fix(compile): correct threat-prompt doc claim and gate required_hosts on actual download

jamesadevine · Copilot · jamesadevine · commit 211f49897863 · 2026-05-19T15:30:23.000+01:00
Two findings from the latest PR review:

1. docs/template-markers.md falsely claimed that the
   `{{ threat_analysis_prompt }}` marker is emitted as a
   `{{#runtime-import ...}}` when `inlined-imports: false`. The
   threat-analysis prompt is tooling-shipped (compiled into the
   `ado-aw` binary via `include_str!`) and unconditionally inlined at
   step 11 of `compile_shared`. The marker is for the agent body, not
   the threat prompt. Rewrote the paragraph to reflect this and to
   cross-reference the rationale in `src/compile/common.rs`.

2. `AdoScriptExtension::required_hosts()` always requested
   `github.com`, even when `inlined-imports: true` AND no filters were
   configured (so neither `setup_steps()` nor `prepare_steps()` emits
   the NodeTool@0 + curl pair, and github.com is therefore unreachable
   from the pipeline). For a security-sensitive project, the
   allowlist should match the actual network reach of the compiled
   pipeline. Now returns `vec![]` unless `has_gate()` or
   `runtime_imports_active()`. Added three unit tests covering all
   three branches (no-consumer, gate-active, imports-active).

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/docs/template-markers.md b/docs/template-markers.md
@@ -489,7 +489,7 @@ Tool names are validated at compile time:
 
 Should be replaced with the embedded threat detection analysis prompt from `src/data/threat-analysis.md`. This prompt template includes markers for `{{ source_path }}`, `{{ agent_name }}`, `{{ agent_description }}`, and `{{ working_directory }}` which are replaced during compilation.
 
-When `inlined-imports: false`, the compiler emits a top-level `{{#runtime-import ...}}` marker pointing at the bundled threat-analysis prompt that ships in `ado-script.zip`; when `inlined-imports: true`, the expanded prompt body is embedded directly into the YAML.
+When `inlined-imports: false`, the compiler emits a top-level `{{#runtime-import ...}}` marker pointing at the agent's source `.md` file so the agent body is reloaded from the trigger-repo checkout at pipeline runtime. The threat-analysis prompt itself is **always** inlined at compile time via `include_str!` regardless of `inlined-imports`, because it is tooling-shipped (compiled into the `ado-aw` binary) rather than authored alongside agents. See the comment block at step 11 of `compile_shared` in `src/compile/common.rs` for the rationale; this mirrors gh-aw's model.
 
 The threat analysis prompt instructs the security analysis agent to check for:
 - Prompt injection attempts
diff --git a/src/compile/extensions/ado_script.rs b/src/compile/extensions/ado_script.rs
@@ -195,11 +195,18 @@ impl CompilerExtension for AdoScriptExtension {
     }
 
     fn required_hosts(&self) -> Vec<String> {
-        // Either consumer (gate or import resolver) needs github.com to
-        // pull the release artifact at runtime. Conservatively always
-        // requested; the host list is allowlist-additive across
-        // extensions, so a always-on contribution is benign.
-        vec!["github.com".to_string()]
+        // Only request github.com when the bundle is actually downloaded.
+        // When `inlined-imports: true` AND no filters are configured,
+        // neither `setup_steps()` nor `prepare_steps()` emits the
+        // NodeTool@0 + curl pair, so the github.com release-asset host
+        // is never reached and shouldn't be on the allowlist. The host
+        // list is allowlist-additive across extensions, so this stays
+        // safe even when other extensions independently need github.com.
+        if self.has_gate() || self.runtime_imports_active() {
+            vec!["github.com".to_string()]
+        } else {
+            vec![]
+        }
     }
 }
 
@@ -390,6 +397,37 @@ mod tests {
         assert!(ext.validate(&ctx).is_err());
     }
 
+    #[test]
+    fn required_hosts_empty_when_no_consumer_active() {
+        // inlined-imports: true AND no filters ⇒ no NodeTool / no
+        // download / no gate / no resolver step. The github.com host
+        // (used to fetch the release asset) is therefore unreachable
+        // and must NOT be requested.
+        let ext = ext_with(None, None, true);
+        assert!(ext.required_hosts().is_empty());
+    }
+
+    #[test]
+    fn required_hosts_requests_github_when_gate_active() {
+        let filters = PrFilters {
+            labels: Some(LabelFilter {
+                any_of: vec!["run-agent".into()],
+                ..Default::default()
+            }),
+            ..Default::default()
+        };
+        let ext = ext_with(Some(filters), None, true);
+        assert_eq!(ext.required_hosts(), vec!["github.com".to_string()]);
+    }
+
+    #[test]
+    fn required_hosts_requests_github_when_runtime_imports_active() {
+        // inlined-imports: false (default) ⇒ resolver step runs ⇒
+        // github.com is needed for the bundle download.
+        let ext = ext_with(None, None, false);
+        assert_eq!(ext.required_hosts(), vec!["github.com".to_string()]);
+    }
+
     // ── resolve_imports_inline ─────────────────────────────────────────
 
     static NEXT_ID: AtomicUsize = AtomicUsize::new(0);
