Skip to content

feat(miner): add PreToolUse-style deny-hook primitives#2700

Merged
JSONbored merged 1 commit into
JSONbored:mainfrom
dhgoal:feat/miner-deny-hook-primitives
Jul 3, 2026
Merged

feat(miner): add PreToolUse-style deny-hook primitives#2700
JSONbored merged 1 commit into
JSONbored:mainfrom
dhgoal:feat/miner-deny-hook-primitives

Conversation

@dhgoal

@dhgoal dhgoal commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds the PreToolUse-style deny-hook primitives to @jsonbored/gittensory-miner: a pure, deterministic evaluateDenyHooks(toolCall, rules) decision function plus a non-empty built-in DEFAULT_DENY_RULES set, so the miner package has a checked, testable place to enforce house rules before any later phase wires a real coding-agent tool-call loop through it.

This is the deterministic rule-evaluator only — there is no live tool-call interception in this phase (that needs a real coding-agent driver, out of scope here). The module never executes, intercepts, or mutates anything; a later phase's real hook wiring calls the verdict.

A DenyRule is { matcher, pathPattern?, inputIncludesAll?, reason }. A rule fires when its tool-name matcher matches and every constraint it declares matches: pathPattern (a glob) against any path-shaped string in the tool-call input, and/or inputIncludesAll (substrings that must all appear in one string field, e.g. a shell command). Path globs are tested against both the whole input value and each whitespace-separated token of it, so a protected path embedded as a command argument (e.g. git add .github/workflows/ci.yml) is caught without relying on a later caller to tokenize the command first. The built-in rules mirror the forbidden-path regex in scripts/check-mcp-package.mjs — block .github/workflows/**, .env*, **/secret*/**, **/*private*key* — plus a conservative git force-push guard (a command carrying both push and --force). An empty rule set, or a call matching no rule, always allows.

inputIncludesAll is a minimal, data-driven extension of the example DenyRule shape: the required force-push guard is a command-content check that a path glob cannot express, so it is modeled generally (order-independent substring set) rather than as a one-off special case.

Closes #2295.

Follow-up (not in scope here)

The issue also lists wiring a status line into gittensory-miner doctor. That command does not exist yet — it comes from the CLI-entry-point issue (#2288), which is still open (and #2614 is an open PR for the laptop-mode doctor). Adding a doctor command here would duplicate/overlap that work, so the one-line "deny-hook module loads, default rule set non-empty" check is deferred to land alongside the CLI entry point. The primitive and its default set are complete and ready to wire; the non-empty invariant is already pinned by a test here.

Scope

Validation

  • git diff --check
  • npm run typecheck
  • npm run test:coverage locally — the new test/unit/miner-deny-hooks.test.ts passes; the whole suite is green. (This change lives entirely in packages/**, which Codecov does not measure, so it carries no codecov/patch obligation; the logic is nonetheless covered on both sides of every built-in rule.)
  • node --check lib/deny-hooks.js via npm run --workspace @jsonbored/gittensory-miner build
  • npm audit --audit-level=moderate — this PR adds no dependencies, so dependency-review has nothing new to evaluate.
  • New behavior has unit tests for new branches (each built-in rule fires and does not fire; empty-rule-set and no-match allow paths; matcher/pathPattern/array-field/force-push-order composition; malformed-input degrade-to-allow).

If any required check was skipped, explain why:

  • UI/OpenAPI/migration/workers checks are not applicable: this change is a single pure module in packages/gittensory-miner/lib plus its test — no src/**, UI, API schema, DB, or Cloudflare-binding surface is touched.

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed. (The built-in rules reference secret-bearing path patterns as deny targets; no secret values appear.)
  • Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
  • Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests. — n/a: pure decision function, no auth/session/network surface.
  • API/OpenAPI/MCP behavior is updated and tested where needed. — n/a: no API/OpenAPI/MCP surface changed.
  • UI changes use live API data or real states. — n/a: no UI change.
  • Visible UI changes include a UI Evidence section. — n/a: no visible UI, frontend, docs, or extension change.
  • Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

Notes

Additive: two new files (lib/deny-hooks.js + its lib/deny-hooks.d.ts) mirroring the package's existing hand-authored JS+.d.ts pattern (lib/opportunity-fanout.*), one line added to the package build (node --check) gate, and one new test file. No existing code is modified.

Add a pure, deterministic evaluateDenyHooks(toolCall, rules) decision function
plus a non-empty DEFAULT_DENY_RULES set to @jsonbored/gittensory-miner, so the
package has a checked, testable place to enforce house rules before a later
phase wires a real coding-agent tool-call loop through it. No live interception
in this phase — the module never executes, intercepts, or mutates anything.

Built-in rules mirror the forbidden paths in scripts/check-mcp-package.mjs
(.github/workflows/**, .env*, secret-bearing paths, private key material) plus a
conservative git force-push guard (a command carrying both push and --force). An
empty rule set, or a call matching no rule, always allows.

Closes JSONbored#2295.
@dhgoal
dhgoal requested a review from JSONbored as a code owner July 3, 2026 06:41
@superagent-security superagent-security Bot added the contributor:flagged Contributor flagged for review by trust analysis. label Jul 3, 2026
@superagent-security

Copy link
Copy Markdown
Contributor

🚨 Contributor flagged. Click here for more info: Superagent Dashboard

@codecov

codecov Bot commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.13%. Comparing base (a2ea220) to head (171dbc0).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2700      +/-   ##
==========================================
- Coverage   96.15%   96.13%   -0.03%     
==========================================
  Files         240      240              
  Lines       26867    26985     +118     
  Branches     9751     9792      +41     
==========================================
+ Hits        25833    25941     +108     
- Misses        424      433       +9     
- Partials      610      611       +1     

see 2 files with indirect coverage changes

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@loopover-orb

loopover-orb Bot commented Jul 3, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-03 07:22:38 UTC

4 files · 1 AI reviewer · no blockers · readiness 80/100 · CI green · clean

⏸️ Suggested Action - Manual Review

Review summary
This adds a small pure deny-rule evaluator, publishes its type surface, wires the new JS file into the miner build check, and covers the default rules plus custom-rule composition. The implementation is coherent for the stated no-live-interception phase, and the tests exercise the important built-in allow/block paths. The main maintainability concern is that runtime leniency and the TypeScript contract do not quite line up, but nothing in the visible diff will break as written.

Nits — 5 non-blocking
  • nit: packages/gittensory-miner/lib/deny-hooks.d.ts:17 types `input` as a required `Record<string, unknown>`, while packages/gittensory-miner/lib/deny-hooks.js:108 intentionally tolerates malformed or missing input; either loosen the public type or make the runtime contract stricter so callers know what is supported.
  • nit: packages/gittensory-miner/lib/deny-hooks.js:83 treats `inputIncludesAll: []` as a matching constraint because `every()` on an empty array is true, so invalid empty substring rules silently behave like matcher-only rules.
  • nit: packages/gittensory-miner/lib/deny-hooks.js:76 recompiles matcher and path globs on every rule evaluation; this is fine for the tiny default set, but custom larger rule sets would benefit from precompiled rules or documented small-rule-set expectations.
  • In packages/gittensory-miner/lib/deny-hooks.d.ts:17, change `input: Record<string, unknown>` to `input?: Record<string, unknown>` if malformed/missing input is intentionally allowed by the exported API.
  • In packages/gittensory-miner/lib/deny-hooks.js:83, reject empty `inputIncludesAll` arrays or require `needles.length > 0` before considering that constraint satisfied.
Signal Result Evidence
Code review ✅ No blockers 1 reviewer
Linked issue ✅ Linked #2295
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (1 linked issue).
Validation posture ❌ 5/25 Preflight is holding this PR: the review lane is unavailable, so it is not ready for automated review.
Contributor workload ✅ 10/10 Author activity: 0 registered-repo PR(s), 0 merged, 0 issue(s).
Contributor context ❌ No public Gittensor match dhgoal; not a blocker.
Gate result ✅ Passing No configured blocker found.
Review context
  • Author: dhgoal
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Contributor context: Public profile only; not a blocker.
  • PR-specific overlap: none found.
Contributor next steps
  • Await review-lane availability.
  • Refresh registry data or choose a registered active repo.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@JSONbored
JSONbored merged commit 60c85c8 into JSONbored:main Jul 3, 2026
10 checks passed
@JSONbored JSONbored added gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. gittensor labels Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

contributor:flagged Contributor flagged for review by trust analysis. gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier.

Development

Successfully merging this pull request may close these issues.

feat(miner-foundation): PreToolUse-style deny-hook primitives for gittensory-miner

2 participants