Skip to content

fix(miner-extension): guard the live-fetch sync path against the storage quota#7062

Merged
JSONbored merged 1 commit into
JSONbored:mainfrom
shin-core:fix/extension-live-fetch-quota-guard-7006
Jul 17, 2026
Merged

fix(miner-extension): guard the live-fetch sync path against the storage quota#7062
JSONbored merged 1 commit into
JSONbored:mainfrom
shin-core:fix/extension-live-fetch-quota-guard-7006

Conversation

@shin-core

Copy link
Copy Markdown
Contributor

What

syncRankedCandidatesFromMinerUi (apps/loopover-miner-extension/background.js) — the live-fetch replacement for manual paste — wrote fetched ranked candidates to chrome.storage.local with no size check. The manual-paste flow in options.js already guards against this: it measures the real serialized UTF-8 byte size (via TextEncoder, not JS string .length) against the shared 10 MiB QUOTA_BYTES limit, because an unbounded write can silently fail or leave storage in a partial state (#4863). The live-fetch path never got the equivalent guard, so the same #4863 failure mode could still happen through it.

How

Measure the serialized byte size of the fetched candidates before the chrome.storage.local.set(...) call, against the same 8 MiB ceiling options.js enforces. On an over-quota result, return the function's existing typed { ok: false, error, minerUiUrl } shape (matching every other failure branch and its documented "never throws" contract) rather than writing a partial payload.

Validation

Tests added to the existing test/background.test.ts: an over-quota live-fetch payload is rejected with ok: false and no chrome.storage.local.set call (localSetCalls stays empty), while a within-quota payload still writes normally. Confirmed the over-quota test fails against the unfixed code (it writes the partial payload) and passes with the fix. miner-extension:lint/typecheck and the extension test suite (26 tests) pass; the guard's lines are fully covered.

Closes #7006

…age quota

syncRankedCandidatesFromMinerUi wrote fetched ranked candidates to
chrome.storage.local with no size check, unlike options.js's manual-paste
flow which measures the real serialized UTF-8 byte size against the shared
10 MiB QUOTA_BYTES limit (JSONbored#4863). A large live-fetch result could silently
write a partial payload past the quota via this path.

Apply the same TextEncoder byte-size guard before the storage write,
returning the function's existing typed { ok: false, error, minerUiUrl }
shape on an over-quota result rather than writing a partial payload.

Closes JSONbored#7006
@shin-core
shin-core requested a review from JSONbored as a code owner July 17, 2026 20:13
@superagent-security superagent-security Bot added the contributor:flagged Contributor flagged for review by trust analysis. label Jul 17, 2026
@superagent-security

Copy link
Copy Markdown
Contributor

🚨 Contributor flagged. Click here for more info: Superagent Dashboard

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 17, 2026
@loopover-orb

loopover-orb Bot commented Jul 17, 2026

Copy link
Copy Markdown

Warning

⏸️ LoopOver review result - manual review recommended

Review updated: 2026-07-17 20:22:22 UTC

2 files · 1 AI reviewer · no blockers · CI green · unstable

⏸️ Suggested Action - Manual Review

Review summary
This PR ports the existing options.js byte-size quota guard to the live-fetch path in background.js, adding an 8 MiB ceiling check via TextEncoder before the chrome.storage.local.set call, and returns the function's existing typed ok:false shape on overflow rather than writing a partial payload. The fix is correctly placed at the actual write site (not a symptom patch), the two new tests genuinely exercise the real code path (one oversized payload that must trip the check, one within-quota payload that must still write), and the described validation (test fails against unfixed code, passes with fix) is credible given the code shown. This closes #7006 as claimed and is a narrowly-scoped, low-risk change.

Nits — 2 non-blocking
  • The oversized test builds ~9k objects with a 1KB filler string plus JSON overhead to exceed 8 MiB — this is a reasonable but somewhat fragile way to hit the exact boundary; a comment noting the approximate resulting byte count would help future maintainers avoid accidentally shrinking it below the threshold.
  • background.js:14-16 hardcodes 8 MiB separately from options.js's own constant instead of importing/sharing one source of truth, so the two ceilings could silently drift apart in a future edit — consider extracting a shared constant if options.js's guard is in an importable module.
Flagged checks (non-blocking)
  • Contributor trust — Contributor flagged for review

Decision drivers

  • ✅ Code review — No blockers (1 reviewer)
  • ✅ Gate result — Passing (No configured blocker found.)
Context & advisory signals — never blocks the verdict
Signal Result Evidence
Linked issue ✅ Linked #7006
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (1 linked issue).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 55 registered-repo PR(s), 33 merged, 0 issue(s).
Contributor context ✅ Confirmed Gittensor contributor shin-core; Gittensor profile; 55 PR(s), 0 issue(s).
Improvement ✅ Minor risk: clean · value: minor
Review context
  • Author: shin-core
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 55 PR(s), 0 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Keep the PR focused and include validation evidence before maintainer review.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
🧪 Chat with LoopOver

Ask LoopOver a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @loopover ask <question> answers contribution-quality Q&A with source citations and freshness.
  • @loopover chat <question> answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @loopover mention with a real question is routed to the closest matching read-only command automatically — no exact syntax required.

Full command reference: https://loopover.ai/docs/loopover-commands

🧪 Experimental — new and may change.

Visual preview
Route Viewport Before (production) After (this PR's preview) Diff
/ desktop before /
before /
after /
after /
/ mobile before / (mobile)
before / (mobile)
after / (mobile)
after / (mobile)

Click any thumbnail to open the full-size screenshot. Before = production · After = this PR's preview deploy.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.

  • Re-run LoopOver review

@loopover-orb loopover-orb Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LoopOver approves — the gate is satisfied and CI is green.

@JSONbored
JSONbored merged commit 0a2484f into JSONbored:main Jul 17, 2026
7 of 8 checks passed
galuis116 pushed a commit to galuis116/gittensory that referenced this pull request Jul 18, 2026
…ve-fetch vm sandbox

node:vm's createContext() is a fresh, isolated realm with none of the
outer process's globals. background.js's live-fetch path bounds its
fetch with AbortSignal.timeout(...) (#4c0b19f4) and measures the real
serialized byte size via TextEncoder for the quota guard (JSONbored#7062), but
the test harness never injected either global into the sandbox --
every call on the success path threw "<Global> is not defined",
caught by the function's own try/catch and silently misreported as a
typed failure result instead of a real one.

Confirmed this isn't CI flakiness: reproduced deterministically outside
CI, on every run, for any candidates payload that reaches the success
path (all 4 of the 7 originally-failing tests exercise that path; the
other 3 return early on a non-2xx/malformed/thrown-fetch branch before
ever touching either global).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

contributor:flagged Contributor flagged for review by trust analysis. gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Extension live-fetch sync path bypasses the storage-quota byte-size guard options.js enforces

2 participants