fix(evidence): include auth headers for evidence-trail fetches #19504

Closed
BrianCLong wants to merge 1 commit into main from codex/add-evidence-trail-peek-overlay-component-bo5x5v

@BrianCLong
Owner

Motivation

  • Ensure tenant-scoped, authenticated reads to the evidence endpoints succeed and return tenant-specific data by including the app auth token on client fetches from the Evidence-Trail Peek UI (apps/web/src/components/evidence/EvidenceTrailPeek.tsx).

Description

  • Add a buildAuthHeaders helper that reads auth_token from localStorage and attaches Authorization: Bearer <token> (plus Content-Type) when present, and use it for the three parallel fetches to /api/evidence-index, /api/evidence-top, and /api/claim-ranking in EvidenceTrailPeek.

Testing

  • No additional automated tests were added or run for this small fix; CI should run the existing server unit tests (server/src/routes/__tests__/evidence-trail-peek.test.ts) and the Cypress E2E spec (e2e/tests/evidence-trail-peek.cy.ts) included in the feature PR to validate behavior in an authenticated environment.

Codex Task

@BrianCLong BrianCLong added the codex Codex-owned implementation work label Mar 7, 2026 — with ChatGPT Codex Connector
@chatgpt-codex-connector

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses an authentication issue in the Evidence-Trail Peek UI by ensuring that all client-side fetches to evidence-related API endpoints include the necessary authentication headers. This change guarantees that the UI can successfully retrieve and display tenant-specific data, thereby enhancing the security and correctness of the evidence-trail feature.

Highlights

  • Authentication Headers for Evidence-Trail Fetches: Implemented a buildAuthHeaders helper to retrieve the auth_token from localStorage and attach it as a Bearer token in Authorization headers for API requests.
  • Integration with EvidenceTrailPeek Component: Integrated the buildAuthHeaders helper into the EvidenceTrailPeek component for all three parallel fetches to /api/evidence-index, /api/evidence-top, and /api/claim-ranking.
  • Tenant-Scoped Data Access: Ensured tenant-scoped and authenticated reads for the Evidence-Trail Peek UI, allowing it to display tenant-specific data correctly.

Changelog
  • agents/examples/EVIDENCE_TRAIL_PEEK_20260208.json
    • Added a new agent example configuration for the Evidence-Trail Peek feature.
  • apps/web/src/components/CopilotPanel.tsx
    • Imported EvidenceTrailPeek component and feature flag utilities.
    • Conditionally rendered the EvidenceTrailPeek button.
  • apps/web/src/components/evidence/EvidenceTrailPeek.tsx
    • Added a new React component for displaying the Evidence-Trail Peek overlay.
    • Included data fetching logic with authentication headers.
  • apps/web/src/config/features.ts
    • Added a new feature flag, evidenceTrailPeek, to control the visibility and functionality of the Evidence-Trail Peek UI.
  • apps/web/src/panes/GraphPane.tsx
    • Integrated the EvidenceTrailPeek component and added feature flag checks.
    • Implemented right-click context menu functionality for graph nodes to trigger the evidence trail.
  • apps/web/src/telemetry/evidenceTrailPeek.ts
    • Added a new utility for recording telemetry events specific to the Evidence-Trail Peek feature.
  • docs/ops/runbooks/evidence-trail-peek.md
    • Added a new runbook detailing the summary, enablement, health checks, rollback procedures, and observability for the Evidence-Trail Peek feature.
  • docs/roadmap/STATUS.json
    • Updated the roadmap status to include the 'evidence-trail-peek' initiative.
    • Incremented the total count of initiatives.
  • docs/security/data-handling/evidence-trail-peek.md
    • Added new documentation outlining data handling, classification, logging policies, retention, access control, and MAESTRO alignment for Evidence-Trail Peek.
  • docs/standards/evidence-trail-peek.md
    • Added a new standards document detailing the purpose, scope, data contracts, feature flag, import/export matrix, telemetry, MAESTRO alignment, and non-goals for Evidence-Trail Peek.
  • e2e/tests/evidence-trail-peek.cy.ts
    • Added a new Cypress end-to-end test to validate the functionality and display of the Evidence-Trail Peek UI.
  • packages/decision-ledger/decision_ledger.json
    • Added a new entry to the decision ledger for the implementation of the Evidence-Trail Peek feature.
  • prompts/features/evidence-trail-peek@v1.md
    • Added a new prompt definition outlining the objective, requirements, guardrails, and deliverables for the Evidence-Trail Peek feature.
  • prompts/registry.yaml
    • Registered the new evidence-trail-peek prompt with its scope and verification requirements.
  • server/src/app.ts
    • Imported and registered the new evidenceTrailPeekRouter to handle API requests for evidence-trail data.
  • server/src/routes/__tests__/evidence-trail-peek.test.ts
    • Added new unit tests for the /api/evidence-index, /api/evidence-top, and /api/claim-ranking endpoints.
    • Verified scope parameters, timeline, artifacts, and claim ranking in tests.
  • server/src/routes/evidence-trail-peek.ts
    • Added new API routes (/evidence-index, /evidence-top, /claim-ranking) for fetching evidence trail data.
    • Included authentication, tenant scoping, and claim ranking logic in the new routes.
Activity
  • No human activity was detected on this pull request.

@coderabbitai

coderabbitai bot commented Mar 7, 2026

Warning

Rate limit exceeded

@BrianCLong has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 47 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 68c99c3 and 45a683e.

📒 Files selected for processing (17)
  • agents/examples/EVIDENCE_TRAIL_PEEK_20260208.json
  • apps/web/src/components/CopilotPanel.tsx
  • apps/web/src/components/evidence/EvidenceTrailPeek.tsx
  • apps/web/src/config/features.ts
  • apps/web/src/panes/GraphPane.tsx
  • apps/web/src/telemetry/evidenceTrailPeek.ts
  • docs/ops/runbooks/evidence-trail-peek.md
  • docs/roadmap/STATUS.json
  • docs/security/data-handling/evidence-trail-peek.md
  • docs/standards/evidence-trail-peek.md
  • e2e/tests/evidence-trail-peek.cy.ts
  • packages/decision-ledger/decision_ledger.json
  • prompts/features/evidence-trail-peek@v1.md
  • prompts/registry.yaml
  • server/src/app.ts
  • server/src/routes/__tests__/evidence-trail-peek.test.ts
  • server/src/routes/evidence-trail-peek.ts

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces the 'Evidence-Trail Peek' feature, adding a UI overlay to display evidence for answers and graph nodes, encompassing new frontend components, read-only API endpoints, telemetry, and documentation. A significant security vulnerability identified is a potential Cross-Site Scripting (XSS) issue in the UI component, where untrusted URLs from the API are directly rendered into href attributes; proper sanitization is crucial to prevent malicious script execution. Additionally, potential security vulnerabilities related to token storage and tenant handling need to be addressed. On a positive note, access control and SQL injection prevention seem correctly implemented through tenant scoping and parameterized queries. The review also includes suggestions to enhance type safety and maintainability in the new components.

Comment on lines +74 to +85
const buildAuthHeaders = () => {
const token = localStorage.getItem('auth_token');
if (!token) {
return {
'Content-Type': 'application/json',
};
}
return {
'Content-Type': 'application/json',
Authorization: `Bearer ${token}`,
};
};
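
Review bot: In `buildAuthHeaders`, the `if (!token)` branch returns headers without `Authorization` and gives the caller no signal, so the fetches still go out, unauthenticated, and the problem only shows up as a server-side rejection. Consider skipping the requests (or surfacing a signed-out state) when `auth_token` is absent. The two return objects also repeat `'Content-Type': 'application/json'`; building one base object and adding `Authorization` conditionally keeps them from drifting apart.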

high

Storing authentication tokens in localStorage is a security risk as it makes the token accessible to any script running on the page, which can lead to token theft via Cross-Site Scripting (XSS) attacks. It is strongly recommended to store sensitive tokens in httpOnly cookies to prevent access from JavaScript. If using httpOnly cookies is not feasible, ensure that you have strong Content Security Policy (CSP) and other measures to mitigate XSS vulnerabilities.

return [] as EvidenceBadge[];
}

const href = `/api/provenance-beta/evidence/${evidenceId}?tenant=${encodeURIComponent(tenantId)}`;
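
Review bot: On the `href` line, `tenantId` goes through `encodeURIComponent` but `evidenceId` is interpolated into the path segment as-is. If an evidence id can contain `/`, `?` or `#`, the link resolves to a different route or query string than intended; encode it the same way, `${encodeURIComponent(evidenceId)}`.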

high

The generated href for evidence badges includes the tenantId as a query parameter. This is a potential security vulnerability. The receiving endpoint (/api/provenance-beta/evidence/:id) must not trust this parameter. It should exclusively use the tenantId from the authenticated user's session (req.user.tenantId) for database queries. Relying on a client-controlled query parameter for tenancy checks can lead to Insecure Direct Object Reference (IDOR) vulnerabilities, allowing users to potentially access data from other tenants. Please verify that the target endpoint correctly ignores this query parameter in favor of the session tenant ID.

</div>
{artifact.location && (
<a
href={artifact.location}

security-medium medium

The artifact.location value is directly assigned to the href attribute of an <a> tag without sanitization. If an attacker can control the storage_uri of an evidence artifact (e.g., through a malicious ingestion source), they could inject a javascript: URL, leading to execution of arbitrary JavaScript in the user's browser when the link is clicked.

Suggested change
href={artifact.location}
href={artifact.location.startsWith('javascript:') ? '#' : artifact.location}
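
Review bot: The suggested `startsWith('javascript:')` test is a case-sensitive literal match against a single scheme, which makes it a denylist: any other non-web scheme, or a differently cased or padded spelling of this one, still reaches `href`. Parse the value with `new URL(...)` and render the link only when `protocol` is `http:` or `https:`.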

<>
{' '}
<a
href={support.location}

security-medium medium

The support.location value is used directly in an href attribute without sanitization. This allows for potential XSS if the location contains a javascript: URL.

Suggested change
href={support.location}
href={support.location.startsWith('javascript:') ? '#' : support.location}
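
The scheme check raised in the two comments above on `artifact.location` and `support.location`, written as a scheme allowlist. This is an added example, not code from the pull request or from the reviewer; `safeHref`, `prefixDenylist`, `ALLOWED_SCHEMES`, `DEFAULT_BASE` and the sample values are assumptions made for illustration.

```typescript
// Added example (not from the pull request): allowlist the URL scheme of
// API-supplied link targets before they reach an href attribute.
// safeHref, prefixDenylist, ALLOWED_SCHEMES and DEFAULT_BASE are hypothetical.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Constructed placeholder; in the browser pass window.location.origin instead.
const DEFAULT_BASE = 'https://app.example.invalid';

// Mirrors the prefix check from the review suggestion, kept for comparison.
function prefixDenylist(raw: string): string {
  return raw.startsWith('javascript:') ? '#' : raw;
}

// Returns a normalized absolute URL, or null when the value must not be linked.
function safeHref(raw: unknown, base: string = DEFAULT_BASE): string | null {
  if (typeof raw !== 'string' || raw.trim() === '') {
    return null;
  }
  let parsed: URL;
  try {
    // The URL parser lowercases the scheme and strips leading whitespace and
    // embedded tabs/newlines, so the check sees the scheme a browser would use.
    parsed = new URL(raw, base);
  } catch {
    return null; // unparseable input is never rendered as a link
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Constructed sample values standing in for artifact.location / support.location.
const SAMPLES: string[] = [
  'https://evidence.example.invalid/a/1.pdf',
  '/api/provenance-beta/evidence/ev-1?tenant=t-1',
  'javascript:void(0)',
  ' JavaScript:void(0)',
  'data:text/html,placeholder',
  's3://bucket/key',
];

// Runs both checks over the samples so the two results can be compared per input.
function classify(samples: string[]): Array<[string, string, string | null]> {
  return samples.map((s): [string, string, string | null] => [s, prefixDenylist(s), safeHref(s)]);
}

for (const [input, denylist, allowlist] of classify(SAMPLES)) {
  console.log(JSON.stringify({ input, denylist, allowlist }));
}
```

In a component, the anchor would be rendered only when `safeHref(...)` returns a non-null value, which also covers a missing or non-string `location`.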

}, [selectEntity]);

const handleNodeRightClick = useCallback(
(node: any, event?: MouseEvent) => {

medium

The node parameter in handleNodeRightClick is typed as any. For better type safety and code maintainability, it's recommended to use a more specific type. Since only node.id is used in this function, you can type it as an object with an id property.

Suggested change
(node: any, event?: MouseEvent) => {
(node: { id: string }, event?: MouseEvent) => {

return Math.min(value, max);
};

const getTenantId = (req: any) => req.user?.tenantId || req.user?.tenant_id || 'unknown';
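
Review bot: In `getTenantId`, the `'unknown'` fallback is a string like any other tenant id, so a request with no tenant on `req.user` is scoped to a shared pseudo-tenant instead of being rejected. Return `undefined` (or throw) here and have the routes answer with an authorization error when it is missing, so a missing tenant can never match stored rows.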

medium

The getTenantId function falls back to 'unknown' if a tenant ID is not found on the user object. While the subsequent database queries will likely return no results for an 'unknown' tenant (which is a safe failure mode), it's better practice to fail explicitly by throwing an error or sending an error response. This "fail-fast" approach makes it easier to detect and debug issues where a user's session might be missing a tenant ID. Also, consider providing a specific type for the req parameter instead of any for improved type safety.


@github-actions github-actions bot left a comment


🤖 Auto-approved by Mega Merge Orchestrator


@BrianCLong
Owner Author

Temporarily closing to reduce Actions queue saturation and unblock #22241. Reopen after the golden-main convergence PR merges.


@BrianCLong BrianCLong closed this Mar 30, 2026

Labels

codex Codex-owned implementation work queue:blocked
