
fix(routing): safely route verified legal sidecars#1671

Open
mldangelo-oai wants to merge 70 commits into
mainfrom
mdangelo/codex/hf-fp-t42-license-text-pickle-routing-20260610

Conversation

@mldangelo-oai

@mldangelo-oai mldangelo-oai commented Jun 11, 2026

Contributor

Summary

  • Route verified UTF-8 LICENSE/NOTICE sidecars through one bounded pickle tokenization path before text scanning.
  • Preserve complete pickle ownership and fail closed as pickle_routing_inconclusive when a bounded parsed side effect can occur before parse failure/EOF.
  • Keep selected top-level Jinja legal overlaps from dropping the preferred structured-owner skip metadata.

Exact-head repair

Published additively on 965e46eef8ee9066b925d420ae911c1c63437814, after merging main@dd3558d096dce7c7cb7452afc821647d88f52ddc without rebase/force-push.

This repair replaces terminal protocol-0 PERSID prose spelling decisions with parsed pickle grammar: any P-leading line that reaches persistent_load before EOF exits 2 and stays non-cacheable. The audit lock constrains aiohttp and cryptography to current published vulnerability fixes; dependency audit installs audited requirements from PyPI so the published cryptography fix is enforced instead of suppressed. The same bounded path now retains GLOBAL operands with whitespace, short hex NEXT_BUFFER + STOP (972e), and blank/whitespace-split base64/hex candidates. Tests use shared parameterized malicious/benign matrices; legal controls that are intentionally text no longer use protocol-shaped P-leading fixture prose.

Security bounds

  • Legal-sidecar reads remain capped at 2 MiB; oversized legal sidecars still fail closed.
  • Decoded candidates remain capped at 1 MiB; pickle structural probes remain capped at 64 KiB with bounded candidate/opcode work.
  • Runtime proof: stdlib pickle.Unpickler reaches find_class('posix', 'open ') for cposix\nopen \nA, persistent_load('id') for Pid\n, and consumes one out-of-band buffer for hex 972e before return/failure.

Validation

  • Focused blocker/Jinja/cache matrix: 86 passed; focused filetype/bounds matrix: 110 passed.
  • Dependency audit: No known vulnerabilities found with only unfixed Pygments CVE-2026-4539 ignored.
  • Ruff format/check, mypy, diff whitespace: clean.
  • Full non-slow/non-integration suite: 21856 passed, 788 skipped.
  • Exact-head Codex review: no major issues; unresolved review threads: 0.
  • Exact-head GitHub CI: pending final coverage shards.
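The bounded structural probe and the fail-closed routing rule the description above spells out, written out as an added example. This is illustrative code, not the modelaudit implementation in modelaudit/utils/file/detection.py: the function names, the HOOK_OPCODES set, the token regexes, the candidate budget and the verdict strings are this example's own assumptions, and the size caps simply copy the numbers stated under "Security bounds". It tokenizes with pickletools.genops and pickletools.dis, which decode pickle grammar without executing anything, and it treats any candidate that reaches a find_class/persistent_load/NEXT_BUFFER opcode before the stream fails as pickle_routing_inconclusive rather than text.

```python
import base64
import binascii
import io
import pickletools
import re

# Illustrative bounds, copied from the caps the PR description states.
LEGAL_SIDECAR_CAP = 2 * 1024 * 1024  # bytes read from a LICENSE/NOTICE sidecar
DECODED_CAP = 1024 * 1024            # bytes kept from any decoded candidate
PROBE_CAP = 64 * 1024                # bytes the structural probe may consume
OPCODE_BUDGET = 4096                 # opcodes decoded per candidate (assumed)
CANDIDATE_BUDGET = 64                # encoded tokens probed per sidecar (assumed)

# Opcodes whose interpretation hands attacker-chosen operands to an unpickler
# hook: find_class (GLOBAL, INST, STACK_GLOBAL), persistent_load (PERSID,
# BINPERSID) or the out-of-band buffer iterator (NEXT_BUFFER). REDUCE/BUILD
# can only act on what those hooks returned, so they are not in the set.
HOOK_OPCODES = frozenset(
    {"GLOBAL", "INST", "STACK_GLOBAL", "PERSID", "BINPERSID", "NEXT_BUFFER"}
)

HEX_TOKEN = re.compile(rb"\b(?:[0-9a-fA-F]{2}){2,}\b")
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def probe_pickle_prefix(data: bytes) -> tuple[str, list[str]]:
    """Tokenize with pickle grammar only (pickletools); nothing is executed.

    "pickle": a complete, stack-consistent stream ending in STOP.
    "pickle_routing_inconclusive": a hook-reaching opcode was decoded before
        the stream failed, hit EOF or exhausted the budget (fail closed).
    "not_pickle": the grammar broke before any hook-reaching opcode.
    """
    window = data[:PROBE_CAP]
    seen: list[str] = []
    complete = False
    try:
        for opcode, _arg, pos in pickletools.genops(io.BytesIO(window)):
            seen.append(opcode.name)
            if opcode.name == "STOP":
                # genops does not model the stack; dis does and raises
                # ValueError on underflow or leftovers (e.g. a bare STOP).
                pickletools.dis(window[: pos + 1], out=io.StringIO())
                complete = True
                break
            if len(seen) >= OPCODE_BUDGET:
                break
    except ValueError:
        pass  # unknown opcode, bad operand, EOF before STOP, or bad stack
    if complete:
        return "pickle", seen
    if HOOK_OPCODES.intersection(seen) or len(seen) >= OPCODE_BUDGET:
        return "pickle_routing_inconclusive", seen
    return "not_pickle", seen


def decoded_candidates(data: bytes):
    """Yield the raw bytes plus bounded hex/base64 decodings of whole tokens."""
    yield "raw", data
    budget = CANDIDATE_BUDGET
    for match in HEX_TOKEN.finditer(data):
        if budget == 0:
            return
        budget -= 1
        yield "hex", bytes.fromhex(match.group().decode("ascii"))[:DECODED_CAP]
    for match in B64_TOKEN.finditer(data):
        if budget == 0:
            return
        try:
            decoded = base64.b64decode(match.group(), validate=True)
        except binascii.Error:
            continue  # prose words whose length is not a multiple of 4 land here
        budget -= 1
        yield "base64", decoded[:DECODED_CAP]


def verify_legal_text(data: bytes) -> bool:
    """Bounded UTF-8/control check a LICENSE/NOTICE basename must pass first."""
    if len(data) > LEGAL_SIDECAR_CAP:
        return False  # oversized sidecar: never the text shortcut
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    # Tab/LF/CR are fine; NUL, other C0 controls, DEL and C1 controls are not.
    return all(c in "\t\n\r" or 0x20 <= ord(c) < 0x7F or ord(c) >= 0xA0 for c in text)


def route_legal_sidecar(data: bytes) -> str:
    """Ownership for a file named LICENSE/NOTICE: "text", "pickle",
    "pickle_routing_inconclusive" (non-cacheable) or "binary_fallback"."""
    if not verify_legal_text(data):
        return "binary_fallback"  # invalid UTF-8/NUL/oversized: ordinary detection owns it
    inconclusive = False
    for _kind, candidate in decoded_candidates(data):
        verdict, _opcodes = probe_pickle_prefix(candidate)
        if verdict == "pickle":
            return "pickle"  # complete pickle, benign or not, keeps pickle ownership
        inconclusive = inconclusive or verdict == "pickle_routing_inconclusive"
    return "pickle_routing_inconclusive" if inconclusive else "text"
```

Two details carry the security argument. First, genops only yields an opcode after its operand has been fully read, so a stray "c" in prose that is not followed by two newline-terminated lines never counts as GLOBAL, while cposix\nopen \nA does and therefore fails closed. Second, the dis call on the consumed prefix is what stops a decoded word that happens to start with 0x2e (STOP) from being accepted as a "complete pickle": dis simulates the stack and rejects the underflow. The real detection code is more selective about which encoded tokens it probes; this example deliberately keeps that part simple.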

@mldangelo-oai

Contributor Author

@codex review

@github-actions

github-actions Bot commented Jun 11, 2026

Contributor

Workflow run and artifacts

Performance Benchmarks

Compared 13 shared benchmarks with a regression threshold of 15%.
Status: 0 regressions, 0 improved, 13 stable, 0 new, 0 missing.
Aggregate shared-benchmark median: 4.144s -> 4.134s (-0.2%).

Workload Benchmark Target Size Files Baseline Current Change Status
nested-payload-review tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_raw] nested_raw 78 B 1 280.3us 287.4us +2.5% stable
nested-payload-review tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_base64] nested_base64 98 B 1 277.5us 272.3us -1.9% stable
direct-malicious-upload tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_direct_malicious_upload malicious_reduce 52 B 1 222.9us 219.3us -1.6% stable
chunked-upload-stream tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_upload_stream chunked_stream 278.2 KiB 1 111.99ms 113.72ms +1.5% stable
warm-cache-rescan tests/benchmarks/test_scan_benchmarks.py::test_scan_warm_cached_repository_rescan release-candidate 547.3 KiB 32 146.81ms 149.01ms +1.5% stable
padded-multi-stream-upload tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_padded_multi_stream_upload multi_stream_padded 4.1 KiB 1 340.1us 344.4us +1.3% stable
clean-training-checkpoint tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_clean_training_checkpoint safe_large 278.2 KiB 1 109.40ms 110.77ms +1.3% stable
nested-payload-review tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_hex] nested_hex 130 B 1 300.9us 303.5us +0.8% stable
single-checkpoint-preflight tests/benchmarks/test_scan_benchmarks.py::test_scan_single_checkpoint_before_load single_checkpoint.pkl 183.0 KiB 1 86.81ms 87.52ms +0.8% stable
rejected-basic-auth-candidates tests/benchmarks/test_scan_benchmarks.py::test_rejected_basic_auth_candidates_scan_linearly - 371.1 KiB 1 2.512s 2.494s -0.7% stable
mixed-model-repository tests/benchmarks/test_scan_benchmarks.py::test_scan_release_candidate_repository release-candidate 547.3 KiB 32 558.64ms 562.52ms +0.7% stable
suspicious-pickle-intake tests/benchmarks/test_scan_benchmarks.py::test_scan_suspicious_pickle_intake suspicious-intake 183.8 KiB 4 131.18ms 131.70ms +0.4% stable
duplicate-heavy-registry tests/benchmarks/test_scan_benchmarks.py::test_scan_duplicate_registry_snapshot registry-snapshot 915.2 KiB 13 485.45ms 483.74ms -0.4% stable

Comment thread modelaudit/scanners/base.py Fixed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 699b75fc69

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread modelaudit/utils/file/detection.py Outdated
Comment thread modelaudit/utils/file/detection.py Outdated
@mldangelo-oai

Contributor Author

Independent exact-head review of 699b75fc69b16b6127e360da611487a9c34d1735: request changes; do not merge. Three current blockers were reproduced.

  1. P1: valid protocol-0 pickles can route to harmless text. modelaudit/utils/file/detection.py:3256-3258,3286-3295 limits pickle globals to a seed list. A valid webbrowser.open fixture changed from base exit 1 with two critical S201 findings to head exit 0 with no S201, both directly and as a ZIP member named LICENSE.
  2. P2: ordinary legal prose still triggers pickle heuristics. modelaudit/utils/file/detection.py:325-348,3216-3245,3256-3273: among 224 real valid license/notice files, 69 routed to pickle and 8 became inconclusive. The Hugging Face Hub Apache license produced S901/S902 failures.
  3. P2: basename-only fallback bypasses UTF-8/control validation. modelaudit/scanners/text_scanner.py:597-619: invalid UTF-8 and NUL-bearing LICENSE/NOTICE files detect as unknown but complete successfully under TextScanner.

Required direction: preserve fail-closed handling for arbitrary syntactically valid pickle globals before any basename text fallback; replace the broad pickle-text heuristic with structural pickle proof; require the same bounded UTF-8/control validation for basename-owned text. Add direct and nested-archive regressions for all three classes.

Focused tests were 23 passed; changed-surface tests were 1993 passed; pinned Phi-4 LICENSE QA was clean. Both current unresolved threads were behaviorally validated. Full report: modelaudit-pr-swarm/outputs/pr-1671-independent-review-20260611.md.
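The "Runtime proof" bullet in the description and blocker 1 above rest on the same fact: the stdlib unpickler hands parsed operands to find_class and persistent_load before the stream fails, for any module and name, so a seed list of known-dangerous globals cannot be the routing basis. The tracer below is an added example, not code from the PR: HookTracingUnpickler, trace_unpickle and demo are its own names, its inputs are the constructed strings quoted in the description (no real payload is built), and it needs Python 3.8+ for the buffers argument.

```python
import io
import pickle


class HookTracingUnpickler(pickle.Unpickler):
    """Stdlib unpickler whose hooks only record what they were asked for.

    It never imports a module or resolves a persistent id, so it is not a
    safe loader; it exists to show how far a byte string gets before failing.
    """

    def __init__(self, data: bytes, buffers=None):
        super().__init__(io.BytesIO(data), buffers=buffers)
        self.events: list[tuple] = []

    def find_class(self, module: str, name: str):
        # Operands arrive exactly as parsed: 'open ' keeps its trailing space.
        self.events.append(("find_class", module, name))
        return object()  # sentinel; the real lookup would import `module`

    def persistent_load(self, pid):
        self.events.append(("persistent_load", pid))
        return None


def trace_unpickle(data: bytes, buffers=None) -> dict:
    """Run the tracer and report hook events, the value STOP returned (if
    any) and the exception class name that ended the stream (if any)."""
    unpickler = HookTracingUnpickler(data, buffers=buffers)
    result = error = None
    try:
        result = unpickler.load()
    except Exception as exc:  # EOFError, UnpicklingError, ...
        error = type(exc).__name__
    return {"events": unpickler.events, "result": result, "error": error}


def demo() -> list:
    """Constructed inputs taken from the PR's runtime-proof bullet."""
    return [
        trace_unpickle(b"cposix\nopen \nA"),            # GLOBAL, then an invalid key
        trace_unpickle(b"Pid\n"),                       # PERSID, then EOF
        trace_unpickle(bytes.fromhex("972e"), [b"x"]),  # NEXT_BUFFER + STOP
        trace_unpickle(b"cwebbrowser\nopen\n."),        # complete protocol-0 GLOBAL
    ]
```

The first two traces end in an error (invalid load key, then EOFError) only after find_class('posix', 'open ') and persistent_load('id') have already run, which is why a P-leading or c-leading line cannot be dismissed as harmless text on the strength of a parse failure. The third shows that 0x97 0x2e consumes one out-of-band buffer and returns it from STOP; without a buffers argument the same two bytes raise UnpicklingError instead. The fourth is a complete, valid pickle whose only content is a global reference, the class that blocker 1 reports being misrouted.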

@mldangelo-oai

Contributor Author

@codex review

Updated head 4fd6ca27 addresses the prior Codex review items:

  • Added socket to embedded protocol-0 pickle seed coverage so csocket\nsocket\n... legal-name payloads stay on the pickle route.
  • Removed the overly broad direct whole-stream classifier from the legal-text shortcut after it proved too aggressive for normal Microsoft... license text.
  • Changed encoded-token handling so ordinary long alphabetic license prose does not consume the suspicious encoded-payload budget, while decoded pickle/execution payloads still route before text ownership.
  • Added regressions for long Apache-style license prose and a socket.socket protocol-0 payload containing MIT License text.

Review-fix validation:

  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/scanners/test_text_scanner.py::test_text_scanner_routes_legal_sidecars_before_pickle_probe tests/scanners/test_text_scanner.py::test_directory_scan_routes_legal_sidecar_to_text_before_pickle_probe -q -> 3 passed
  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/utils/file/test_filetype.py -q -k "legal_text or license_prose or malicious_legal_names or binary_pickle_embedded or malformed_or_misleading_legal_names or polyglot_and_oversized" -> 14 passed, 334 deselected
  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/utils/file/test_filetype.py tests/scanners/test_text_scanner.py tests/test_scanner_selection.py tests/scanners/test_zip_scanner.py tests/utils/sources/test_huggingface.py -q -> 1977 passed, 18 skipped, 1 warning
  • uv run ruff format ... / uv run ruff check --fix ... / uv run ruff format --check ... -> clean
  • uv run mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ -> success, 474 source files
  • Pinned microsoft/phi-4@932b33c0ec9ca189badeb22480721a8de9d0e006 LICENSE stream -> exit 0, scanner_names=["text"], pickle_failures=[], no issues
  • Pinned README control -> exit 1 from existing text network findings only, scanner_names=["text"], rule codes S307/S309/S310, pickle_failures=0
  • git diff --check -> clean

Broad rerun note: PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest -n auto -m "not slow and not integration" --maxfail=1 --tb=short --color=no again hit the pre-existing xdist-only cache flake tests/cache/test_cache_correctness.py::test_cached_scan_skips_persisting_scan_timed_out_messages (release_calls == 3, expected 2) after 4981 passes; the exact failing test passes in isolation (1 passed). The same xdist cache flake appeared before the review-fix commit and is unrelated to this routing change.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4fd6ca2754

Comment thread modelaudit/utils/file/detection.py Outdated
Comment thread modelaudit/scanners/text_scanner.py
Comment thread modelaudit/utils/file/detection.py Outdated
@mldangelo-oai

Contributor Author

@codex review

Updated head 0b4186b5 addresses the independent review blockers:

  • Replaced seed/broad protocol-0 heuristics for legal sidecars with structural pickletools.dis validation of complete pickle prefixes and security-bearing embedded protocol-0 globals.
  • Preserved arbitrary valid protocol-0 globals such as webbrowser.open, both direct and inside ZIP members named LICENSE/NOTICE.
  • Kept normal legal prose, including NOTICE. and long Apache-style text with many base64-looking words and system prose, on the text route.
  • Tightened TextScanner.can_handle() so LICENSE/NOTICE basename fallback only claims files that pass the same bounded UTF-8/control/legal-text validation; invalid UTF-8 and NUL-bearing legal sidecars no longer complete under TextScanner.
  • Added direct and ZIP regressions for the three blocker classes.

Validation on 0b4186b5:

  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/utils/file/test_filetype.py -q -k "legal_text or license_prose or malicious_legal_names or binary_pickle_embedded or malformed_or_misleading_legal_names or polyglot_and_oversized" -> 16 passed, 334 deselected
  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/scanners/test_text_scanner.py -q -k "legal_sidecar or invalid_legal_sidecar or directory_scan_routes_legal" -> 5 passed, 430 deselected
  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/scanners/test_zip_scanner.py -q -k "legal_text_member or malicious_pickle_named_license or webbrowser_pickle_named_notice or invalid_legal_member" -> 4 passed, 897 deselected
  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/utils/file/test_filetype.py tests/scanners/test_text_scanner.py tests/test_scanner_selection.py tests/scanners/test_zip_scanner.py tests/utils/sources/test_huggingface.py -q -> 1983 passed, 18 skipped, 1 warning
  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/test_streaming_scan.py -q -> 80 passed
  • uv run ruff format ... / uv run ruff check --fix ... / uv run ruff format --check ... -> clean
  • uv run mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ -> success, 474 source files
  • Pinned microsoft/phi-4@932b33c0ec9ca189badeb22480721a8de9d0e006 LICENSE stream -> exit 0, scanner_names=["text"], pickle_failures=[], no issues
  • Pinned README control -> exit 1 from existing text network findings only, scanner_names=["text"], rule codes S307/S309/S310, pickle_failures=0
  • git diff --check -> clean

Broad rerun note: PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest -n auto -m "not slow and not integration" --maxfail=1 --tb=short --color=no again hit the unrelated xdist-only cache flake tests/cache/test_cache_correctness.py::test_cached_scan_skips_persisting_scan_timed_out_messages (release_calls == 3, expected 2) after 5050 passes; the exact failing test passes in isolation (1 passed).

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Chef's kiss.

@mldangelo-oai

Contributor Author

Updated for the remaining review blockers and pushed commit 6358412b011f7f38942b0fff834b1aba97f84e74.

Changes since the last review:

  • Encoded-payload probing no longer counts plain alphabetic base64-shaped prose words against the ambiguity budget after they decode cleanly and show no pickle route.
  • Text scanner sidecar network classification uses the logical archive member name, so LICENSE members get the same documentation downgrade behavior as direct LICENSE files while preserving the extracted path for scan context.
  • Added explicit malicious protocol-0 requests.get controls for direct legal names and ZIP members.

Validation:

  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/utils/file/test_filetype.py tests/scanners/test_text_scanner.py tests/test_scanner_selection.py tests/scanners/test_zip_scanner.py tests/utils/sources/test_huggingface.py tests/test_streaming_scan.py -q -> 2066 passed, 18 skipped, 1 warning.
  • uv run ruff format ... -> reformatted 1 file; then uv run ruff format --check ... -> 419 files already formatted.
  • uv run ruff check --fix modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ -> all checks passed.
  • uv run mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ -> success, 474 source files.
  • git diff --check -> clean.
  • Focused post-format reruns:
    • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/utils/file/test_filetype.py -q -k "license_prose or malicious_legal_names" -> 9 passed.
    • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/scanners/test_zip_scanner.py -q -k "legal_text_member or logical_legal_member or malicious_pickle_named_license or webbrowser_pickle_named_notice or requests_pickle_named_license" -> 5 passed.
  • Real pinned HF QA, no model weights downloaded:
    • PROMPTFOO_DISABLE_TELEMETRY=1 uv run modelaudit scan --format json --output /tmp/modelaudit-t42-final-license.json --no-cache --stream https://huggingface.co/microsoft/phi-4/resolve/932b33c0ec9ca189badeb22480721a8de9d0e006/LICENSE -> exit 0; success=true, files_scanned=1, scanner_names=["text"], issues=[], no S901/S902/pickle failures.
    • PROMPTFOO_DISABLE_TELEMETRY=1 uv run modelaudit scan --format json --output /tmp/modelaudit-t42-final-readme.json --no-cache --stream https://huggingface.co/microsoft/phi-4/resolve/932b33c0ec9ca189badeb22480721a8de9d0e006/README.md -> exit 1 with existing text findings only; success=true, files_scanned=1, scanner_names=["text"], issue codes S307,S309,S310, no S901/S902/pickle failures.
  • Broad lane: PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest -n auto -m "not slow and not integration" --maxfail=1 --tb=short --color=no hit the pre-existing xdist-only cache flake tests/cache/test_cache_correctness.py::test_cached_scan_skips_persisting_scan_timed_out_messages (release_calls == 3, expected 2) after 4782 passed / 681 skipped; exact isolated rerun passed with PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/cache/test_cache_correctness.py::test_cached_scan_skips_persisting_scan_timed_out_messages -q -vv.

origin/main was fetched immediately before final validation and remains 8d6c4864fe2ea833ceaef1b9803d225afb1e8d69; it is already an ancestor of this branch, so no additive merge was needed.

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. More of your lovely PRs please.

@mldangelo-oai

Contributor Author

Pushed follow-up commit 31aeb0d87746a0facec38b574fd96494bc99b3c0 for the Windows CI failure.

Root cause: the new pinned phi-4 streaming regression wrote _PHI4_LICENSE_TEXT with Path.write_text(). On Windows, newline translation changed the on-disk fixture size from the mocked Hub metadata size (246) to 249, so the test tripped its own bounded-download guard before exercising routing. The fix writes the exact UTF-8 bytes and derives the mocked size from those bytes.

Validation after this follow-up:

  • PROMPTFOO_DISABLE_TELEMETRY=1 uv run pytest tests/utils/sources/test_huggingface.py::TestModelDownloadStreaming::test_download_model_streaming_text_selection_preserves_phi4_license_without_weights -q -vv -> 1 passed.
  • uv run ruff format modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ -> 419 files left unchanged.
  • uv run ruff check --fix modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ -> all checks passed.
  • uv run ruff format --check modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ -> 419 files already formatted.
  • uv run mypy modelaudit/ packages/modelaudit-picklescan/src packages/modelaudit-picklescan/tests tests/ -> success, 474 source files.
  • git diff --check -> clean.

origin/main was fetched again before this validation and remains 8d6c4864fe2ea833ceaef1b9803d225afb1e8d69, already an ancestor of the branch.

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. What shall we delve into next?

@mldangelo-oai

Contributor Author

Exact-head update for 7697c64.

Implemented an additive hardening commit for the remaining review blockers:

  • complete legal UTF-8 LICENSE/NOTICE content stays on text ownership without S901/S902 pickle parse failures;
  • valid protocol-0 webbrowser/global pickles and protocol 1-5 legal-named pickles stay on pickle routing;
  • incomplete embedded protocol-0 pickle continuations fail closed instead of becoming clean text;
  • invalid UTF-8/NUL/misleading suffixes do not bypass binary/pickle fallback;
  • HF streaming now includes the text content-route format so selected text sidecars can be retained by bounded sniffing.

Validation on this exact head:

  • git fetch origin main + git merge --no-edit origin/main: already up to date.
  • Focused routing/archive/HF/CLI matrix: passed.
  • Affected routing/text/archive/HF/core/CLI suite: 3102 passed, 40 skipped.
  • uv run ruff check ...: passed.
  • uv run ruff format --check ...: passed.
  • uv run mypy ...: passed.
  • Package checks: root wheel built; packages/modelaudit-picklescan wheel built.
  • Broad non-slow/non-integration: first xdist run hit unrelated cache xdist race, exact failing cache test passed serially, rerun passed with 17427 passed, 1292 skipped.
  • git diff --check: passed.

Pinned real-model QA without model weights:

  • microsoft/phi-4 932b33c0ec9ca189badeb22480721a8de9d0e006 direct LICENSE: exit 0, scanner_names=["text"], no errors, no issues, no S901/S902.
  • same revision direct README.md: exit 1 with existing text findings, scanner_names=["text"], no pickle routing failures.

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Nice work!

@mldangelo-oai mldangelo-oai requested a review from mldangelo June 11, 2026 10:30
@mldangelo-oai mldangelo-oai enabled auto-merge (squash) June 11, 2026 10:30
@mldangelo-oai mldangelo-oai disabled auto-merge June 11, 2026 13:18
@mldangelo-oai

Contributor Author

Fleet sequencing note: keep the goal active and continue the full review, simplification, conflict resolution, validation, title/body cleanup, and exact-head CI work. Please hold only the final merge until Nightly repair PR #1679 reports MERGED. Immediately afterward, fetch the new origin/main, merge it additively into this published branch (no rebase or force-push), re-run exact-new-head technical gates, and then use the normal squash/admin-review-only merge path. This coordination hold should not pause any other work.

@mldangelo-oai

Contributor Author

Fleet release: Nightly repair PR #1679 is MERGED as b83dff38026574e255756613d46f65f0010a11b6 (2026-06-13 09:07:12Z). Fetch origin/main now and merge that exact current main additively into this published branch; do not rebase or force-push. Reconcile any overlap according to current behavior, re-run the final review/simplification/thread/metadata gates, push, and require exact-new-head CI before squash merge. If main advances again before your merge, repeat the normal merge-from-main and exact-head gate. The prior hold is released; continue the goal through verified merge and post-merge main health.

@mldangelo-oai mldangelo-oai changed the title fix(routing): keep license text out of pickle scanning fix(routing): route verified legal sidecars as text Jun 13, 2026
@mldangelo-oai

Contributor Author

Exact-head takeover update for 138dfd7a6e1aab0e534eb5045c6a763bdf278f7d:

  • merged current main additively through b83dff38026574e255756613d46f65f0010a11b6; no rebase or force-push;
  • completed the full author/reviewer and simplification loops, with no remaining validated P0/P1 blocker or actionable review thread;
  • fixed the validated structured-format, protocol-0 continuation/stack/boundary, archive, streaming, Hugging Face budget, compatibility, and legal-prose cases;
  • canonical local gates passed: Ruff format/check, mypy over 477 files, and 20,538 non-slow/non-integration tests (884 skipped);
  • pinned Phi-4 LICENSE remains clean with no pickle rules, while README retains text-only findings.

The PR title/body now describe the current scope and fail-closed residual behavior. Exact-head GitHub checks are running.

@codex review

@mldangelo-oai

Contributor Author

@codex review

@mldangelo-oai

Contributor Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. 👍

Reviewed commit: bcd8147ed3

@mldangelo-oai

Contributor Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Another round soon, please!

Reviewed commit: 1c407c5752

@mldangelo-oai

Contributor Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Swish!

Reviewed commit: 0ea53d21b8

@mldangelo-oai

Contributor Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. More of your lovely PRs please.

Reviewed commit: 4614e97910

@mldangelo-oai

Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 39564c1367

Comment thread .github/workflows/test.yml Outdated
@mldangelo-oai

Contributor Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Another round soon, please!

Reviewed commit: 965e46eef8

@mldangelo-oai

Contributor Author

Exact-head closeout update: 965e46eef8ee9066b925d420ae911c1c63437814 is validated locally (focused blocker/Jinja/cache 86 passed; focused filetype/bounds 110 passed; dependency audit no known vulnerabilities; ruff/check, mypy, diff whitespace clean; full non-slow/non-integration 21856 passed, 788 skipped). Codex reviewed this exact head with no major issues and unresolved review threads are 0. Waiting only for exact-head CI coverage shards and required codeowner approval before non-bypass merge.

@mldangelo-oai mldangelo-oai enabled auto-merge (squash) June 15, 2026 22:55
@mldangelo-oai

Contributor Author

@mldangelo Exact-head CI is green, Codex exact-head review is clean, and auto-merge (non-bypass squash; merge commits are disabled by repo policy) is armed. Please provide the required codeowner approval for 965e46eef8ee9066b925d420ae911c1c63437814 so GitHub can merge without bypass.

@mldangelo-oai

Contributor Author

@codex review

Exact head ef973c48123580b9e671e5e507d3910064bafd07 adds two additive routing repairs:

  • Removes attacker-derived importlib.util.find_spec calls from legal-sidecar GLOBAL/INST prose disambiguation. A 300-name recording-finder regression confirms no attacker operand reaches import hooks, while arbitrary bundle-provided GLOBAL/INST payloads retain pickle ownership.
  • Allows a previously weak candidate offset to be upgraded once when later line-boundary grammar proves it prevalidated. Raw/base64/hex arbitrary lowercase GLOBAL with a malformed prose tail now routes as pickle; INST fails closed as pickle_routing_inconclusive; incomplete prose near-matches remain text.

Independent exact-head review found no P0-P3 findings and no open P0/P1. Validation includes 243 focused routing tests, 12 additive regressions, 206 independent routing controls, 14 CLI controls, a 432-payload state/budget matrix, and a broader changed-surface run of 3802 passed / 62 skipped. Ruff, mypy, formatting, and diff checks are clean.

@mldangelo-oai mldangelo-oai disabled auto-merge June 16, 2026 20:48
@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Bravo.

Reviewed commit: ef973c4812

Comment thread modelaudit/scanners/base.py