Skip to content

Align AI review trust assumptions#2917

Draft
UnArbosFive wants to merge 1 commit into
stagingfrom
agent/align-ai-review-trust-context
Draft

Align AI review trust assumptions#2917
UnArbosFive wants to merge 1 commit into
stagingfrom
agent/align-ai-review-trust-context

Conversation

@UnArbosFive

Copy link
Copy Markdown
Contributor

What changed

  • remove the false assumption that every CI run receives nucleus approval
  • treat .github content as a security boundary without assuming a human backstop
  • require evidence before lowering bootstrap-only findings
  • remove the obsolete meta-bootstrap severity exception

Why

GitHub's repository-level workflow execution policy is an actor allow-list, not a universal approval queue. The previous prompt could therefore cause automated reviewers to under-grade workflow and bootstrap risks based on a control that does not apply to every PR.

Impact

AI security reviews now grade the code path that can execute after any trusted trigger. Repository settings remain outside the prompt rather than being duplicated as a hard-coded actor list that can drift.

Validation

  • git diff --check
  • verified .github/workflows/ai-review.yml consumes common.md as prompt text and does not parse the removed wording
  • confirmed the branch is based on origin/staging

@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
subtensor Ready Ready Preview, Comment Jul 15, 2026 3:37pm

Request Review

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

- **CI runs require nucleus approval on every PR.** A nucleus team member must explicitly authorize each workflow run before it executes. Drive-by malicious actors cannot run CI; an attacker would need to either (a) compromise a nucleus account or (b) social-engineer a nucleus member into approving a hostile PR.
- **Changes under `.github/` are heavily scrutinized by humans before CI is approved.** Workflow files, persona prompts, helper scripts, and required-check definitions get a manual eyeball pass. So changes to these paths are not, on their own, a strong "this PR is malicious" signal — the human nucleus reviewer is your backstop and they pay extra attention here. Still flag concrete problems you spot in them, but calibrate severity to the actual risk, not to the path.
- **External / unknown contributors** still warrant heightened scrutiny per the threat model, but the nucleus-approval gate means a hostile PR can't silently exfiltrate by triggering CI on push. The realistic attack surface is what happens *after* nucleus approves, e.g. malicious code that runs at `cargo build` time once CI is greenlit.
- **Do not assume a universal CI approval gate.** Workflow execution is governed by repository settings outside the PR diff. Depending on the triggering actor and event, a run may start automatically, require a separate trusted action, or be blocked entirely. Never lower a finding's severity based only on presumed human approval.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] Trusted security-review policy is modified

This file controls the security reviewer's trust and severity calibration. Per the review's trusted operating policy, modifications under .github/ai-review/ must be treated as a high-severity security-boundary change. A trusted maintainer must independently validate these assumptions against the actual repository workflow settings and trigger paths before merge.

@github-actions

Copy link
Copy Markdown
Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

VERY HIGH scrutiny (13-day-old account, 0 public repos), mitigated by admin permission, prior substantive merges, matching commit authorship, and no Gittensor association; agent/align-ai-review-trust-context → staging.

The textual changes appear internally consistent and security-hardening, but they directly alter the trusted review policy that determines how future security findings are graded.

Findings

Sev File Finding
HIGH .github/ai-review/common.md:32 Trusted security-review policy is modified inline

Conclusion

This PR modifies the AI review trust boundary, which requires trusted human validation and blocks an automated SAFE verdict. No evidence of malicious intent was found.


# 🔍 AI Review — Auditor (domain review) has not yet run on this PR.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant