[codex] add install vulnerability gate #109
Open
juangaitanv wants to merge 2 commits into
Summary

Adds package-manager install wrappers for `npm`, `yarn`, `pnpm`, `pip`, and `uv` that precheck install targets before handing off to the real package manager.

The gate now checks package publish recency, Corgea vulnerability verdicts, and OSV as a public secondary signal. It supports JSON output, `--force`, `--no-fail`, manager/project guardrails, named-package and tree coverage where safe, and package-manager stdout isolation for machine-readable output.

Impact

Developers and coding agents can run familiar commands such as `corgea npm install ...` and `corgea pip install ...` to block known vulnerable, malicious, unverifiable, or too-recent package installs before package-manager code runs.

Root Cause / Notes

The original CLI had dependency inventory scanning but no install-time guard. This change adds a pre-install command surface and preserves package-manager behavior when the gate passes. OSV can add public vulnerability blocks but does not weaken authenticated Corgea fail-closed verdicts.

Validation

`./harness check` passed: clippy fix, format, strict clippy, tests, deps skill drift; 322 tests passed.

`CORGEA_BIN=/Users/juan/Code/corgea/cli/target/debug/corgea ./scripts/validate-fixtures.sh` passed across all `~/Code/corgea/test-cli` fixtures:

- npm: `lodash@4.17.20`, 5 OSV advisories, wrapper exit 1.
- npm: `express@4.18.2`, 2 OSV advisories, wrapper exit 1.
- PyPI: `django@2.2`, 64 OSV advisories, wrapper exit 1.
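The decision rule the description spells out (recency check, an authenticated primary verdict that fails closed when it cannot be obtained, OSV as an additive public signal that can block but never clears a primary block, and wrapper exit 1 before any package-manager code runs) as an added example in Rust. This is illustration written for this page, not the corgea CLI's own code: the type names, the 72-hour recency threshold, the `force` flag semantics, the JSON shape and the placeholder advisory IDs are all assumptions.

```rust
// Added example, not the corgea CLI's own code: merges three signals into one
// fail-closed install decision. Type names, the recency threshold, the force
// semantics and the JSON shape are assumptions made for illustration.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PrimaryVerdict {
    Clean,
    Vulnerable,
    Malicious,
    Unverifiable,
}

pub struct PackageFacts {
    pub ecosystem: &'static str,
    pub name: &'static str,
    pub version: &'static str,
    /// Hours since this version was published; None when the registry gave no timestamp.
    pub published_age_hours: Option<u64>,
    /// Verdict from the authenticated primary service; None when it could not be obtained.
    pub primary: Option<PrimaryVerdict>,
    /// Advisory IDs OSV returned for this exact version (public secondary signal).
    pub osv_advisories: Vec<&'static str>,
}

pub struct GatePolicy {
    /// Versions younger than this are "too recent" (assumed threshold).
    pub min_age_hours: u64,
}

/// Every reason the gate would block. Empty means the install may proceed.
pub fn block_reasons(facts: &PackageFacts, policy: &GatePolicy) -> Vec<String> {
    let mut reasons = Vec::new();

    // 1. Recency. An absent timestamp is treated like a too-recent publish (fail closed).
    match facts.published_age_hours {
        None => reasons.push("publish time unverifiable".to_string()),
        Some(age) if age < policy.min_age_hours => reasons.push(format!(
            "published {age}h ago, below the {}h minimum",
            policy.min_age_hours
        )),
        Some(_) => {}
    }

    // 2. Primary verdict. Only an affirmative Clean passes; no answer is a block.
    match facts.primary {
        Some(PrimaryVerdict::Clean) => {}
        Some(PrimaryVerdict::Vulnerable) => reasons.push("primary verdict: vulnerable".to_string()),
        Some(PrimaryVerdict::Malicious) => reasons.push("primary verdict: malicious".to_string()),
        Some(PrimaryVerdict::Unverifiable) => reasons.push("primary verdict: unverifiable".to_string()),
        None => reasons.push("primary verdict unavailable, failing closed".to_string()),
    }

    // 3. OSV is additive only: it can add a block, but nothing here removes a reason above.
    if !facts.osv_advisories.is_empty() {
        reasons.push(format!(
            "{} OSV advisories: {}",
            facts.osv_advisories.len(),
            facts.osv_advisories.join(", ")
        ));
    }
    reasons
}

/// Wrapper exit status decided before any package-manager code runs:
/// 0 means hand off to the real package manager, 1 means blocked.
/// `force` models an explicit operator override (assumed semantics).
pub fn gate_exit_code(facts: &PackageFacts, policy: &GatePolicy, force: bool) -> i32 {
    if force || block_reasons(facts, policy).is_empty() { 0 } else { 1 }
}

/// Machine-readable decision. Only the gate writes this to stdout; anything the
/// package manager prints later should go to stderr so the JSON stays parseable.
pub fn report_json(facts: &PackageFacts, policy: &GatePolicy) -> String {
    let reasons = block_reasons(facts, policy);
    let quoted: Vec<String> = reasons
        .iter()
        .map(|r| format!("\"{}\"", r.replace('"', "\\\"")))
        .collect();
    format!(
        "{{\"package\":\"{}:{}@{}\",\"allowed\":{},\"reasons\":[{}]}}",
        facts.ecosystem, facts.name, facts.version, reasons.is_empty(), quoted.join(",")
    )
}

fn main() {
    // Constructed input shaped like the lodash fixture in the PR description;
    // the advisory IDs are placeholders, not real OSV identifiers.
    let lodash = PackageFacts {
        ecosystem: "npm",
        name: "lodash",
        version: "4.17.20",
        published_age_hours: Some(24 * 365),
        primary: Some(PrimaryVerdict::Clean),
        osv_advisories: vec!["ADV-1", "ADV-2", "ADV-3", "ADV-4", "ADV-5"],
    };
    let policy = GatePolicy { min_age_hours: 72 };
    println!("{}", report_json(&lodash, &policy));
    std::process::exit(gate_exit_code(&lodash, &policy, false));
}
```

The property worth checking in a gate like this is asymmetry: every signal can only append a block reason, so a clean primary verdict plus OSV advisories blocks, while an empty OSV response leaves a primary block untouched. Missing data (no publish timestamp, no primary answer) lands on the block side rather than the allow side, which is what "fail closed" and "unverifiable" mean in the description. For stdout isolation, the wrapper should emit this JSON itself and route the real package manager's stdout to stderr once it hands off.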