Skip to main content

Parallel analysis lane

[← Source sessions](/audits/fable/key-sessions) · [Transcript archive](/audits/fable/transcripts) · [Executive summary](/audits/fable/findings-summary)
# Parallel analysis lane | Field | Value | | --- | --- | | Session ID | `749593e8-1fad-4a72-a099-547b6864c607` | | Lead session | `059adbec-9820-45a8-9c18-399e4a7f9870` | | Record type | Parallel workstream export | :::note[Appendix record] Readable export of a supplementary review session. Tool outputs and system context are omitted; download the [JSONL archive](/audits/fable-chats-4626-2026-06.zip) for the complete log. ::: ## Engagement brief

In the repo /home/akitav2/projects/4626, verify three CI audit findings:

H-4: In .github/workflows/security-scanning.yml (~lines 217-227), read the Semgrep step. Report the exact run block, whether shell: bash or set -o pipefail is present, whether there's any explicit exit-on-findings step after the | tee, and what the default shell for the job is.

H-5: Read .github/workflows/test.yml in full. Report which jobs exist and exactly which guard/check commands run (looking for guard:schema, guard:frontend-boundaries, guard:server-core-boundary, guard:canonical-csw, kpr typecheck). Then grep all of .github/workflows/ for "guard:frontend-boundaries", "guard:server-core-boundary", "guard:schema", and "kpr typecheck" to confirm which workflows (if any) run them.

Also verify the claimed committed violations: run these and report output:

  • pnpm -C frontend guard:frontend-boundaries — wait, you are read-only; instead read frontend/scripts/check-frontend-boundaries.mjs and check-server-core-boundary.mjs to understand what they check, and look at the flagged files: frontend/api/_handlers/deploy/_vanityPerVaultVersion.ts, _vanityShareOftSalt.ts, frontend/api/_handlers/deploy/v2/session/_createCore.ts, frontend/api/_handlers/onboarding/_preview-add-owner.ts (check imports from src/), and frontend/api/_handlers/admin/ethos/_health.ts, _indexes.ts, _refresh.ts, frontend/api/_handlers/v1/alfaclub/_counter-trade-status.ts (check imports of server/_lib directly), and frontend/server/_lib/agents/base-mcp/approvalFlow.ts (look for raw CREATE TABLE / ADD COLUMN DDL strings). Report the offending import/DDL lines with line numbers, and what the compliant pattern would be (e.g. what do neighboring compliant handlers import instead — check how other api handlers get server-core functionality, and how schemaBootstrap.ts ensureMigrationApplied is used).

H-6: Read .github/workflows/control-plane-stuck-scan.yml in full and .github/workflows/alfaclub-auth-health-monitor.yml (as the working pnpm reference). Report the exact broken install steps and the working pattern to mirror.

Be precise with file:line citations.

Analysis

Investigating the three CI audit findings by reading the workflow files and flagged source paths.

[REDACTED]

Tools invoked: UpdateCurrentStep, Read, Read, Read, Read, Grep

Analysis

[REDACTED]

Tools invoked: Read, Grep, Grep, Grep, Grep, Read, Read

Analysis

[REDACTED]

Tools invoked: Grep, Read, Read, Read, Read, Read, Read, Read, Read, Grep

Analysis

[REDACTED]

Tools invoked: Read, Read, Grep, Grep, Read, Grep

Analysis

[REDACTED]

Tools invoked: Grep, Glob, Read, Grep, Read, Grep

Analysis

[REDACTED]

Tools invoked: Grep, Grep, Glob, Read

Analysis

[REDACTED]

Tools invoked: Read, Grep, Grep, Read

Analysis

[REDACTED]

Tools invoked: Read, Grep, Read

Analysis

[REDACTED]

Tools invoked: Read, Grep

Analysis

[REDACTED]

Tools invoked: UpdateCurrentStep

Analysis

H-4 — Semgrep step (security-scanning.yml)

Job: semgrep-api (lines 208–236). No job-level defaults: and no shell: anywhere in .github/workflows/security-scanning.yml.

Exact scan step (lines 217–227):

      - name: Scan API handlers and shared server lib
run: |
docker run --rm -v "$GITHUB_WORKSPACE:/src" semgrep/semgrep:latest semgrep scan \
--metrics=off \
--timeout=5 \
--config=p/typescript \
--config=p/javascript \
/src/frontend/api \
/src/frontend/server/_lib \
/src/frontend/packages/server-core/src \
2>&1 | tee "$RUNNER_TEMP/semgrep.txt"
CheckResult
Explicit shell: bash on this step or jobNo
Explicit set -o pipefail in the run blockNo
Explicit exit-on-findings step after | teeNo — next step is summary-only with if: always() (lines 229–236), no grep/exit 1/Semgrep exit-code check
Job default shellNot set — inherits GitHub Actions platform default for ubuntu-latest run steps: bash with -eo pipefail (not declared in this file)

Nuance vs audit wording: The workflow file does not document pipefail, and there is no dedicated findings gate. With GHA’s default -o pipefail, a non-zero docker run exit should fail the pipeline step unless Semgrep exits 0 despite findings. The summary step text still claims blocking behavior (line 233: “Any finding fails the job”).


H-5 — test.yml jobs, guards, and workflow grep

Jobs in .github/workflows/test.yml

JobGuard/check commands
testbash scripts/check-forbidden-tracked-files.sh; forge build --skip test --sizes; amoe/tools/ci/check_manager_size_warn.sh (continue-on-error: true); forge test -vvv
api-testsguard:server-core-boundary (109); guard:schema (112); guard:canonical-csw (115); guard:output-contract (118); lint (121); check-no-todo-markers.sh (124); guard:generated-output (127); guard:runtime-boundaries (130); guard:api-readjsonbody-maxbytes (133); guard:api-nonv1-hardening (136); guard:test-file-placement (139); guard:arch-b-subaccount-alignment (142); typecheck (145); test (148); report:footprint (187); conditional check:agent-registration (191)
lottery-edge-casesFoundry lottery/edge-case tests only
test-summaryforge test --summary (summary job)
coverageforge coverage (continue-on-error: true)
strategy-reallocator-guardsnode scripts/check-vault-strategy-reallocator-wiring.mjs; pnpm -C kpr test …; Foundry rebalance tests — no kpr typecheck

Grep across .github/workflows/

PatternWorkflows
guard:frontend-boundariesNone (only in frontend/package.json and docs)
guard:server-core-boundarytest.yml line 109 only
guard:schematest.yml line 112 only
guard:canonical-cswtest.yml line 115 only
kpr typecheck / pnpm -C kpr typecheckNone (typecheck in workflows = frontend only, test.yml:145)

Audit claim confirmed: guard:server-core-boundary and guard:schema are wired; guard:frontend-boundaries and kpr typecheck are not.


H-5 — Guard scripts and committed violations (static analysis)

What the guards check

frontend/scripts/check-frontend-boundaries.mjs — three rules (lines 189–196):

  1. src/components/ui must not import src/features/*
  2. Cross-feature imports outside a small allowlist
  3. api/_handlers must not import src/… except ALLOWED_API_TO_SRC (lines 28–36):
    erc8004AgentUriPolicy, finalizeShareBridgeFee, shareBridgeOftWiring, phase1ModuleDeploy, contracts.defaults, bytecode.generated, swapQuoteSanitize

frontend/scripts/check-server-core-boundary.mjs — API handlers must not import banned server/_lib/… paths (e.g. server/_lib/db/postgres.js, server/_lib/auth/session.js); remediation: use @4626/server-core (lines 105–107).

frontend/scripts/guard-no-raw-schema-ddl.mjs — scans frontend/server/ for CREATE TABLE IF NOT EXISTS, CREATE SCHEMA IF NOT EXISTS, ALTER TABLE … ADD COLUMN IF NOT EXISTS (lines 19–23); excludes schemaBootstrap.ts.


guard:frontend-boundaries — 5 api-no-src violations

FileLine(s)Offending importAllowed?
frontend/api/_handlers/deploy/_vanityPerVaultVersion.ts12../../../src/lib/deploy/perVaultVanityVersionSearch.jsNo
frontend/api/_handlers/deploy/_vanityShareOftSalt.ts12sameNo
frontend/api/_handlers/deploy/v2/session/_createCore.ts20–23../../../../../src/lib/deploy/ovaultModuleIdentity.jsNo
frontend/api/_handlers/onboarding/_preview-add-owner.ts33../../../src/lib/relay/goldenRelayPart1Shape.jsNo
same34../../../src/lib/wallet/cswOwnerAbi.jsNo

Same file, allowed src/ imports (_createCore.ts): lines 18–19, 24–30, 77, 79 use allowlisted modules (contracts.defaults, finalizeShareBridgeFee, phase1ModuleDeploy, shareBridgeOftWiring, bytecode.generated).

Compliant pattern: Move helpers to packages/server-core, or add explicit entries to ALLOWED_API_TO_SRC in check-frontend-boundaries.mjs (lines 28–36) with justification.


guard:server-core-boundary — 7 violations

FileLine(s)Banned specifiers
frontend/api/_handlers/admin/ethos/_health.ts3–4server/_lib/db/postgres.js, server/_lib/auth/session.js
frontend/api/_handlers/admin/ethos/_indexes.ts3–4same
frontend/api/_handlers/admin/ethos/_refresh.ts3–4same
frontend/api/_handlers/v1/alfaclub/_counter-trade-status.ts15server/_lib/db/postgres.js only (lines 2–8 already use @4626/server-core)

Compliant pattern (e.g. frontend/api/_handlers/admin/waitlist/_list.ts lines 3–12, admin/userop/_health.ts lines 3–11):

import {
getDb,
getSessionAddress,
isAdminAddress,
// …
} from '@4626/server-core'

Domain-specific server/_lib/… imports remain OK when not on the banned list (e.g. _list.ts line 16: supabaseAdmin.js).


guard:schema — 1 violation

frontend/server/_lib/agents/base-mcp/approvalFlow.ts lines 115–127:

    await db.sql`
CREATE TABLE IF NOT EXISTS base_mcp_approval_requests (
request_id TEXT PRIMARY KEY,
client_request_id TEXT NOT NULL,
approval_url TEXT NOT NULL,
user_id TEXT NOT NULL,
execution_mode TEXT NOT NULL CHECK (execution_mode IN ('canonical', 'eoa')),
sender TEXT NOT NULL,
status TEXT NOT NULL CHECK (status IN ('pending', 'approved', 'rejected', 'expired')),
created_at TIMESTAMPTZ NOT NULL,
expires_at TIMESTAMPTZ NOT NULL,
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
`

No matching migration under supabase/migrations/ for base_mcp_approval_requests.

Compliant pattern: Add DDL in supabase/migrations/, then bootstrap via ensureMigrationApplied in schemaBootstrap.ts (see lines 226–261) inside a named ensure*Schema helper — same pattern as control-plane migrations at lines 282–283.


H-6 — control-plane-stuck-scan.yml vs alfaclub-auth-health-monitor.yml

Broken workflow — full file

name: Control Plane Stuck Scan

on:
schedule:
- cron: '*/30 * * * *'
workflow_dispatch:

jobs:
stuck-scan:
runs-on: ubuntu-latest
defaults:
run:
working-directory: frontend
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
cache: npm
cache-dependency-path: frontend/package-lock.json
- run: npm ci
- name: Run control-plane stuck scan
env:
DATABASE_URL: ${{ secrets.DATABASE_URL }}
CONTROL_PLANE_STUCK_FAIL_ON_FOUND: '1'
CONTROL_PLANE_ALERT_WEBHOOK_URL: ${{ secrets.CONTROL_PLANE_ALERT_WEBHOOK_URL }}
run: npm run control-plane:stuck-scan

Problems:

  1. cache: npm + cache-dependency-path: frontend/package-lock.json — no frontend/package-lock.json in repo (pnpm-only).
  2. npm ci — frontend uses pnpm-lock.yaml, not npm lockfile.
  3. Unpinned actions (@v4) vs pinned SHAs elsewhere.
  4. No pnpm/action-setup — script is "control-plane:stuck-scan": "tsx --env-file=.env scripts/control-plane-stuck-operations.ts" (frontend/package.json:76), so deps must be installed via pnpm.

Working reference — alfaclub-auth-health-monitor.yml

jobs:
probe:
name: Probe /api/v1/alfaclub/chat-auth-health
runs-on: ubuntu-latest
timeout-minutes: 3
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 1

- name: Use Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: '20'

- name: Run health monitor
env:
ALFACLUB_HEALTH_CRON_SECRET: ${{ secrets.ALFACLUB_HEALTH_CRON_SECRET }}
ALFACLUB_HEALTH_URL: ${{ vars.ALFACLUB_HEALTH_URL }}
run: node frontend/scripts/alfaclub-auth-health-monitor.mjs

Why AlfaClub works: Zero-deps script run with plain node — no install step.

Pattern to mirror for control-plane (from test.yml api-tests, lines 95–106 — not AlfaClub’s no-install path):

- uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: '20'
cache: 'pnpm'
cache-dependency-path: frontend/pnpm-lock.yaml
- run: pnpm --dir frontend install --frozen-lockfile
- run: pnpm --dir frontend run control-plane:stuck-scan
working-directory: ... # or drop defaults.run working-directory

Summary table (audit vs repo)

FindingVerified?Detail
H-4 Semgrep | tee / no explicit gatePartiallyNo explicit shell/pipefail/findings step; GHA default -o pipefail may still fail the step on non-zero docker exit
H-5 Guards not all in CIYesguard:frontend-boundaries and kpr typecheck absent; guard:server-core-boundary + guard:schema present in api-tests
H-5 Committed violationsYes5 api→src, 7 server-core-boundary, 1 raw DDL (static match to guard rules)
H-6 Control-plane cron brokenYesnpm + missing package-lock.json on a pnpm frontend

[REDACTED]