Add admin memory verification console, loader, guard contract, docs, and tests#96
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Warning Review limit reached
More reviews will be available in 15 minutes and 34 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (5)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 49307a16e3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| return ( | ||
| <AppShell> | ||
| <PageHeader eyebrow="Internal admin" title="Production memory verification" description="Read-only, authenticated/admin-only verification route for Phase 3D closure safety. It reports deployment proof, read availability, route guard status, persisted read gate, unsafe mutation/integration gates, public read status, and a close/no-close recommendation without enabling public reads or writes." /> | ||
| {!session.ok ? <SectionCard title="Authentication required" description="No persisted rows or proof data are exposed without a Supabase operator session."><Link className="button-link button-link--primary" href={loginPath}>Start operator session</Link></SectionCard> : null} |
There was a problem hiding this comment.
Hide verification proof until authenticated
When session.ok is false this branch only adds the login card, but the page still continues to render the safety summary and Vercel/environment proof sections below, including commit and gate status details. For an unauthenticated request to this admin-only route, that exposes the internal verification proof that the page copy says requires a Supabase operator session; return the auth-required view early or gate the remaining sections behind session.ok.
Useful? React with 👍 / 👎.
| const session = await resolvePandoraServerSession(); | ||
| const context = createRepositoryContextFromPandoraSession({ sessionResult: session, namespace }); | ||
| const runtime = resolvePandoraRuntimeSafetyConfig(); | ||
| const supabase = await createSupabaseServerClient(); | ||
| const dto = await loadAdminMemoryVerification({ session, context: context.ok ? context.context : { namespace }, repository: new SupabasePersistedMemoryReadRepository(supabase as never), runtime }); |
There was a problem hiding this comment.
Require operator capability before verification reads
This route treats any successful Supabase session as sufficient and then loads the verification DTO/repository, while the new guard contract and page copy describe the route as admin/operator-only. In this codebase resolvePandoraServerSession creates ordinary real sessions with empty adminCapabilities and isInternalOperator: false, and other admin APIs such as readiness explicitly require those capabilities, so a non-operator authenticated user can still access the closure proof for their namespace here.
Useful? React with 👍 / 👎.
Motivation
Description
app/admin/memory/verification/page.tsxthat summarizes commit proof, gate states, route availability, unsafe gate detection, and a close/no-close recommendation.loadAdminMemoryVerificationinlib/services/admin-memory-verification-loader.tsto assemble verification DTOs from runtime config, persisted-memory reads, and environment proof.adminMemoryRouteGuardExpectationsand helper accessors inlib/services/admin-memory-route-guard-contract.tsto codify expected guard properties for admin memory routes.docs/phase-3d-production-verification.mdand a unit test suitetests/unit/admin-memory-verification.test.tsvalidating gate detection, read-only behavior, redirect-only public routes, and guard expectations.Testing
tests/unit/admin-memory-verification.test.tswithvitest, which exercise safe and unsafe env configurations and route/read protections, and they passed.Codex Task