheck absent; guard:server-core-boundary + guard:schema present in api-tests |
| H-5 Committed violations | Yes | 5 api→src, 7 server-core-boundary, 1 raw DDL (static match to guard rules) |
| H-6 Control-plane cron broken | Yes | npm + missing package-lock.json on a pnpm frontend |
[REDACTED]
Was this page helpful?