Skip to content

fix(miner): catch undocumented LOOPOVER_MINER_* env vars in DEPLOYMENT.md audit (#6601)#6719

Closed
thomasalvaedison7777-lgtm wants to merge 2 commits into
JSONbored:mainfrom
thomasalvaedison7777-lgtm:fix/6601-deployment-docs-audit-reverse-env
Closed

fix(miner): catch undocumented LOOPOVER_MINER_* env vars in DEPLOYMENT.md audit (#6601)#6719
thomasalvaedison7777-lgtm wants to merge 2 commits into
JSONbored:mainfrom
thomasalvaedison7777-lgtm:fix/6601-deployment-docs-audit-reverse-env

Conversation

@thomasalvaedison7777-lgtm

Copy link
Copy Markdown
Contributor

Summary

  • Extend the miner DEPLOYMENT.md accuracy audit with a reverse-direction check: every real LOOPOVER_MINER_* read that is not _DB-suffixed and not documented fails CI by name (DEPLOYMENT.md accuracy audit never flags real env vars that are undocumented (one-directional only) #6601).
  • Expose reality.envReads from the existing scanEnvVarTokens scan (no new source walking) and document the thirteen previously missing operator env knobs in DEPLOYMENT.md.
  • Keep forward checks unchanged; bare MINER_* aliases stay reverse-exempt; the generic LOOPOVER_MINER_<NAME>_DB family stays reverse-exempt.

Closes #6601

Scope

  • The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • I linked a currently open issue this PR resolves (e.g. Closes #123) — a linked open issue is required for every contributor PR.

Validation

  • git diff --check
  • npm run actionlint
  • npm run typecheck
  • npm run test:coverage locally; codecov/patch requires ≥99% coverage of the lines AND branches you changed (aim for 100% on your diff so CI variance does not fail near the threshold). Global coverage is a non-blocking trend with a loose 90% backstop, not the gate.
  • npm run test:workers
  • npm run build:mcp
  • npm run test:mcp-pack
  • npm run ui:openapi:check
  • npm run ui:lint
  • npm run ui:typecheck
  • npm run ui:build
  • npm audit --audit-level=moderate
  • New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

  • Full test:ci / coverage gate not run yet in this session; targeted unit tests (miner-deployment-docs-audit, check-miner-deployment-docs) and npm run test:miner-deployment-docs-audit passed. Run the full local gate before push.

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
  • Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
  • Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests.
  • API/OpenAPI/MCP behavior is updated and tested where needed.
  • UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks.
  • Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository.
  • Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

UI Evidence

N/A — markdown/docs-audit change only; no visible UI surface.

Notes

  • Reverse check scopes to LOOPOVER_MINER_ prefix and excludes *_DB (generic pattern already in the doc). Bare MINER_* remains forward-only.

- Updated DEPLOYMENT.md to include additional environment variable configurations for the loopover miner, enhancing operator guidance.
- Modified the deployment documentation audit to include a reverse check for undocumented LOOPOVER_MINER_* environment variables, ensuring all reads are documented.
- Added tests to validate the new audit functionality, confirming that undocumented environment variables are flagged appropriately.

Closes JSONbored#6601
@superagent-security

Copy link
Copy Markdown
Contributor

Test comment from superagent scan

@superagent-security superagent-security Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test review

@superagent-security superagent-security Bot added pr:flagged PR flagged for review by security analysis. and removed pr:flagged PR flagged for review by security analysis. labels Jul 16, 2026
@superagent-security

superagent-security Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

Co-authored-by: Cursor <cursoragent@cursor.com>
@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 16, 2026
@loopover-orb

loopover-orb Bot commented Jul 16, 2026

Copy link
Copy Markdown

Caution

🛑 LoopOver review result - fixes required

Review updated: 2026-07-16 23:47:16 UTC

6 files · 1 AI reviewer · no blockers · CI failing · blocked

🛑 Suggested Action - Fix Blockers

Review summary
This PR adds a reverse-direction check to the miner's DEPLOYMENT.md audit: any real LOOPOVER_MINER_* env var read (not _DB-suffixed) that isn't documented now fails CI, closing the one-directional gap in #6601. It backfills the thirteen previously-undocumented env vars into DEPLOYMENT.md and adds a reasonably thorough test suite covering the exemptions (bare MINER_* aliases, _DB family) and the new envReads surface. The logic in auditDeploymentDocs is straightforward and the new tests exercise both the forward and reverse paths against real reality objects, not just fabricated fixtures.

Nits — 5 non-blocking
  • scripts/check-miner-deployment-docs.mjs:39 comment says 'Enumerable copy of the same scan hasEnvRead queries' but envReads is the actual Set reference, not a copy — minor comment inaccuracy, not a defect.
  • The reverse check in deployment-docs-audit.js only exempts the generic _DB suffix, so any future non-_DB per-instance env var family added to the miner will need an explicit doc entry per name — worth a short note in the JSDoc for future maintainers, though this matches the PR's stated design.
  • DEPLOYMENT.md's new 'Other operator env knobs' list duplicates content that could drift from docs/env-reference.md; consider a single source of truth or an explicit cross-reference note (partially present already via the parenthetical).
  • Consider extracting the LOOPOVER_MINER_*_DB exemption regex/suffix check into a named constant (e.g. GENERIC_DB_SUFFIX) in deployment-docs-audit.js for readability, mirroring the existing pattern constants at the top of the file.
  • In check-miner-deployment-docs.mjs:39, tighten the comment to say 'reference to' rather than 'copy of' to avoid confusion about mutability/aliasing.

CI checks failing

  • validate
  • changes

Decision drivers

  • ✅ Code review — No blockers (1 reviewer)
  • ✅ Gate result — Passing (No configured blocker found.)
Context & advisory signals — never blocks the verdict
Signal Result Evidence
Linked issue ✅ Linked #6601
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ❌ 8/20 High review scope from cached public metadata (1 linked issue).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 0 registered-repo PR(s), 0 merged, 1 issue(s).
Contributor context ✅ Confirmed Gittensor contributor thomasalvaedison7777-lgtm; Gittensor profile; 0 PR(s), 1 issue(s).
Improvement ✅ Minor risk: clean · value: minor · LLM: moderate
Review context
  • Author: thomasalvaedison7777-lgtm
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: JavaScript, TypeScript
  • Official Gittensor activity: 0 PR(s), 1 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Start here: Add a concise scope and risk note.
  • Then work through the remaining 1 step in the Signals table above.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
🧪 Chat with LoopOver

Ask LoopOver a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @loopover ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @loopover chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @loopover mention with a real question is routed to the closest matching read-only command automatically — no exact syntax required.

Full command reference: https://loopover.ai/docs/loopover-commands

🧪 Experimental — new and may change.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.

  • Re-run LoopOver review

@loopover-orb

loopover-orb Bot commented Jul 16, 2026

Copy link
Copy Markdown

LoopOver is closing this pull request on the maintainer's behalf (CI is failing (validate, changes)). This is an automated maintenance action — to pursue this change, please open a new pull request with the issues resolved. Closed PRs may be analyzed later to improve review accuracy, but they are not automatically reopened or re-reviewed.

@loopover-orb loopover-orb Bot closed this Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

DEPLOYMENT.md accuracy audit never flags real env vars that are undocumented (one-directional only)

1 participant