didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

PRD: Gitleaks inline suppression supervision #228

Merged
didericis merged 4 commits from issue-208-gitleaks-allow-supervision into main 2026-06-23 17:44:25 -04:00
Conversation 1 Commits 4 Files Changed 7
+352 -6
didericis-codex commented 2026-06-10 03:26:32 -04:00
Collaborator
Copy Link
Copy Source

Closes #208.

PRD: Gitleaks inline suppression supervision

Summary

  • Adds a second git-gate gitleaks pass with --ignore-gitleaks-allow to expose findings hidden by inline suppression.
  • Queues suppressed findings as gitleaks-allow supervisor proposals with ref, file, line, rule, commit, and redacted code context.
  • Fails closed when supervisor routing is unavailable, approval is rejected or malformed, or approval times out.
  • Adds supervisor TUI handling that requires an approval reason and disables modification for this proposal type.

Schema

  • Adds gitleaks-allow to the existing supervisor tool enum; no manifest or storage schema changes.
Closes #208. [PRD: Gitleaks inline suppression supervision](https://gitea.dideric.is/didericis/bot-bottle/src/commit/ca8c5efc229aa6586c4e058969ea51836f2b7da2/docs/prds/prd-new-gitleaks-inline-suppression-supervision.md) ## Summary - Adds a second git-gate gitleaks pass with `--ignore-gitleaks-allow` to expose findings hidden by inline suppression. - Queues suppressed findings as `gitleaks-allow` supervisor proposals with ref, file, line, rule, commit, and redacted code context. - Fails closed when supervisor routing is unavailable, approval is rejected or malformed, or approval times out. - Adds supervisor TUI handling that requires an approval reason and disables modification for this proposal type. ## Schema - Adds `gitleaks-allow` to the existing supervisor tool enum; no manifest or storage schema changes.
didericis force-pushed issue-208-gitleaks-allow-supervision from ca8c5efc22 to 67773b3170 2026-06-10 22:27:41 -04:00 Compare
didericis force-pushed issue-208-gitleaks-allow-supervision from 67773b3170 to 842caf40fe 2026-06-19 21:58:33 -04:00 Compare
didericis force-pushed issue-208-gitleaks-allow-supervision from 842caf40fe to f58490b7fb 2026-06-22 20:30:25 -04:00 Compare
didericis reviewed 2026-06-22 22:01:59 -04:00
bot_bottle/git_gate.py Outdated
@@ -250,0 +364,4 @@
echo "git-gate: queued # gitleaks:allow supervisor approval $proposal_id" >&2
echo "git-gate: approve with './cli.py supervise' to continue this push" >&2
waited=0
while [ "$waited" -lt "$timeout" ]; do
didericis commented 2026-06-22 22:01:59 -04:00
Owner
Copy Link
Copy Source

I think there's a problem with this loop: when I approve a request and the push hangs while waiting for the accept to register, I never seem to get the push to actually finish.

I think there's a problem with this loop: when I approve a request and the push hangs while waiting for the accept to register, I never seem to get the push to actually finish.
didericis added 4 commits 2026-06-23 17:37:41 -04:00
Supervise gitleaks inline allow exceptions 33333ac4d9
docs(prd): add gitleaks allow supervision 83eb9e4041
fix: add TOOL_GITLEAKS_ALLOW to __all__ in supervise.py c666eaa63f
fix: don't archive gitleaks-allow response before gate reads it
test / unit (pull_request) Successful in 41s
Details
test / integration (pull_request) Successful in 18s
Details
lint / lint (push) Successful in 1m52s
Details
prd-number / assign-numbers (push) Successful in 45s
Details
test / unit (push) Successful in 36s
Details
test / integration (push) Successful in 21s
Details
Update Quality Badges / update-badges (push) Successful in 1m19s
Details
88c4f61901 
The TUI was calling archive_proposal for gitleaks-allow immediately
after write_response, moving the response file to processed/ within
microseconds. The git-gate shell loop polls queue_dir for the response
file every second — it never sees it and hangs until timeout.

capability-block is handled by the MCP sidecar which archives after
reading; gitleaks-allow is handled by the shell gate which archives
after processing. Let the gate own the archive step.
didericis force-pushed issue-208-gitleaks-allow-supervision from 09db0eda98 to 88c4f61901 2026-06-23 17:37:41 -04:00 Compare
didericis merged commit 88c4f61901 into main 2026-06-23 17:44:25 -04:00
didericis deleted branch issue-208-gitleaks-allow-supervision 2026-06-23 17:44:25 -04:00
Sign in to join this conversation.
Reviewers
No Reviewers
didericis
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#228
Delete Branch "issue-208-gitleaks-allow-supervision"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?