fix: address PR review feedback

simongdavies · simongdavies · commit f8f6895cee61 · 2026-04-15T23:10:49.000+01:00
- Fix import detection: use starts_with for from-line matching (no mid-line false positives) - Reject classic PATs (ghp_) early with clear error in both auth scripts - Fix base64url JWT decode for Azure OID extraction (proper padding + urlsafe) - Fix entrypoint.sh: disable set -e around agent run so output collection works on failure - Fix k8s-local-down: use lighter dependency check (no KVM required for teardown) - Fix k8s-infra-down: only require az CLI (not kubectl/envsubst) for teardown - Parameterise namespace in job manifests (uses NAMESPACE from envsubst) - Escape prompt for safe YAML embedding (backslashes, quotes, newlines) Note: edit_handler validation bypass (review comment #7) is a pre-existing issue requiring a larger refactor — tracked separately.
diff --git a/Justfile b/Justfile
@@ -367,7 +367,7 @@ k8s-local-up: _k8s-check-local
     ./deploy/k8s/local/setup.sh
 
 # Tear down local KIND cluster and registry
-k8s-local-down: _k8s-check-local
+k8s-local-down: _k8s-check-common
     ./deploy/k8s/local/teardown.sh
 
 # Build and load image into local KIND cluster
@@ -406,8 +406,11 @@ k8s-local-run +ARGS:
 k8s-infra-up: _k8s-check-azure
     ./deploy/k8s/azure/setup.sh
 
-# Tear down all Azure resources
-k8s-infra-down: _k8s-check-azure
+# Tear down all Azure resources (only requires az CLI)
+k8s-infra-down:
+    #!/usr/bin/env bash
+    command -v az >/dev/null 2>&1 || { echo "Azure CLI (az) is required"; exit 1; }
+    az account show >/dev/null 2>&1 || { echo "Please log in: az login"; exit 1; }
     ./deploy/k8s/azure/teardown.sh
 
 # Stop AKS cluster (save costs when not in use)
diff --git a/deploy/k8s/entrypoint.sh b/deploy/k8s/entrypoint.sh
@@ -5,9 +5,12 @@
 # from the random temp dir to /output/ for kubectl cp retrieval.
 set -e
 
-# Run HyperAgent with all provided arguments
+# Run HyperAgent with all provided arguments.
+# Disable -e so output collection still runs on agent failure.
+set +e
 /app/dist/bin/hyperagent "$@"
 EXIT_CODE=$?
+set -e
 
 # Copy output files from the fs-write temp dir to /output/
 # The fs-write plugin creates /tmp/hyperlight-fs-<random>/
diff --git a/deploy/k8s/manifests/hyperagent-job-keyvault.yaml b/deploy/k8s/manifests/hyperagent-job-keyvault.yaml
@@ -10,7 +10,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ${JOB_NAME}
-  namespace: hyperagent
+  namespace: ${NAMESPACE}
   labels:
     app.kubernetes.io/name: hyperagent
     app.kubernetes.io/part-of: hyperagent
diff --git a/deploy/k8s/manifests/hyperagent-job.yaml b/deploy/k8s/manifests/hyperagent-job.yaml
@@ -8,7 +8,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: ${JOB_NAME}
-  namespace: hyperagent
+  namespace: ${NAMESPACE}
   labels:
     app.kubernetes.io/name: hyperagent
     app.kubernetes.io/part-of: hyperagent
diff --git a/deploy/k8s/setup-auth-keyvault.sh b/deploy/k8s/setup-auth-keyvault.sh
@@ -76,12 +76,27 @@ if [ -z "$TOKEN" ]; then
     echo ""
     echo "Set GITHUB_TOKEN and re-run:"
     echo ""
-    echo "  1. Create a PAT at https://github.com/settings/tokens"
-    echo "     → Click 'Generate new token (classic)'"
-    echo "     → No extra scopes needed"
+    echo "  1. Create a fine-grained PAT at https://github.com/settings/personal-access-tokens/new"
+    echo "     → Do not use 'Generate new token (classic)'"
+    echo "     → No special permissions needed"
+    echo "     → Classic PATs (ghp_) do NOT work — must be fine-grained (github_pat_)"
     echo ""
     echo "  2. Run:"
-    echo "     GITHUB_TOKEN=ghp_your_token_here just k8s-setup-auth-keyvault"
+    echo "     GITHUB_TOKEN=github_pat_your_token_here just k8s-setup-auth-keyvault"
+    echo ""
+    exit 1
+fi
+
+# ── Reject classic PATs early ────────────────────────────────────────
+
+if [[ "$TOKEN" == ghp_* ]]; then
+    log_error "Classic GitHub personal access tokens (ghp_) are not supported by the Copilot SDK."
+    echo ""
+    echo "Create a fine-grained personal access token instead:"
+    echo "  https://github.com/settings/personal-access-tokens/new"
+    echo ""
+    echo "Then re-run with:"
+    echo "  GITHUB_TOKEN=github_pat_your_token_here just k8s-setup-auth-keyvault"
     echo ""
     exit 1
 fi
@@ -93,10 +108,17 @@ log_step "Storing token in Key Vault..."
 # Grant current user permission to set secrets.
 # Extract user OID from the ARM access token JWT — avoids Graph API dependency
 # (az ad signed-in-user / az role assignment --assignee both need Graph scope).
+# JWT payloads use base64url encoding (- instead of +, _ instead of /, no padding)
+# so we use python to handle the decoding correctly.
 CURRENT_USER_OID=$(az account get-access-token --query "accessToken" -o tsv 2>/dev/null \
-    | cut -d. -f2 \
-    | base64 -d 2>/dev/null \
-    | python3 -c "import sys,json; t=json.load(sys.stdin); print(t.get('oid',''))" 2>/dev/null \
+    | python3 -c "
+import sys, json, base64
+token = sys.stdin.read().strip().split('.')[1]
+# Add padding for base64url
+padded = token + '=' * (4 - len(token) % 4)
+payload = json.loads(base64.urlsafe_b64decode(padded))
+print(payload.get('oid', ''))
+" 2>/dev/null \
     || true)
 
 KEYVAULT_ID=$(az keyvault show --name "${KEYVAULT_NAME}" --query id -o tsv)
diff --git a/deploy/k8s/setup-auth.sh b/deploy/k8s/setup-auth.sh
@@ -36,20 +36,30 @@ if [ -z "$TOKEN" ]; then
     echo ""
     echo "Set GITHUB_TOKEN and re-run:"
     echo ""
-    echo "  1. Create a PAT at https://github.com/settings/tokens"
-    echo "     → Click 'Generate new token (classic)'"
-    echo "     → No extra scopes needed"
+    echo "  1. Create a fine-grained PAT at https://github.com/settings/personal-access-tokens/new"
+    echo "     → Do not use 'Generate new token (classic)'"
+    echo "     → No special permissions needed"
     echo ""
     echo "  2. Run:"
-    echo "     GITHUB_TOKEN=ghp_your_token_here just k8s-setup-auth"
+    echo "     GITHUB_TOKEN=github_pat_your_token_here just k8s-setup-auth"
     echo ""
     exit 1
 fi
 
 # ── Validate token format ────────────────────────────────────────────
 
-if [[ ! "$TOKEN" =~ ^(ghp_|gho_|github_pat_|ghu_) ]]; then
-    log_warning "Token doesn't match known GitHub token formats (ghp_, gho_, github_pat_, ghu_)"
+if [[ "$TOKEN" =~ ^ghp_ ]]; then
+    log_error "Classic GitHub personal access tokens (ghp_) are not supported by the Copilot SDK."
+    log_error "Please create a fine-grained personal access token and re-run this script."
+    echo ""
+    echo "Create one at: https://github.com/settings/personal-access-tokens/new"
+    echo "Then: GITHUB_TOKEN=github_pat_... just k8s-setup-auth"
+    echo ""
+    exit 1
+fi
+
+if [[ ! "$TOKEN" =~ ^(gho_|github_pat_|ghu_) ]]; then
+    log_warning "Token doesn't match known GitHub token formats (gho_, github_pat_, ghu_)"
     log_warning "Proceeding anyway — the Copilot SDK will validate it at runtime"
 fi
 
diff --git a/scripts/hyperagent-k8s b/scripts/hyperagent-k8s
@@ -109,7 +109,7 @@ log_info "  Timeout: ${TIMEOUT}s"
 [ -n "$INPUT_DIR" ] && log_info "  Input: ${INPUT_DIR}"
 
 # Export vars for envsubst
-export JOB_NAME IMAGE PROMPT EXTRA_ARGS
+export JOB_NAME IMAGE PROMPT EXTRA_ARGS NAMESPACE
 
 # Select manifest based on auth method (Key Vault vs K8s Secret)
 if kubectl get secretproviderclass hyperagent-keyvault -n "${NAMESPACE}" &>/dev/null; then
@@ -129,8 +129,12 @@ if [ -n "$INPUT_DIR" ]; then
     PROMPT="${PROMPT} Input files are available at /input/ — enable fs-read with baseDir=/input to access them."
 fi
 
+# Escape prompt for safe YAML embedding (double-quoted string).
+# Replace backslashes first, then double quotes, then newlines.
+PROMPT=$(printf '%s' "$PROMPT" | sed 's/\\/\\\\/g; s/"/\\"/g' | tr '\n' ' ')
+
 # Render the job manifest (only substitute our specific variables)
-MANIFEST=$(envsubst '${JOB_NAME} ${IMAGE} ${PROMPT} ${EXTRA_ARGS}' < "${JOB_TEMPLATE}")
+MANIFEST=$(envsubst '${JOB_NAME} ${IMAGE} ${PROMPT} ${EXTRA_ARGS} ${NAMESPACE}' < "${JOB_TEMPLATE}")
 
 # If --input-dir is set, inject an init container and input volume into the manifest.
 # The init container waits for a .ready marker file, which we create after kubectl cp.
diff --git a/src/code-validator/guest/runtime/src/js_parser.rs b/src/code-validator/guest/runtime/src/js_parser.rs
@@ -509,16 +509,22 @@ pub fn extract_all_imports(source: &str) -> Vec<String> {
             imports.push(String::from(stmt.specifier));
         }
         // Also check for `from "..."` pattern on continuation lines.
-        // Only match when `from` is at the start of the line or after `}`
-        // (e.g. `  } from "ha:pptx"` or `  from "ha:pptx"`).
-        // This avoids false positives from prose inside string literals
-        // like: `"an AI that builds documents from 'impressive demo'"`
-        if (trimmed.starts_with("from ")
-            || trimmed.contains("} from ")
-            || trimmed.contains("}from "))
-            && let Some(from_pos) = trimmed.find("from ")
+        // Only match when `from` is at the START of the trimmed line or
+        // immediately after `}` at the start. Using `starts_with` prevents
+        // false positives from `from` appearing mid-line inside strings.
+        if trimmed.starts_with("from ")
+            || trimmed.starts_with("} from ")
+            || trimmed.starts_with("}from ")
         {
-            let rest = &trimmed[from_pos + 5..];
+            let rest = if trimmed.starts_with("from ") {
+                &trimmed[5..]
+            } else if trimmed.starts_with("} from ") {
+                &trimmed[7..]
+            } else {
+                // "}from "
+                &trimmed[6..]
+            };
+
             if let Ok((_, specifier)) = string_literal(rest.trim())
                 && !imports.iter().any(|s: &String| s == specifier)
             {
