4 issues found across 12 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

Actionable comments posted: 8

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/commands/verify/finding.ts`:
- Around line 30-35: The endpoint and message values passed to
trackVerifyFinding are raw user input that may contain sensitive data like
emails, tokens, or URL query parameters, creating a PII/secrets leakage risk in
analytics. Create two helper functions in this file (sanitizeEndpoint and
sanitizeMessage) that remove query strings from endpoints and redact email
addresses and bearer tokens from messages using regex patterns, then apply these
functions to opts.endpoint and opts.message before passing them to the
trackVerifyFinding call.

In `@src/commands/verify/rls.ts`:
- Around line 47-67: The helper functions login, getAnonKey, rawsqlRows, and
recordsCount make live API calls without timeout or abort handling, which can
cause indefinite blocking if network calls hang and stall CI. For each of these
functions, implement AbortController with a reasonable timeout (e.g., 30
seconds), pass the abort signal to the fetch or HTTP calls, and add proper error
handling to catch and handle AbortError and timeout scenarios by throwing or
returning meaningful errors instead of hanging indefinitely.

In `@src/commands/verify/truth.ts`:
- Around line 30-42: The rawsqlRows() database call is executed before
validating that the required expectation flags are provided, causing unnecessary
database calls for invalid input. Move the validation check that throws CLIError
(checking that either opts.expectCount or opts.expect is defined) to execute
before the rawsqlRows() call. This ensures the function fails fast with
validation errors before attempting to query the database, avoiding wasted
resources on invalid requests.

In `@src/lib/analytics.ts`:
- Around line 149-167: The trackVerifyFinding function currently sends
potentially sensitive data in the endpoint and message fields, which can contain
emails, tokens, or query parameters. Instead of the current approach of
filtering safeEvidence and then sending all other fields, implement a whitelist
approach where you only include known-safe fields in the captureEvent call. Keep
only the safe structured fields like finding_type, passed, table, kind, and
status, and for the evidence data, explicitly whitelist only the safe evidence
keys (such as row count metrics) rather than filtering out unsafe ones. Remove
or transform the raw endpoint and message fields before sending them to avoid
leaking PII.

In `@src/lib/browser-mcp.ts`:
- Around line 90-92: The execAsync call in the MCP presence probe (checking for
MCP_SERVER_NAME using the "claude mcp get" command) lacks a timeout, which could
cause the install/link flow to hang indefinitely if the command becomes
unresponsive. Add a timeout option to the execAsync call to ensure it fails
after a reasonable duration (such as a few seconds) rather than waiting
indefinitely. This will allow the promise chain to proceed to the catch block if
the command times out.

In `@src/lib/skills.ts`:
- Around line 175-177: The log message in the clack.log.info call is too
assertive and inaccurate. The condition configured.length === 0 can result from
either no supported agent being found OR agent setup failure (with errors being
swallowed). Replace the message "No supported agent found to auto-configure the
browser MCP" with a non-assertive message that acknowledges both possibilities,
such as something that indicates the browser MCP could not be auto-configured
rather than definitively stating no agent was found. Keep the helpful Claude
configuration instruction at the end of the message.

In `@src/lib/verify-probe.ts`:
- Around line 99-145: Add timeout protection to prevent indefinite hangs in the
four fetch functions: login, getAnonKey, rawsqlRows, and recordsCount. For each
function, create an AbortController and set a timeout that aborts the fetch
operation if it exceeds a reasonable duration (e.g., 30 seconds). Pass the abort
signal to the fetch request via the signal option in the fetch options object,
and wrap each fetch call in a try-catch block to handle the AbortError that
occurs when the timeout fires, converting it to a meaningful error message that
includes the operation name and timeout details.
- Around line 61-67: The isReadOnlyQuery function allows dangerous SELECT ...
INTO statements that create or populate tables in PostgreSQL despite passing the
read-only check. Add a regex pattern to the guard that detects and rejects
queries containing the INTO keyword used in conjunction with SELECT statements,
similar to how the function currently rejects INSERT, UPDATE, DELETE, and other
write operations. This check should be added alongside the existing keyword
rejection pattern on line 66 to prevent database mutation through CREATE TABLE
AS SELECT or SELECT ... INTO constructs.

---

Nitpick comments:
In `@src/lib/verify-probe.test.ts`:
- Around line 52-78: The isReadOnlyQuery test suite does not have coverage for
PostgreSQL's SELECT ... INTO statement form which creates or modifies tables and
should be rejected. Add a new test case within the describe('isReadOnlyQuery')
block, after the existing rejection tests, that uses it() to test that
isReadOnlyQuery rejects various forms of SELECT ... INTO statements such as
SELECT ... INTO new_table, SELECT ... INTO TEMP table, and similar variations.
Ensure each expectation calls isReadOnlyQuery with these statements and expects
false to be returned.

Code review — feat/agent-e2e-verify (PoC)

Summary: A well-structured, defensively-coded PoC that adds hidden verify rls/truth/finding probes (pure, unit-tested verdict logic + thin fetch wiring), PII-stripping analytics, browser-MCP auto-setup, and Playwright deploy-exclude patterns — no blocking issues, a few convention/scope items worth addressing before this graduates from PoC.

Requirements context

No spec/plan under docs/specs/ matches this PR — the documents there cover diagnose and db-migrations, not agent-E2E/verify. Assessed against the PR description (cubic/Macroscope summaries) and the repo conventions in DEVELOPMENT.md. No invented requirements.

Critical

(none) — no correctness, security, data-loss, or behavior-breaking issues found.

Suggestion

Software engineering / telemetry — event name breaks the cli_<feature>_<action> convention. src/lib/analytics.ts:171 emits 'verify_finding', but every other helper in this file uses the cli_*_invoked shape (cli_diagnose_invoked, cli_config_invoked, …) per DEVELOPMENT.md §2 ("Use the cli_<feature>_<action> convention. Keep event names stable."). Recommend cli_verify_finding (or similar) for dashboard consistency. It's a new event so nothing breaks today, but the name should land right the first time.

Functionality / scope — installSkills(withBrowserMcp = true) is "opt-in" in the comment only. src/lib/skills.ts:88 defaults the new param to true and none of the six call sites (create.ts:443, link.ts:127/246/308/492/534) ever pass false, so the comment at skills.ts:156 ("Opt-in") doesn't match reality — every insforge link/create now mutates global, outside-the-project agent config (claude mcp add -s user, ~/.cursor/mcp.json, ~/.codex/config.toml). This also runs under --json (automation/CI) where output is suppressed but the writes still happen. The merges are careful (idempotent, malformed-JSON-safe, preserve other servers — nicely tested), so this is UX/scope rather than data-loss, but I'd wire a real opt-out (CLI flag or prompt) or make it genuinely opt-in before merge.

Security / testing — the redaction path has no direct tests. sanitizeEndpoint/sanitizeMessage (src/lib/analytics.ts:152-165) are the guard that keeps emails/tokens/PII out of PostHog, yet they have no unit tests, while the pure verdict helpers (classifyRls/classifyTruth/isReadOnlyQuery/isSafeIdentifier/isLikelyEmail) are thoroughly covered. The redaction regexes are exactly the kind of code a test should pin (e.g. token boundary, multiple emails, the 500-char truncation). Add cases for these.

Security — isReadOnlyQuery is keyword-based and won't catch side-effecting function calls. src/lib/verify-probe.ts (isReadOnlyQuery) blocks DML/DDL/chaining/INTO/CTE-DML well, but a query like SELECT some_mutating_fn() passes the guard and runs through runRawSql with the admin key (oss.ts:22, "superadmin access"). Acceptable for a hidden experimental probe, but worth a code comment acknowledging the gap (or routing reads through a lower-privilege path) before this is exposed more widely.

Information

• Convention — direct fetch in verify-probe.ts (login, recordsCount) deviates from DEVELOPMENT.md §1 ("Do not call fetch directly … add a typed wrapper to oss.ts"). Here it's justified — RLS probing needs per-user/anon tokens, and ossFetch hard-codes the admin api_key Bearer (oss.ts:113-125), so it genuinely can't be reused. Consider a small typed wrapper or a note so the deviation is intentional-on-the-record.
• Telemetry shape — trackVerifyFinding (analytics.ts:171) omits the standard project_name/org_id/region/oss_mode properties the other track* helpers all include; adding them keeps verify_finding groupable like the rest.
• Convention — flush in finally. verify/{rls,truth,finding}.ts call await shutdownAnalytics() inline after the capture rather than in a finally block (DEVELOPMENT.md §2). Functionally fine (it immediately follows the only capture), just not the documented pattern.
• SQL interpolation in rls.ts — the auth.users email lookup (rls.ts, select id from auth.users where email='...') interpolates after isLikelyEmail validation + single-quote escaping; safe given runRawSql has no parameter binding. Defense-in-depth is present; noted only because raw interpolation always deserves a second look.
• agent-skills sync (DEVELOPMENT.md §3) — the new hidden verify commands and the browser-MCP behavior should be reflected in the insforge-verify skill in InsForge/agent-skills; the PR doesn't mention a companion update.
• --expect-count is compared as a trimmed string (truth.ts → classifyTruth(rows.length, String(opts.expectCount))), so --expect-count 03 mismatches 3 rows. Minor.

Strengths worth calling out

• The empty-token guard (rls.ts) and assertOk (verify-probe.ts) both close genuinely subtle false-pass traps — an empty token or a non-2xx being silently read as "0 rows / isolation holds." That's the right instinct for a verification tool.
• Strong, well-tested input validation (isSafeIdentifier/isLikelyEmail/isReadOnlyQuery) and config-merge robustness (malformed/array/primitive JSON, idempotency).
• Deploy exclude patterns (deploy.ts:53) are correct and scoped.

Verdict

approved (informational — no Critical findings; posted as a COMMENT, a human still gives the GitHub green-check via the approve flow). The Suggestions, especially the default-on global-config mutation and the untested redaction path, are worth resolving before this PoC graduates to a shipped feature.

Summary
This PR adds useful verify/MCP plumbing, but the current implementation has one security blocker and one core correctness blocker in the new verify commands.

Requirements context
I could not find repo docs that define verify beyond this PR, so I assessed intent primarily from the PR description and the inline command descriptions in src/commands/verify/*.ts. For project conventions, I also used DEVELOPMENT.md, especially the command/error/output and analytics guidance. I was not able to execute the Vitest suite in this workspace because vitest is not installed (sh: vitest: not found).

Findings

Critical

• src/lib/verify-probe.ts:55-69, src/lib/api/oss.ts:13-29: verify truth is presented as a single read-only query, but the guard is only a regex over the SQL text before passing it to runRawSql, which executes with the project API key's superadmin privileges. That still allows side-effecting statements hidden behind SELECT/WITH via mutating SQL functions, so the command does not actually provide the safety guarantee it advertises.
• src/commands/verify/rls.ts:18-20, src/commands/verify/rls.ts:60-65: the anonymous control is checking the entire table (recordsCount(..., undefined, undefined, anon)) instead of checking the same owner-scoped filter used for user A. Any table that intentionally exposes some public rows will be reported as rls_leak even when B and anonymous users cannot read A's rows, which breaks the command's stated behavior of verifying "B cannot read A, A can read own".

Suggestion

• DEVELOPMENT.md:48-53, src/lib/analytics.ts:154-180, src/commands/verify/finding.ts:18-34: this change starts sending sanitized-but-still-free-form message and endpoint text to PostHog. That conflicts with the repo's telemetry guidance to never send user-entered free text, and the current redaction only covers query strings, emails, and long token-like substrings. I would strongly prefer reducing this event to structured fields (finding_type, kind, status, table, booleans/counts) and dropping the free-text properties entirely.
• src/commands/verify/finding.ts:11-47, src/commands/verify/rls.ts:15-84, src/commands/verify/truth.ts:9-68, src/lib/skills.ts:160-188: the added tests cover the pure helpers well, but there is still no command-level coverage for the new hidden CLI surface or for the installSkills browser-MCP side effects. That leaves argument parsing, exit-code behavior, and telemetry/flush behavior unverified.

Information

• (none)

Verdict
request_changes — the PR needs fixes for the read-only SQL guarantee and the anonymous RLS probe scope before it is safe to merge.

Actionable comments posted: 4

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/commands/verify/rls.test.ts`:
- Around line 51-56: The test assertions at lines 51-56 and 59-64 are too loose
- they only verify that an exit occurs with `/exit:/` but don't confirm the
rejection is specifically due to the `--owner` or `--user-a` validation guards.
Replace the generic `/exit:/` pattern matching in the toThrow() calls with more
specific validation error messages that confirm the actual validation failure
for each guard (the `--owner` parameter validation in the first test and
`--user-a` parameter validation in the second test) to ensure these tests are
hitting the intended rejection paths and not passing on unrelated early-exit
scenarios.
- Around line 70-75: The test currently validates only the 3rd recordsCount call
with a partial filter match using stringContaining, but the comment indicates
all three probes must use the same owner-scoped filter. Capture the filter
argument from the 1st call to recordsCount, then add assertions to verify that
both the 2nd and 3rd calls use the exact same filter string with strict equality
(not partial matching). This ensures consistency across all three probes as
intended.

In `@src/commands/verify/truth.test.ts`:
- Around line 75-80: The test case `flags false_pass (exit 1) when DB differs
from the claim` currently only validates the exit code but should also verify
analytics behavior on the failure path. Add expect assertions after the
parseAsync call to verify that trackVerifyFinding was called with the
appropriate finding details and that shutdownAnalytics was called to ensure
findings are properly emitted and analytics are properly flushed when
verification fails.
- Around line 59-63: The test for rejecting a non-integer --expect-count only
asserts that an error is thrown but does not verify that the database call to
runRawSql is prevented. Add a spy or mock for the runRawSql function before
calling makeProgram().parseAsync() and include an assertion that verifies
runRawSql was never called. This ensures the command validates the
--expect-count argument before attempting any database operations, preventing
unnecessary live-call leakage when invalid input is provided.

1 issue found across 7 files (changes from recent commits).

<sub>Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic</sub>

Summary
This PR mostly implements the stated hidden verification probes and browser-MCP setup as described, with good input validation and telemetry scrubbing, and I found no blocking issues.

Requirements context
I derived intent primarily from the PR description because I did not find repo documentation for the new hidden verify surface itself; for repo conventions and telemetry expectations, I used DEVELOPMENT.md, especially the command-layout and PostHog guidance.

Findings
Critical
(none)

Suggestion

• src/lib/browser-mcp.ts:104-116 — The Cursor/Codex auto-setup path is gated on ~/.cursor / ~/.codex already existing, even though mergeJsonMcp() and ensureCodexToml() already create parent directories themselves. In practice this means a fresh agent install can hit the “No supported agent found” path and never get the promised auto-configuration until the user has manually launched that agent once.
• src/lib/browser-mcp.ts:17-18, src/lib/skills.ts:175-184 — The generated MCP config hardcodes npx @playwright/mcp@latest --headless. Using @latest makes every future agent session depend on whatever was most recently published upstream, which is both a supply-chain risk and a reproducibility risk for the verification flow this PR is trying to stabilize.
• src/lib/browser-mcp.test.ts:1-109, src/lib/skills.ts:160-188 — The new tests cover the JSON/TOML helper functions, but not the actual configureBrowserMcp() / installSkills() integration path. That leaves the agent-detection logic and user-facing fallback behavior unverified, which is exactly where the .cursor / .codex existence-gate bug above lives.

Information

• src/commands/verify/rls.ts:31-66, src/commands/verify/truth.ts:20-58, src/lib/analytics.ts:143-172 — The new verify commands do a solid job on the main security-sensitive areas: identifier/email validation before SQL or PostgREST usage, non-2xx handling for probe requests, and dropping free-text / sensitive evidence fields before PostHog capture.
• src/commands/deployments/deploy.ts:27-52 — The deployment exclusion additions are low-risk and should reduce unnecessary upload size; I did not see a separate performance regression in the changed paths.

Verdict
approved — no Critical findings. I could not run the new test suites in this checkout because the workspace does not have dev dependencies installed (vitest: not found), so the review is based on static inspection.