Skip to content

fix(review): add expression index for case-insensitive calibration login lookup#5324

Merged
JSONbored merged 1 commit into
mainfrom
codex/propose-fix-for-calibration-lookup-vulnerability
Jul 12, 2026
Merged

fix(review): add expression index for case-insensitive calibration login lookup#5324
JSONbored merged 1 commit into
mainfrom
codex/propose-fix-for-calibration-lookup-vulnerability

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • The canonicalization change in the calibration read used lower(login) = ? which prevents SQLite/D1 from using the existing (login, created_at) index and makes contributor-triggerable reads scan the entire insert-only ledger, risking availability as the ledger grows.
  • A matching expression index preserves the intended case-insensitive lookup semantics while restoring indexed performance for the read path.

Description

  • Add a new migration 0146_predicted_gate_calibration_ledger_login_lower_idx.sql that creates an expression index on lower(login), created_at for the predicted_gate_calibration_ledger table to match the WHERE lower(login) = ? lookup.
  • Add a regression test in test/unit/predicted-gate-calibration-ledger.test.ts that asserts the index predicted_gate_calibration_ledger_login_lower_idx exists and that EXPLAIN QUERY PLAN for the canonicalized query uses that index rather than scanning the table.
  • Refresh generated Worker runtime types (worker-configuration.d.ts) to satisfy the local cf-typegen checks.

Testing

  • Ran npx vitest run test/unit/predicted-gate-calibration-ledger.test.ts, and the unit test file passed (25 tests).
  • Ran npm run db:migrations:check, which reported migrations are contiguous and the next free number is available (0147).
  • Ran git diff --check, which passed with no issues reported for the change set.
  • Ran npm run test:ci, which failed during tsc --noEmit on unrelated, pre-existing type errors (missing @jsonbored/gittensory-engine module/types and implicit-any errors in miner tests), so the full CI gate could not be completed locally.
  • Ran npm audit --audit-level=moderate, which failed due to the npm registry audit endpoint returning 403 Forbidden (external registry error).

Codex Task

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@JSONbored JSONbored self-assigned this Jul 12, 2026
@JSONbored JSONbored marked this pull request as draft July 12, 2026 14:03
@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 12, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 12, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-12 21:36:15 UTC

2 files · 1 AI reviewer · 2 blockers · readiness 93/100 · CI green · clean

⏸️ Suggested Action - Manual Review

Review summary
This PR adds a matching expression index (lower(login), created_at) so the case-insensitive calibration lookup in computeContributorCalibration (predicted-gate-calibration-ledger.ts) can use an index instead of a full table scan, and includes a regression test that verifies both the index's existence and that EXPLAIN QUERY PLAN actually uses it rather than scanning the table. The migration is a plain CREATE INDEX IF NOT EXISTS with no D1-unsupported constructs (no TEMP, PRAGMA, or transaction control), and the test exercises the real read path rather than a fabricated scenario. The PR description references migration '0146' while the actual file is numbered 0147, which is a minor inconsistency but the artifact itself matches the stated 'next free number is 0147' from db:migrations:check.

Nits — 5 non-blocking
  • The PR description references migration file '0146_predicted_gate_calibration_ledger_login_lower_idx.sql' but the actual added file is '0147_...'; fix the description for accuracy since the number matters for review traceability.
  • Confirm whether the drizzle schema.ts also needs an index declaration mirroring this migration for schema/migration parity, since only the migration file is shown here.
  • The 'uses the matching lower(login) expression index...' test at line 240 relies on SQLite's query planner choosing the index for a small in-memory test DB — worth a comment noting this could differ from D1's planner behavior in edge cases, though it's not a blocker.
  • Double check the PR description's migration number reference matches the shipped filename (0147) before merge.
  • If schema.ts tracks indexes via drizzle, add the corresponding index() declaration there to keep schema and migration in parity.

Concerns raised — review before merging

  • No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.
  • Maintainer requires a linked issue — Link the relevant issue (for example Closes #123) before opening the PR.
📋 Copy for AI agents — paste into your coding agent
Fix the following blocker(s) from this PR review:

1. No linked issue detected — If this PR is intended to solve an issue, link it explicitly in the PR body.

2. Maintainer requires a linked issue — Link the relevant issue (for example `Closes #123`) before opening the PR.
Signal Result Evidence
Code review ❌ 2 blockers 1 reviewer
Linked issue ⚠️ Missing No linked issue or no-issue rationale found.
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (no linked issue context).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 44 registered-repo PR(s), 36 merged, 435 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 44 PR(s), 435 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Improvement ✅ Minor risk: clean · value: minor — Code changes are accompanied by test evidence.
Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 44 PR(s), 435 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask <question> answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat <question> answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@JSONbored JSONbored force-pushed the codex/propose-fix-for-calibration-lookup-vulnerability branch from abebdc9 to 94c10f5 Compare July 12, 2026 21:27
@JSONbored JSONbored marked this pull request as ready for review July 12, 2026 21:27
@codecov

codecov Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.71%. Comparing base (ecb18c1) to head (94c10f5).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5324   +/-   ##
=======================================
  Coverage   94.71%   94.71%           
=======================================
  Files         555      555           
  Lines       44526    44526           
  Branches    14664    14664           
=======================================
  Hits        42172    42172           
  Misses       1619     1619           
  Partials      735      735           
Flag Coverage Δ
shard-1 44.02% <ø> (ø)
shard-2 35.22% <ø> (ø)
shard-3 32.01% <ø> (ø)
shard-4 32.08% <ø> (ø)
shard-5 32.73% <ø> (ø)
shard-6 43.47% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 12, 2026
@JSONbored JSONbored merged commit 293ed1e into main Jul 12, 2026
18 checks passed
@JSONbored JSONbored deleted the codex/propose-fix-for-calibration-lookup-vulnerability branch July 12, 2026 21:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aardvark codex gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant