fix(evaos): require signed Mac-control runtime proof#708
Conversation
|
Warning Review limit reachedYou’ve reached a temporary PR review limit under our Fair Usage Limits Policy. Next review available in: 37 minutes Your organization has reached its usage spending cap. Adjust your spending cap in the billing tab. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (5)
📝 WalkthroughWalkthroughThis PR adds an OpenClaw desktop bridge, signed Mac-control runtime receipts, deployed-route proofs, native Ed25519 verification, expanded release checks, artifact scanning, and coverage for replay protection, redaction, candidate binding, cleanup, and packaging. ChangesMac-control bridge and proof pipeline
Estimated code review effort: 5 (Critical) | ~120 minutes Possibly related issues
Possibly related PRs
Suggested labels: 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@copilot review |
evaOS review status: stale headPR: #708 - fix(evaos): require signed Mac-control runtime proof evaOS review stopped because this queued head is no longer the live PR head. Automation note: agents should wait for this comment to reach PR URL: #708 Details: Superseded by a newer PR head. |
|
@copilot review |
evaOS review status: stale headPR: #708 - fix(evaos): require signed Mac-control runtime proof evaOS review stopped because this queued head is no longer the live PR head. Automation note: agents should wait for this comment to reach PR URL: #708 Details: live=efb53fef9054b72064ec86a61dda86bace496571 |
|
@copilot review |
evaOS review status: completedPR: #708 - fix(evaos): require signed Mac-control runtime proof evaOS review completed for this PR head. Automation note: agents should wait for this comment to reach PR URL: #708 Review URL: #708 (review) |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3e39c6dfab
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Walkthrough
PR: #708 - fix(evaos): require signed Mac-control runtime proof
Head: efb53fef9054b72064ec86a61dda86bace496571 into evaos/beta-rc-20260612. Review event: COMMENT.
Provider: GLM/Z.ai through ZCode (zcode-glm, zcode, model GLM-5.2).
Estimated review effort: 5/5 (~70 min)
Changed Files
| File | Status | Churn | Purpose | Risk |
|---|---|---|---|---|
.github/workflows/evaos-live-canary-proof.yml |
modified | +9/-64 | Changed file | Moderate: validated P3 finding |
.github/workflows/workbench-functional-smoke.yml |
modified | +4/-0 | Changed file | Low |
scripts/afterSign.js |
modified | +1/-0 | Changed file | Low |
scripts/create-mock-release-artifacts.sh |
modified | +12/-1 | Changed file | Low |
scripts/evaosBetaReleaseGate.js |
modified | +124/-54 | Changed file | Moderate: validated P3 finding |
scripts/evaosBrokerLiveCanary.js |
modified | +216/-21 | Changed file | Elevated: large change |
scripts/evaosInstalledAppProductProof.js |
modified | +41/-0 | Changed file | Low |
scripts/evaosScanMacControlProofs.js |
added | +224/-0 | Changed file | Elevated: large change |
scripts/prepareEvaosDesktopBridgeResource.js |
modified | +61/-0 | Changed file | Low |
tests/unit/common-adapter/evaosIpcBridge.dom.test.ts |
modified | +61/-0 | Test coverage | Low |
tests/unit/evaos/evaosBrokerLiveCanary.test.ts |
modified | +172/-34 | Test coverage | Elevated: large change |
tests/unit/evaos/evaosDesktopBridgeReceipt.test.ts |
added | +304/-0 | Test coverage | Elevated: large change |
tests/unit/evaos/evaosInstalledAppProductProof.test.ts |
modified | +24/-0 | Test coverage | Low |
tests/unit/evaos/evaosLiveCanaryWorkflow.test.ts |
modified | +150/-2 | Test coverage | Low |
tests/unit/evaos/evaosNativeCompanionStatus.test.ts |
modified | +22/-0 | Test coverage | Low |
tests/unit/process/evaosBetaReleaseGate.test.ts |
modified | +194/-32 | Test coverage | Elevated: large change |
tests/unit/process/prepareEvaosDesktopBridgeResource.test.ts |
modified | +68/-3 | Test coverage | Low |
Review Signal
Validated inline findings: 3 (P0: 0, P1: 0, P2: 0, P3: 3).
Dropped findings before posting: 0. High-severity findings: 0.
Risk Taxonomy
- CI/build: 1
- Release regression: 2
Validation and Proof
2 required validation/proof recommendation(s) selected from changed files.
- required: TypeScript/web build or CI proof - Runtime TypeScript/web files or package/config files changed. Proof: npm run build; typecheck; focused Vitest; green GitHub check.
- required: CI/release smoke proof - CI, release, launchd, or package metadata changed. Proof: green GitHub check; release-status; coverage-audit; rollback note.
Proof status: missing - 1 required validation/proof recommendation(s) missing from PR metadata.
Profile validation hints: Do not ask for broad local suites when remote CI or fast-smoke proof is the right gate.
Profile proof expectations: Look for focused app smoke, packaged resource checks, or CI artifact proof when relevant.
Related Context
Related issues/PRs: none detected from PR metadata.
Suggested labels: tests.
Suggested reviewers: none from current metadata.
Review Settings Preview
- Profile: assertive
- Enabled sections: Review summary (inline_review); Walkthrough (inline_review); Changed-files table (walkthrough); Effort estimate (walkthrough); Related issues/PRs (walkthrough); Suggested labels (suggestion_only); Review status comment (sticky_status)
- Path instructions:
apps/eva-desktop-mac/**- Check macOS identity, helper path, TCC identity, and packaged resource shape risk. - Path instructions:
scripts/**- Treat release, packaging, and artifact-shape changes as high risk. - Label suggestions: workbench, macos, regression-hardening
- Reviewer suggestions: none
- Suggestion behavior: suggestions only; labels and reviewers are not auto-applied.
- Roadmap-only settings: auto-apply labels; auto-request reviewers; required status checks
Pre-merge checklist
- Inline comments target current RIGHT-side diff lines.
- No secret-like content survived into posted inline comments.
- REQUEST_CHANGES is only used when eligible P0/P1 findings survive validation.
- Required behavior proof is present or not applicable.
- Labels and reviewers are suggestions only; the bot did not auto-apply them.
|
@codex review |
|
@copilot review |
|
@coderabbitai review |
✅ Action performedReview finished.
|
evaOS review status: stale headPR: #708 - fix(evaos): require signed Mac-control runtime proof evaOS review stopped because this queued head is no longer the live PR head. Automation note: agents should wait for this comment to reach PR URL: #708 Details: Superseded by a newer PR head. |
evaOS review status: completedPR: #708 - fix(evaos): require signed Mac-control runtime proof evaOS review completed for this PR head. Automation note: agents should wait for this comment to reach PR URL: #708 Review URL: #708 (review) |
|
@codex review |
|
@copilot review |
|
@copilot review exact head 0241ee8 after deployed Mac-control proof integration. |
|
Note: CodeRabbit's incremental review system only evaluates changes since the last reviewed commit. If all prior threads are already resolved/terminal and no substantive new diff exists beyond that SHA, there may be nothing new to surface — but the review will confirm this. ✅ Action performedReview finished.
|
There was a problem hiding this comment.
Walkthrough
PR: #708 - fix(evaos): require signed Mac-control runtime proof
Head: 0241ee874095618c2195981692fda99ce8e4152a into evaos/beta-rc-20260612. Review event: COMMENT.
Provider: GLM/Z.ai through ZCode (zcode-glm, zcode, model GLM-5.2).
Estimated review effort: 5/5 (~70 min)
Changed Files
| File | Status | Churn | Purpose | Risk |
|---|---|---|---|---|
.github/workflows/evaos-live-canary-proof.yml |
modified | +15/-66 | Changed file | Low |
.github/workflows/pr-checks.yml |
modified | +33/-0 | Changed file | Moderate: validated P3 finding |
.github/workflows/release-distribute.yml |
modified | +3/-0 | Changed file | Low |
.github/workflows/workbench-functional-smoke.yml |
modified | +4/-0 | Changed file | Low |
.gitignore |
modified | +1/-0 | Changed file | Low |
CHANGELOG.md |
modified | +21/-0 | Documentation | Low |
scripts/afterSign.js |
modified | +1/-0 | Changed file | Low |
scripts/create-mock-release-artifacts.sh |
modified | +12/-1 | Changed file | Low |
scripts/evaosBetaReleaseGate.js |
modified | +235/-61 | Changed file | Elevated: large change |
scripts/evaosBrokerLiveCanary.js |
modified | +483/-23 | Changed file | Elevated: large change |
scripts/evaosInstalledAppProductProof.js |
modified | +41/-0 | Changed file | Low |
scripts/evaosLiveCanaryEnvInventory.js |
modified | +29/-0 | Changed file | Low |
scripts/evaosMacControlSignedProof.js |
added | +246/-0 | Changed file | Elevated: large change |
scripts/evaosScanMacControlProofs.js |
added | +366/-0 | Changed file | Elevated: large change |
scripts/evaosValidateLiveCanaryProofRun.sh |
modified | +9/-0 | Changed file | Moderate: validated P3 finding |
scripts/prepareEvaosDesktopBridgeResource.js |
modified | +61/-0 | Changed file | Low |
tests/unit/common-adapter/evaosIpcBridge.dom.test.ts |
modified | +61/-0 | Test coverage | Low |
tests/unit/evaos/evaosBrokerLiveCanary.test.ts |
modified | +308/-59 | Test coverage | Elevated: large change |
tests/unit/evaos/evaosDesktopBridgeControlSafetyP0.test.ts |
modified | +142/-0 | Test coverage | Low |
tests/unit/evaos/evaosDesktopBridgeReceipt.test.ts |
added | +423/-0 | Test coverage | Elevated: large change |
tests/unit/evaos/evaosInstalledAppProductProof.test.ts |
modified | +24/-0 | Test coverage | Low |
tests/unit/evaos/evaosLiveCanaryEnvInventory.test.ts |
modified | +10/-1 | Test coverage | Low |
tests/unit/evaos/evaosLiveCanaryWorkflow.test.ts |
modified | +338/-6 | Test coverage | Elevated: large change |
tests/unit/evaos/evaosNativeCompanionStatus.test.ts |
modified | +22/-0 | Test coverage | Low |
tests/unit/evaos/evaosQaCanaryLocalControl.test.ts |
modified | +161/-1 | Test coverage | Low |
3 additional changed files omitted from this walkthrough.
Review Signal
Validated inline findings: 2 (P0: 0, P1: 0, P2: 0, P3: 2).
Dropped findings before posting: 0. High-severity findings: 0.
Risk Taxonomy
- API compatibility: 1
- CI/build: 1
Validation and Proof
2 required validation/proof recommendation(s) selected from changed files.
- required: TypeScript/web build or CI proof - Runtime TypeScript/web files or package/config files changed. Proof: npm run build; typecheck; focused Vitest; green GitHub check.
- required: CI/release smoke proof - CI, release, launchd, or package metadata changed. Proof: green GitHub check; release-status; coverage-audit; rollback note.
Proof status: missing - 1 required validation/proof recommendation(s) missing from PR metadata.
Profile validation hints: Do not ask for broad local suites when remote CI or fast-smoke proof is the right gate.
Profile proof expectations: Look for focused app smoke, packaged resource checks, or CI artifact proof when relevant.
Related Context
Related issues/PRs: none detected from PR metadata.
Suggested labels: docs, tests.
Suggested reviewers: none from current metadata.
Review Settings Preview
- Profile: assertive
- Enabled sections: Review summary (inline_review); Walkthrough (inline_review); Changed-files table (walkthrough); Effort estimate (walkthrough); Related issues/PRs (walkthrough); Suggested labels (suggestion_only); Review status comment (sticky_status)
- Path instructions:
apps/eva-desktop-mac/**- Check macOS identity, helper path, TCC identity, and packaged resource shape risk. - Path instructions:
scripts/**- Treat release, packaging, and artifact-shape changes as high risk. - Label suggestions: workbench, macos, regression-hardening
- Reviewer suggestions: none
- Suggestion behavior: suggestions only; labels and reviewers are not auto-applied.
- Roadmap-only settings: auto-apply labels; auto-request reviewers; required status checks
Pre-merge checklist
- Inline comments target current RIGHT-side diff lines.
- No secret-like content survived into posted inline comments.
- REQUEST_CHANGES is only used when eligible P0/P1 findings survive validation.
- Required behavior proof is present or not applicable.
- Labels and reviewers are suggestions only; the bot did not auto-apply them.
|
Codex Review: Didn't find any major issues. Already looking forward to the next diff. Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@resources/evaos-beta/bridge/src/evaos_desktop_bridge/cli.py`:
- Around line 3321-3337: The normal customer connector plist path currently
invokes _connector_mac_control_canary_environment() unconditionally, so partial
ambient canary configuration can abort startup. Update _connector_plist_payload
and its callers, including _launchctl_start() → _ensure_connector_user_plist(),
to perform strict canary validation only when an explicit canary-mode marker is
enabled; otherwise omit the canary variables from the plist.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 6f7a5eac-128b-474b-98c7-9071c3ec8674
⛔ Files ignored due to path filters (1)
resources/evaos-beta/bridge/agent-tools/openclaw-plugin/dist/src/runtimeReceipt.jsis excluded by!**/dist/**
📒 Files selected for processing (12)
.github/workflows/evaos-live-canary-proof.ymlresources/evaos-beta/bridge/agent-tools/SOURCE.jsonresources/evaos-beta/bridge/agent-tools/openclaw-plugin/src/runtimeReceipt.tsresources/evaos-beta/bridge/agent-tools/openclaw-plugin/tests/runtimeReceipt.test.mjsresources/evaos-beta/bridge/src/evaos_desktop_bridge/cli.pyscripts/evaosBetaReleaseGate.jsscripts/evaosBrokerLiveCanary.jsscripts/evaosScanMacControlProofs.jstests/unit/evaos/evaosBrokerLiveCanary.test.tstests/unit/evaos/evaosDesktopBridgeReceipt.test.tstests/unit/evaos/evaosLiveCanaryWorkflow.test.tstests/unit/process/evaosBetaReleaseGate.test.ts
📜 Review details
🧰 Additional context used
📓 Path-based instructions (3)
**/*.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{js,jsx,ts,tsx}: Name utility files using camelCase, such as formatDate.ts.
Prefix unused parameters with_.
Format code with Oxfmt using Prettier-compatible rules: inline single-element arrays that fit on one line, require trailing commas in multiline arrays and objects, and use single quotes for strings.
Files:
scripts/evaosScanMacControlProofs.jstests/unit/evaos/evaosLiveCanaryWorkflow.test.tsscripts/evaosBetaReleaseGate.jstests/unit/evaos/evaosDesktopBridgeReceipt.test.tstests/unit/evaos/evaosBrokerLiveCanary.test.tstests/unit/process/evaosBetaReleaseGate.test.tsresources/evaos-beta/bridge/agent-tools/openclaw-plugin/src/runtimeReceipt.tsscripts/evaosBrokerLiveCanary.js
**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{ts,tsx}: Use strict TypeScript; do not useanyand do not leave implicit returns.
Use the path aliases@/*,@process/*, and@renderer/*.
Prefertypeoverinterfaceaccording to the Oxlint configuration.
Write code comments in English and use JSDoc for public functions.
Files:
tests/unit/evaos/evaosLiveCanaryWorkflow.test.tstests/unit/evaos/evaosDesktopBridgeReceipt.test.tstests/unit/evaos/evaosBrokerLiveCanary.test.tstests/unit/process/evaosBetaReleaseGate.test.tsresources/evaos-beta/bridge/agent-tools/openclaw-plugin/src/runtimeReceipt.ts
**/*.{test,spec}.{js,jsx,ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
Use Vitest 4 for tests and maintain at least 80% coverage.
Files:
tests/unit/evaos/evaosLiveCanaryWorkflow.test.tstests/unit/evaos/evaosDesktopBridgeReceipt.test.tstests/unit/evaos/evaosBrokerLiveCanary.test.tstests/unit/process/evaosBetaReleaseGate.test.ts
🪛 ast-grep (0.44.1)
scripts/evaosScanMacControlProofs.js
[warning] 299-299: Filesystem path is not a string literal; a request-/variable-derived path can enable path traversal. Validate and normalize the path before use.
Context: fs.readFileSync(proofPath, 'utf8')
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(detect-non-literal-fs-filename)
tests/unit/evaos/evaosLiveCanaryWorkflow.test.ts
[warning] 313-320: Filesystem path is not a string literal; a request-/variable-derived path can enable path traversal. Validate and normalize the path before use.
Context: fs.writeFileSync(
path.join(proofDir, 'mac-control-session-cleanup.json'),
${JSON.stringify({ schema: 'evaos-mac-control-canary-session-cleanup/v1', sessionRevoked: false, sensitiveOutput: 'passed', })}\n
)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(detect-non-literal-fs-filename-typescript)
[warning] 342-350: Filesystem path is not a string literal; a request-/variable-derived path can enable path traversal. Validate and normalize the path before use.
Context: fs.writeFileSync(
path.join(proofDir, 'mac-control-session-cleanup.json'),
${JSON.stringify({ schema: 'evaos-mac-control-canary-session-cleanup/v1', sessionRevoked: false, sensitiveOutput: 'passed', connectorToken: 'opaque-token-value-123456', })}\n
)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(detect-non-literal-fs-filename-typescript)
[warning] 361-368: Filesystem path is not a string literal; a request-/variable-derived path can enable path traversal. Validate and normalize the path before use.
Context: fs.writeFileSync(
path.join(proofDir, 'mac-control-session-cleanup.json'),
${JSON.stringify({ schema: 'evaos-mac-control-canary-session-cleanup/v1', sessionRevoked: false, sensitiveOutput: 'failed', })}\n
)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(detect-non-literal-fs-filename-typescript)
[warning] 396-403: Filesystem path is not a string literal; a request-/variable-derived path can enable path traversal. Validate and normalize the path before use.
Context: fs.writeFileSync(
path.join(proofDir, 'mac-control-session-cleanup.json'),
${JSON.stringify({ schema: 'evaos-mac-control-canary-session-cleanup/v1', sessionRevoked: false, sensitiveOutput: 'passed', })}\n
)
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(detect-non-literal-fs-filename-typescript)
tests/unit/evaos/evaosDesktopBridgeReceipt.test.ts
[warning] Importing child_process exposes a command-execution surface; ensure any command/argument built from input is validated, and prefer execFile/spawn with an argument array over exec.
Context: import { execFileSync } from 'node:child_process';
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
(detect-child-process-typescript)
scripts/evaosBrokerLiveCanary.js
[warning] 1478-1478: Filesystem path is not a string literal; a request-/variable-derived path can enable path traversal. Validate and normalize the path before use.
Context: fs.writeFileSync(descriptor, ${JSON.stringify(proof, null, 2)}\n, 'utf8')
Note: [CWE-22] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
(detect-non-literal-fs-filename)
🔇 Additional comments (15)
resources/evaos-beta/bridge/agent-tools/SOURCE.json (1)
1-34: LGTM!tests/unit/evaos/evaosLiveCanaryWorkflow.test.ts (2)
10-16: LGTM!Also applies to: 37-110, 253-338, 340-410, 412-473
353-353: 🎯 Functional CorrectnessAssertions match the scanner error text.
.github/workflows/evaos-live-canary-proof.yml (1)
111-115: LGTM!Also applies to: 263-275, 298-298
scripts/evaosBetaReleaseGate.js (1)
3022-3025: LGTM!Also applies to: 3274-3556, 3696-3716
resources/evaos-beta/bridge/src/evaos_desktop_bridge/cli.py (1)
17-17: LGTM!Also applies to: 3285-3298, 3350-3350
scripts/evaosBrokerLiveCanary.js (2)
3-22: LGTM!Also applies to: 48-48, 171-235, 379-385, 553-558, 858-869, 902-990, 1159-1238, 1274-1388, 1449-1474, 1476-1484, 1508-1512
1240-1272: 🔒 Security & PrivacyNo issue:
deployed-stagingis handled server-sideThe runtime-receipt route branches on
proofModebefore any connector call and returns the negative-proof envelope withconnectorActionAttempted: falsefrom that path.> Likely an incorrect or invalid review comment.scripts/evaosScanMacControlProofs.js (1)
15-45: LGTM!Also applies to: 167-176, 211-215, 282-328, 330-358, 360-366
tests/unit/evaos/evaosDesktopBridgeReceipt.test.ts (1)
9-83: LGTM!tests/unit/evaos/evaosBrokerLiveCanary.test.ts (1)
39-104: LGTM!Also applies to: 668-692, 723-738, 797-815, 933-991
tests/unit/process/evaosBetaReleaseGate.test.ts (1)
47-51: LGTM!Also applies to: 842-954, 2699-2708
resources/evaos-beta/bridge/agent-tools/openclaw-plugin/tests/runtimeReceipt.test.mjs (1)
43-48: LGTM!Also applies to: 685-784
resources/evaos-beta/bridge/agent-tools/openclaw-plugin/src/runtimeReceipt.ts (2)
279-420: LGTM!Also applies to: 430-511, 1382-1393
513-576: 🩺 Stability & AvailabilityNo expiry-boundary bug here —
verifyAuthority()treatscontext.expires_at <= nowSecondsas expired, so passingauthority.context.expires_at * 1000still producesexecution_context_expiredat the boundary.> Likely an incorrect or invalid review comment.
|
Exact-head release blocker repair at 5b1308f: genuine Mac App Store Tailscale now uses the Apple Mac App Store signing OID while exact Tailscale TeamIdentifier, bundle identifier, approved path, and strict/deep verification remain required. Local genuine App Store proof changed codesign result from exit 3 to exit 0; 104 focused tests pass. The LaunchAgent signer settings are also now explicit-staging-only, with incomplete staging still fail-closed. |
|
@coderabbitai review exact head 5b1308f; prior actionable thread is fixed and resolved. |
|
@copilot review exact head 5b1308f after pristine-Mac Tailscale and staging-only LaunchAgent fixes. |
|
Note: CodeRabbit's incremental review only evaluates changes since the last reviewed commit. If no substantive new diff exists beyond confirming that fix, there may be nothing further to surface, but the review will confirm. ✅ Action performedReview finished.
|
evaOS review status: completedPR: #708 - fix(evaos): require signed Mac-control runtime proof evaOS review completed for this PR head. Automation note: agents should wait for this comment to reach PR URL: #708 Review URL: #708 (review) |
There was a problem hiding this comment.
Walkthrough
PR: #708 - fix(evaos): require signed Mac-control runtime proof
Head: 5b1308fadc481f83116c54de2b9713ab2363bed2 into evaos/beta-rc-20260612. Review event: COMMENT.
Provider: GLM/Z.ai through ZCode (zcode-glm, zcode, model GLM-5.2).
Estimated review effort: 5/5 (~70 min)
Changed Files
| File | Status | Churn | Purpose | Risk |
|---|---|---|---|---|
.github/workflows/evaos-live-canary-proof.yml |
modified | +15/-66 | Changed file | Moderate: validated P3 finding |
.github/workflows/pr-checks.yml |
modified | +33/-0 | Changed file | Low |
.github/workflows/release-distribute.yml |
modified | +3/-0 | Changed file | Low |
.github/workflows/workbench-functional-smoke.yml |
modified | +4/-0 | Changed file | Low |
.gitignore |
modified | +1/-0 | Changed file | Low |
CHANGELOG.md |
modified | +29/-0 | Documentation | Low |
scripts/afterSign.js |
modified | +1/-0 | Changed file | Low |
scripts/create-mock-release-artifacts.sh |
modified | +12/-1 | Changed file | Low |
scripts/evaosBetaReleaseGate.js |
modified | +235/-61 | Changed file | Elevated: large change |
scripts/evaosBrokerLiveCanary.js |
modified | +483/-23 | Changed file | Moderate: validated P2 finding |
scripts/evaosInstalledAppProductProof.js |
modified | +41/-0 | Changed file | Low |
scripts/evaosLiveCanaryEnvInventory.js |
modified | +29/-0 | Changed file | Low |
scripts/evaosMacControlSignedProof.js |
added | +246/-0 | Changed file | Moderate: validated P3 finding |
scripts/evaosScanMacControlProofs.js |
added | +366/-0 | Changed file | Elevated: large change |
scripts/evaosValidateLiveCanaryProofRun.sh |
modified | +9/-0 | Changed file | Low |
scripts/prepareEvaosDesktopBridgeResource.js |
modified | +61/-0 | Changed file | Low |
tests/unit/common-adapter/evaosIpcBridge.dom.test.ts |
modified | +61/-0 | Test coverage | Low |
tests/unit/evaos/evaosBrokerLiveCanary.test.ts |
modified | +308/-59 | Test coverage | Elevated: large change |
tests/unit/evaos/evaosDesktopBridgeControlSafetyP0.test.ts |
modified | +142/-0 | Test coverage | Low |
tests/unit/evaos/evaosDesktopBridgeReceipt.test.ts |
added | +438/-0 | Test coverage | Elevated: large change |
tests/unit/evaos/evaosInstalledAppProductProof.test.ts |
modified | +24/-0 | Test coverage | Low |
tests/unit/evaos/evaosLiveCanaryEnvInventory.test.ts |
modified | +10/-1 | Test coverage | Low |
tests/unit/evaos/evaosLiveCanaryWorkflow.test.ts |
modified | +338/-6 | Test coverage | Elevated: large change |
tests/unit/evaos/evaosNativeCompanionStatus.test.ts |
modified | +28/-1 | Test coverage | Low |
tests/unit/evaos/evaosQaCanaryLocalControl.test.ts |
modified | +161/-1 | Test coverage | Low |
3 additional changed files omitted from this walkthrough.
Review Signal
Validated inline findings: 4 (P0: 0, P1: 0, P2: 2, P3: 2).
Dropped findings before posting: 0. High-severity findings: 0.
Risk Taxonomy
- CI/build: 1
- Runtime correctness: 1
- Security boundary: 2
Validation and Proof
2 required validation/proof recommendation(s) selected from changed files.
- required: TypeScript/web build or CI proof - Runtime TypeScript/web files or package/config files changed. Proof: npm run build; typecheck; focused Vitest; green GitHub check.
- required: CI/release smoke proof - CI, release, launchd, or package metadata changed. Proof: green GitHub check; release-status; coverage-audit; rollback note.
Proof status: missing - 1 required validation/proof recommendation(s) missing from PR metadata.
Profile validation hints: Do not ask for broad local suites when remote CI or fast-smoke proof is the right gate.
Profile proof expectations: Look for focused app smoke, packaged resource checks, or CI artifact proof when relevant.
Related Context
Related issues/PRs: none detected from PR metadata.
Suggested labels: docs, tests.
Suggested reviewers: none from current metadata.
Review Settings Preview
- Profile: assertive
- Enabled sections: Review summary (inline_review); Walkthrough (inline_review); Changed-files table (walkthrough); Effort estimate (walkthrough); Related issues/PRs (walkthrough); Suggested labels (suggestion_only); Review status comment (sticky_status)
- Path instructions:
apps/eva-desktop-mac/**- Check macOS identity, helper path, TCC identity, and packaged resource shape risk. - Path instructions:
scripts/**- Treat release, packaging, and artifact-shape changes as high risk. - Label suggestions: workbench, macos, regression-hardening
- Reviewer suggestions: none
- Suggestion behavior: suggestions only; labels and reviewers are not auto-applied.
- Roadmap-only settings: auto-apply labels; auto-request reviewers; required status checks
Pre-merge checklist
- Inline comments target current RIGHT-side diff lines.
- No secret-like content survived into posted inline comments.
- REQUEST_CHANGES is only used when eligible P0/P1 findings survive validation.
- Required behavior proof is present or not applicable.
- Labels and reviewers are suggestions only; the bot did not auto-apply them.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5b1308fadc
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
v2.1.36 superseding checkpoint and Mac Access handoff — 2026-07-15Exact lineage
Connector contracts Mac Access must inherit
Remaining dependencies and proof boundary
#699 and #707 refresh decision#699 and #707 may safely refresh their contract analysis from f92d45f. That refresh does not grant Workbench ownership to Mac Access, does not freeze a standalone identity from this PR, and is not runtime or release proof. No packages/mac-access, packages/mac-connector-core, com.evaos.mac-access identities, standalone pairing, helper ownership, or Workbench-as-client refactor were started here. |
Durable v2.1.36 checkpoint for the separate Mac Access laneThe canonical GUI checkpoint has advanced by a metadata-only supersession. Mac Access may refresh from the merge SHA below without inheriting any new helper identity, standalone pairing, or extraction work from this lane. Exact lineage
PR #710 changes only five agent-tools provenance/version metadata files from 0.2.0 to 0.2.1. It does not change connector/runtime source, generated output, tool contracts, Workbench 2.1.36, bundle/helper identities, or any Mac Access surface. Connector contracts Mac Access must inherit
Server/ws-proxy dependencyNo ws-proxy source dependency remains unmerged. Review and proof state
The separate Mac Access lane may refresh from |
Summary
Release boundary
This PR is source and gate work only. It does not claim release or customer readiness. Publication remains blocked on current-head CI/review, signed/notarized installed-app proof, isolated-staging direct Mac-control proof, pristine-Mac proof, RC/live canaries, and verified public artifacts.
Focused proof
bunx vitest runon 7 affected suites: 243 passedjust typecheckjust lint-strict(0 errors)just fmt-checkruff checkon connector/receipt/QA modulesshellcheckon the Hermes adapteractionlint .github/workflows/evaos-live-canary-proof.ymlSummary by CodeRabbit