From c4059b13d78b09e3519f67908f56c139b7c0dbe9 Mon Sep 17 00:00:00 2001 From: Codex Date: Fri, 26 Jun 2026 07:50:11 +0000 Subject: [PATCH] fix: avoid blocking sentinel on non-red quick verify findings --- scripts/src/hwlab-node-web-sentinel-cicd.ts | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/scripts/src/hwlab-node-web-sentinel-cicd.ts b/scripts/src/hwlab-node-web-sentinel-cicd.ts index ba4ccc4e..d1f65edb 100644 --- a/scripts/src/hwlab-node-web-sentinel-cicd.ts +++ b/scripts/src/hwlab-node-web-sentinel-cicd.ts @@ -1705,7 +1705,9 @@ function runSentinelQuickVerify(state: SentinelCicdState, reason: string, timeou const artifactSummaryRecord = record(artifactSummary); const artifactFindings = Array.isArray(artifactSummaryRecord.findings) ? artifactSummaryRecord.findings.map(record) : []; const findings = mergeFindingRecords(artifactFindings, controlFindings); - const ok = analysis.ok && record(artifactSummary).ok === true && controlFindings.length === 0; + const blockingFindings = findings.filter(isQuickVerifyBlockingFinding); + const analysisWarnings = analysis.ok ? [] : ["quick verify analyze command returned non-zero but a readable analysis artifact was produced; targetValidation is using artifact severity plus control blockers."]; + const ok = record(artifactSummary).ok === true && controlFindings.length === 0 && blockingFindings.length === 0; return recordQuickVerify(state, { ok, runId, @@ -1718,7 +1720,7 @@ function runSentinelQuickVerify(state: SentinelCicdState, reason: string, timeou reportJsonSha256: stringAtNullable(artifactSummary, "reportJsonSha256"), findingCount: findings.length, artifactCount: numberAtNullable(artifactSummary, "artifactCount") ?? 0, - failure: controlFindings.length > 0 ? "quick-verify-no-business-turn" : null, + failure: controlFindings.length > 0 ? "quick-verify-no-business-turn" : blockingFindings.length > 0 ? "quick-verify-blocking-findings" : null, promptSource: prompts.summary, steps, analysis: artifactSummary, @@ -1730,7 +1732,7 @@ function runSentinelQuickVerify(state: SentinelCicdState, reason: string, timeou findings, screenshot: record(artifactSummary).screenshot, publicOrigin: stringAt(state.publicExposure, "publicBaseUrl"), - warnings: elapsedWarnings(), + warnings: mergeWarnings(analysisWarnings, elapsedWarnings()), valuesRedacted: true, }); } @@ -2525,6 +2527,11 @@ function mergeFindingRecords(primary: readonly Record[], extra: return merged; } +function isQuickVerifyBlockingFinding(item: Record): boolean { + const severity = (stringAtNullable(item, "severity") ?? stringAtNullable(item, "level") ?? "").toLowerCase(); + return ["critical", "red", "fatal", "error", "failed", "blocked"].includes(severity); +} + function quickVerifyControlFindings(failure: string | null, promptIndex: number, turnSummary: Record | null, traceFrame: Record | null): Record[] { const rendered = [ typeof turnSummary?.renderedText === "string" ? turnSummary.renderedText : "",