Add daily Sentinel v2.4 operational-check script, runbook, and tests#142
Add daily Sentinel v2.4 operational-check script, runbook, and tests#142OneFineStarstuff wants to merge 3 commits into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
The files' contents are under analysis for test generation. |
Changed Files
|
|
Review these changes at https://app.gitnotebooks.com/OneFineStarstuff/OneFineStarstuff.github.io/pull/142 |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
View changes in DiffLens |
Reviewer's GuideAdds a new daily Sentinel v2.4 operational-check CLI that validates dashboard reachability, G-SRI evidence, PQC WORM Object Lock commits, and TEE/TPM attestation; wires it into the project entry points, documents runbook usage and expectations, and provides pytest coverage for core check logic and CLI behavior. Sequence diagram for daily Sentinel v2.4 operational-check CLI flowsequenceDiagram
actor Operator
participant daily_sentinel_operational_check_main as main
participant SentinelDashboard
participant EvidenceFS
Operator->>daily_sentinel_operational_check_main: main(argv)
daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: parse_args(argv)
alt dashboard_not_skipped
daily_sentinel_operational_check_main->>SentinelDashboard: check_dashboard(dashboard_url, dashboard_timeout, insecure_tls)
SentinelDashboard-->>daily_sentinel_operational_check_main: HTTP status code
else dashboard_skipped
daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: CheckResult("sentinel_dashboard", WARN, "dashboard reachability skipped by operator")
end
daily_sentinel_operational_check_main->>EvidenceFS: load_json(gsri_evidence_path)
EvidenceFS-->>daily_sentinel_operational_check_main: gsri_evidence
daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: result_from_check("gsri_threshold", check_gsri(gsri_evidence, max_age_minutes))
daily_sentinel_operational_check_main->>EvidenceFS: load_json(worm_evidence_path)
EvidenceFS-->>daily_sentinel_operational_check_main: worm_evidence
daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: result_from_check("pqc_worm_logger", check_worm(worm_evidence, max_age_minutes, worm_max_lag_seconds, expected_worm_bucket, require_compliance_object_lock))
daily_sentinel_operational_check_main->>EvidenceFS: load_json(attestation_evidence_path)
EvidenceFS-->>daily_sentinel_operational_check_main: attestation_evidence
daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: result_from_check("tee_tpm_attestation", check_attestation(attestation_evidence, max_age_minutes))
alt json_output
daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: render_json(results)
else markdown_output
daily_sentinel_operational_check_main->>daily_sentinel_operational_check_main: render_markdown(results)
end
daily_sentinel_operational_check_main->>Operator: exit(1 if any(result.is_failure) else 0)
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
|
View changes in DiffLens |
|
|
Overall Grade |
Security Reliability Complexity Hygiene |
Code Review Summary
| Analyzer | Status | Updated (UTC) | Details |
|---|---|---|---|
| Python | Jul 6, 2026 10:43a.m. | Review ↗ | |
| JavaScript | Jul 6, 2026 10:43a.m. | Review ↗ | |
| Shell | Jul 6, 2026 10:43a.m. | Review ↗ |
Important
AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.
|
Warning Review limit reached
Next review available in: 48 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (4)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- Consider validating CLI numeric options like
--max-age-minutesand--worm-max-lag-secondsup front (e.g., enforcing non-negative values) so misconfiguration fails fast with a clearer error message. - In
result_from_check, the explicitnameparameter is only used on exception paths while successful results rely on the inner check’sCheckResult.name; simplifying this helper to derive the name from the inner result would reduce the chance of name mismatches between the caller and the check implementation.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Consider validating CLI numeric options like `--max-age-minutes` and `--worm-max-lag-seconds` up front (e.g., enforcing non-negative values) so misconfiguration fails fast with a clearer error message.
- In `result_from_check`, the explicit `name` parameter is only used on exception paths while successful results rely on the inner check’s `CheckResult.name`; simplifying this helper to derive the name from the inner result would reduce the chance of name mismatches between the caller and the check implementation.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Not up to standards ⛔🔴 Issues
|
| Category | Results |
|---|---|
| UnusedCode | 2 medium |
| Documentation | 30 minor |
| ErrorProne | 1 medium 1 high |
| Security | 39 high |
| CodeStyle | 18 minor |
| Complexity | 5 minor 1 critical 3 medium |
🟢 Metrics 104 complexity · 4 duplication
Metric Results Complexity 104 Duplication 4
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
There was a problem hiding this comment.
Blocking feedback
- Dashboard input validation can crash the CLI before any evidence report is emitted — scripts/daily_sentinel_operational_check.py#L129-L170
If you'd like me to push fixes, reply with item numbers (for example: please fix 1).
✅ Deploy Preview for onefinestarstuff canceled.
|
|
View changes in DiffLens |
|
View changes in DiffLens |
Motivation
Description
scripts/daily_sentinel_operational_check.pythat performs checks for dashboard reachability,gsrithreshold/signature,pqc_worm_loggerS3 Object Lock commits, and TEE/TPM attestation, and emits Markdown or JSON output and a suitable exit code.daily-sentinel-operational-checkentry topyproject.tomlunder[project.scripts]for easy invocation as a project script.docs/reports/DAILY_SENTINEL_V24_DEVSECOPS_RUNBOOK.mddescribing required checks, example evidence JSON payloads, CLI usage, and fail-closed rules.tests/test_daily_sentinel_operational_check.pyto validate individual check logic, CLI behavior (offline and JSON modes), and error handling.Testing
tests/test_daily_sentinel_operational_check.pycoveringcheck_gsri,check_worm,check_attestation, timestamp parsing, andmainbehavior in offline and JSON modes.pytest tests/test_daily_sentinel_operational_check.pyand all tests completed successfully.Codex Task
Summary by Sourcery
Introduce a daily Sentinel AI v2.4 operational check CLI that validates key evidence planes and exposes them via a project script.
New Features:
daily-sentinel-operational-checkproject script for easy invocation.Documentation:
Tests: