feat: extract mintcore shared library with JWKSVerifier and status endpoint#1783
Conversation
Site previewPreview: https://b92bc573-site.fullsend-ai.workers.dev Commit: |
ReviewFindingsMedium
Low
Info
Previous runReviewFindingsMedium
Low
Info
Previous run (2)ReviewFindingsMedium
Low
Info
Previous run (3)ReviewFindingsMedium
Low
Info
Previous run (4)ReviewFindingsMedium
Low
Info
Previous run (5)Review — PR #1783Head SHA: SummaryLarge extraction PR (55 files, ~9700 lines changed) that moves mint HTTP handler logic from Two high-severity findings block approval — both relate to unauthorized scope changes in scaffold templates that are not covered by the linked issue #1751. FindingsHigh
Medium
Low
Info
Positive observationsThe mintcore extraction is architecturally sound. The package boundary is clean, the handler returns errors instead of fataling, test coverage is maintained with stronger verification (real crypto instead of mocks), and the embed-sync pattern is correctly followed. The Recommended resolution
Previous run (6)ReviewFindingsMedium
Low
Info
Previous run (7)ReviewFindingsLow
Info
Previous run (8)ReviewFindingsLow
Info
Previous run (9)ReviewFindingsMedium
Low
Info
Previous run (10)ReviewFindingsMedium
Low
Info
Previous run (11)ReviewFindingsLow
Info
Previous run (12)ReviewFindingsMedium
Low
Info
Previous run (13)ReviewFindingsLow
Info
Previous run (14)ReviewFindingsHigh
Medium
Low
|
9806077 to
e5a32f6
Compare
waynesun09
left a comment
There was a problem hiding this comment.
Review Squad Report — 7 agents, 11 findings (MEDIUM+)
Agents: 2x claude-coder, 2x claude-researcher, 2x gemini-code-review, 1x cursor-code-review
Total findings: 21 (after dedup and false positive removal) — 3 HIGH, 8 MEDIUM, 7 LOW, 3 INFO
False positives removed: 5
Summary
The STSVerifier extraction is faithful — identical validation logic, error messages, and control flow preserved. The most actionable finding is the JWKSVerifier fail-open design on empty allowlists (3-agent consensus), which creates a security asymmetry with STSVerifier that should be fixed before devmint uses it. The status endpoint App ID exposure (4-agent consensus) and duplicate BuildRepoProviderID are cleanup items to address in this PR. Four deleted test suites covering security-relevant edge cases should be restored in mintcore.
Only MEDIUM+ findings are posted inline. 7 LOW and 3 INFO findings available on request.
e5a32f6 to
fc4843d
Compare
|
All findings from both review sources have been addressed in From review #4411014072 (8 inline comments): All fixed and threads resolved. From issue comment #4603468794:
|
fc4843d to
60e46b1
Compare
60e46b1 to
9f4015b
Compare
9f4015b to
a2ed9bb
Compare
4309f74 to
531aefd
Compare
|
Addressing review findings from pullrequestreview-4419453135: Medium:
Low — fixed:
Low — acknowledged (no change):
Embed copy synced. All tests pass. Squashed, rebased, and force-pushed. |
531aefd to
24d32f1
Compare
24d32f1 to
e7cda39
Compare
|
Low findings from review addressed in e7cda39:
Scope-creep cleanup: removed 4 scaffold sub-agent model pin changes that were unrelated to mintcore extraction. |
e7cda39 to
7237a6b
Compare
ifireball
left a comment
There was a problem hiding this comment.
Sorry for still requesting changes, but I want to get this re-factor right. If all goes well, the dev/stand-alone mint PR should end up being very small (A PEMAccessor implementation reading from local files + a tiny main to launch the server in the background)
Extract shared mint logic from internal/mint/main.go into internal/mintcore/ package. Handler, OIDC verifiers (STS + JWKS), GitHub API helpers, claims, and GCP PEM accessor are now in the shared library. The Cloud Function entry point retains only GCP-specific wiring (init, env vars). Key changes: - OIDCVerifier is injected into Handler (supports STSVerifier and JWKSVerifier) - PEMAccessor is injected (GCPSecretPEMAccessor exported from mintcore) - BuildRepoProviderID consolidated into mintcore (removed from provisioner) - JWKS verifier uses singleflight to prevent thundering-herd refreshes - RSA key size validation (2048-bit minimum) in parseRSAPublicKey - Issuer validation in OIDC discovery per spec Section 4.3 - Case-insensitive org lookup in lookupRoleAppID - Cross-org installation mismatch audit logging preserved - Shared maxClockSkew constant and ValidateOrgName/ValidateRoleName helpers - go.mod replace directive rewriting validated in bundleFunctionSource - Symlink detection in addDirToZip for Cloud Function packaging - Handler tests use real RSA-signed JWTs instead of mocked validators - All source files synced to .embed copies for Cloud Function deployment Signed-off-by: Greg Allen <gallen@fullsend.ai> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Greg Allen <gallen@redhat.com>
Summary
Extract shared types and functions from
internal/mint/main.gointo a newinternal/mintcore/Go module, then refactor the GCP mint to import from it. This PR also introduces new features alongside the refactoring.This is the first half of #1751, split to isolate the production-risk changes for focused review.
New features
RolePermissionsis now a function returning a deep copy, preventing accidental mutation of the canonical permission mapWhat moved to mintcore
JWKSVerifier(new) andSTSVerifier(extracted from GCP mint)ValidateOrgAllowed,ValidateWorkflowRef)GenerateAppJWT,FindInstallation,CreateInstallationToken)GitHubOrgPattern,RepoNamePattern,RolePattern)BuildRepoProviderID)What changed in the GCP mint
main.gonow imports frommintcoreinstead of defining types/functions inlineSTSVerifierreplaces inlinestsTokenValidator(same logic, just relocated)NewHandlerconstructs the verifier internally/v1/statusendpoint added for mint health inspection (authenticated)Intentional behavioral change: 403 → 401 for OIDC auth failures
The
/v1/tokenendpoint now returns HTTP 401 (Unauthorized) for OIDC authentication failures, changed from the previous 403 (Forbidden). This is intentional:/v1/statusalready returned 401 for the same condition, so both endpoints are now consistentClients that distinguish 401 from 403 in error handling may need to update their logic.
Provisioner / Cloud Function deployment
mintcore/source alongside the mint function in the deployment zipgo.modreplace directive rewritten from../mintcoreto./mintcoreduring zip creation.embedfiles for mintcore (synced from source, including go.sum)Review focus
STSVerifierextraction faithful — same logic, no behavioral changes?bundleFunctionSourcecorrectly nest mintcore in the deployment zip?JWKSVerifiercorrectly validate org allowlist and workflow refs?Test plan
go test ./internal/mintcore/...— all tests pass (including new JWKSVerifier validation tests)go test ./internal/mint/...— all tests pass (including new STSVerifier integration test)go test ./internal/dispatch/gcf/...— provisioner tests pass (including embed sync)go vet ./...— clean🤖 Generated with Claude Code