Skip to content

Add deterministic JS/TS package hardening and PR-triggered security remediation#390

Merged
nicobistolfi merged 2 commits intomainfrom
vigilante/issue-389-add-deterministic-js-ts-package-hardening-and-pr-triggered-security-remediation-for-modified-package-manifests
Apr 3, 2026
Merged

Add deterministic JS/TS package hardening and PR-triggered security remediation#390
nicobistolfi merged 2 commits intomainfrom
vigilante/issue-389-add-deterministic-js-ts-package-hardening-and-pr-triggered-security-remediation-for-modified-package-manifests

Conversation

@nicobistolfi
Copy link
Copy Markdown
Collaborator

@nicobistolfi nicobistolfi commented Apr 3, 2026

Summary

  • Adds a deterministic, code-driven JS/TS package hardening scan that runs during Vigilante's poll loop for watched repositories with the nodejs tech stack.
  • When a PR modifies package.json, Vigilante checks lockfile presence, runs npm audit, flags non-exact dependency ranges, and verifies CI uses deterministic install paths.
  • Posts a structured PR comment with findings and an implement fixes checkbox; applies the vigilante:flagged-security-review label when issues are found.
  • When a human checks the implement fixes box, Vigilante adds an eyes reaction and dispatches an agentic remediation session scoped to the PR branch.
  • The entire feature is gated by a package_hardening_enabled config toggle (defaults to enabled).

Changes

  • internal/hardening/ — New package with deterministic checks (hardening.go), PR comment formatting/parsing with checkbox detection (comment.go), and comprehensive tests.
  • internal/state/state.goPackageHardeningEnabled config field, HardeningPRState type, and hardening state persistence.
  • .github/labels.json — New vigilante:flagged-security-review label in the label taxonomy.
  • internal/backend/ — Extended PullRequestManager interface with ListOpenPullRequests, ListPullRequestFiles, CommentOnPullRequest, AddPullRequestCommentReaction, AddPullRequestLabel, and ListPullRequestComments.
  • internal/github/github.go — GitHub CLI helpers for the new PR operations.
  • internal/app/app.goscanPackageHardeningForTargets integration in ScanOnce, checkbox detection, and remediation dispatch.
  • internal/provider/PackageRemediationTask type and BuildPackageRemediationInvocation on all providers.
  • internal/skill/skill.goBuildPackageRemediationPrompt for agentic remediation sessions.

Test plan

  • Hardening scanner tests: lockfile detection (npm/pnpm/yarn/missing), npm audit (success/failure/vulnerabilities), non-exact ranges, CI deterministic install detection, subdirectory package.json support
  • Comment formatting tests: marker detection, implement-fixes checkbox (checked/unchecked/uppercase), remediation result comments, severity emojis
  • State tests: config toggle default/explicit/persistence, hardening state round-trip, PR key generation
  • App tests: extractPackageJSONPaths with various file patterns, isNodeJSTarget with different tech stacks, config gating
  • All existing tests pass (label provisioning tests updated for new label)
  • go fmt, go vet, go test ./... all clean

Closes #389

@nicobistolfi
Add deterministic JS/TS package hardening and PR-triggered security r…
f079781 
…emediation

Implement a code-driven, deterministic package hardening scan that runs
during Vigilante's poll loop for watched JS/TS/Node repositories. When a
PR modifies package.json, the scanner checks lockfile presence, runs npm
audit, flags non-exact dependency ranges, and verifies CI uses
deterministic install paths.

Key changes:
- New internal/hardening package with deterministic checks and PR comment
  formatting including the implement-fixes checkbox
- Config toggle via package_hardening_enabled in config.json (default: on)
- New vigilante:flagged-security-review label in the label taxonomy
- Backend interface extensions for PR file listing, PR comments, labels
- Checkbox detection and eyes reaction with agentic remediation dispatch
- Provider support for package remediation invocations (Claude, Codex, Gemini)
- Comprehensive test coverage across hardening, state, and app packages
@nicobistolfi nicobistolfi mentioned this pull request Apr 3, 2026
Closed
8 tasks
@nicobistolfi
Switch package hardening to post-push worktree-based scanning
b3f5e40 
Replace the PR-listing approach with a post-push worktree-based approach
for deterministic JS/TS package hardening. Instead of querying GitHub for
all open PRs on every scan cycle, the hardening scan now runs after a
session completes and pushes to the branch, using git diff against the
base branch to detect package.json changes from the local worktree.

Key changes:
- Add ExtractPackageJSONPathsFromDiff() to use git diff --name-only
  for detecting changed package.json files from the worktree
- Add runPostPushPackageHardening() triggered after successful session
  completion in launchIssueSession
- Simplify scanPackageHardeningForTargets to only monitor checkbox
  state on existing hardening entries (monitorHardeningCheckboxes)
- Remove ListOpenPullRequests and ListPullRequestFiles calls from the
  hardening scan path
- Add comprehensive tests for diff-based detection, config gating,
  checkbox monitoring state, and default branch fallback

Closes #389
@nicobistolfi nicobistolfi merged commit 199648f into main Apr 3, 2026
1 check passed
@nicobistolfi nicobistolfi deleted the vigilante/issue-389-add-deterministic-js-ts-package-hardening-and-pr-triggered-security-remediation-for-modified-package-manifests branch April 3, 2026 19:11
This was referenced Apr 3, 2026
Closed
Closed
nicobistolfi added a commit that referenced this pull request Apr 3, 2026
@nicobistolfi
Document package hardening from PR #390 in README and DOCS.md
d4dadf8 
Add a concise package hardening section to README.md covering user-visible
behavior with a caveat that the feature currently applies only to supported
JS/TS/Node.js repositories and will expand over time.

Add detailed operational documentation to DOCS.md covering trigger conditions,
checks performed (lockfile presence, npm audit, non-exact ranges, CI
deterministic install, CI audit step), PR comment and label behavior
(vigilante:flagged-security-review), checkbox-driven remediation flow, and
the package_hardening_enabled config toggle.

Closes #392
@nicobistolfi nicobistolfi mentioned this pull request Apr 3, 2026
Merged
5 tasks
nicobistolfi added a commit that referenced this pull request Apr 3, 2026
@nicobistolfi
Document package hardening from PR #390 in README and DOCS.md (#393)
328286e 
Add a concise package hardening section to README.md covering user-visible
behavior with a caveat that the feature currently applies only to supported
JS/TS/Node.js repositories and will expand over time.

Add detailed operational documentation to DOCS.md covering trigger conditions,
checks performed (lockfile presence, npm audit, non-exact ranges, CI
deterministic install, CI audit step), PR comment and label behavior
(vigilante:flagged-security-review), checkbox-driven remediation flow, and
the package_hardening_enabled config toggle.

Closes #392
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add deterministic JS/TS package hardening and PR-triggered security remediation for modified package manifests

1 participant

@nicobistolfi