docs: add CAC PR-ready enforcement prompt#22312
Conversation
Code Review
This pull request introduces a new prompt specification, 'CAC Enforcement Prompt — Drift-Proof, Merge-Ready', which defines strict requirements for an AI agent to generate mergeable patches for Compliance as Code (CAC) enforcement. The feedback identifies a contradiction in the PR stack plan requirements and suggests aligning the final completion gate with the previously defined hard failure rules to ensure all security controls are verified.
|
|
||
| ## Required Deliverable Format | ||
|
|
||
| ### 1) PR Stack Plan (exact block) |
The instruction 'exact block' for the PR Stack Plan contradicts the rule on line 9 which allows for a variable number of PRs ('at most 7 PRs and at least 1 PR'). If the agent determines that fewer than 7 PRs are needed, it will be unable to provide the 'exact block' as specified. Changing this to 'template' or 'suggested structure' allows the agent to adapt the plan to the actual work required.
| ### 1) PR Stack Plan (exact block) | |
| ### 1) PR Stack Plan (template) |
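Review bot: renaming the heading to "(template)" removes the contradiction with the 1-to-7 PR range noted above, but the section under it should then state what each PR entry in the template must contain, otherwise the machine-checkable shape that "exact block" was meant to guarantee is lost with nothing replacing it. Suggest keeping the fixed per-entry layout and saying only the number of entries is variable, e.g. "one entry per PR, at least 1 and at most 7".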
| ## Completion Gate | ||
| Task is complete only if all are true: | ||
| 1. PR without evidence fails in CI. | ||
| 2. Non-deterministic artifacts fail in CI. | ||
| 3. Invalid CAC verdict is blocked at deploy/admission. | ||
| 4. Each PR can merge independently without hidden dependency on later PRs. |
The 'Completion Gate' criteria do not fully align with the 'Hard Failure Rules' defined earlier. Specifically, the requirement for the branch protection drift sentinel (Rule 4 on line 21) is missing from the final checklist. Including it ensures the agent verifies this critical security control before completing the task.
| ## Completion Gate | |
| Task is complete only if all are true: | |
| 1. PR without evidence fails in CI. | |
| 2. Non-deterministic artifacts fail in CI. | |
| 3. Invalid CAC verdict is blocked at deploy/admission. | |
| 4. Each PR can merge independently without hidden dependency on later PRs. | |
| ## Completion Gate | |
| Task is complete only if all are true: | |
| 1. PR without evidence fails in CI. | |
| 2. Non-deterministic artifacts fail in CI. | |
| 3. Invalid CAC verdict is blocked at deploy/admission. | |
| 4. Branch protection drift sentinel verifies CAC check presence. | |
| 5. Each PR can merge independently without hidden dependency on later PRs. |
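Review bot: the added item 4, "Branch protection drift sentinel verifies CAC check presence", describes an activity rather than a fail-closed outcome, while items 1 to 3 are all phrased as what fails or is blocked. Suggest matching that register so the gate is unambiguous about the result, e.g. "4. A protected branch without the CAC required status check fails the branch protection drift sentinel in CI."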
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f4782dcada
| @@ -0,0 +1,120 @@ | |||
| # CAC Enforcement Prompt — Drift-Proof, Merge-Ready | |||
Register this prompt in the immutable prompt registry
This new prompt is not accompanied by a prompts/registry.yaml entry, which makes it unusable in the governed agent flow because PR metadata validation resolves prompts strictly by hash and throws when the hash is missing (scripts/ci/validate-pr-metadata.ts lines 120-125). As written, any task that references this prompt cannot pass the required metadata/integrity checks until the prompt id/path/hash/scope are added to the registry.
|
|
||
| ### 5) Drift Sentinel Extension (mandatory) | ||
| Extend: | ||
| - `/scripts/check_branch_protection_drift.mjs` |
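Review bot: the "Extend:" entry is root-anchored (`/scripts/check_branch_protection_drift.mjs`), so an agent following it literally may look outside the repository or, as the comment below notes, edit a wrapper while the CI-invoked sentinel at `scripts/ci/check_branch_protection_drift.mjs` is left unchanged. Suggest writing the path repo-relative without the leading slash and naming the script that the CI gate actually runs, or stating that both scripts must be extended if the wrapper is intentional.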
Target the CI-enforced branch-protection checker path
The prompt tells implementers to extend /scripts/check_branch_protection_drift.mjs, but the enforced gate and integration tests invoke scripts/ci/check_branch_protection_drift.mjs (see package.json ci:branch-protection:check and tests/integration/ci-gate.test.mjs). Following this instruction literally can place CAC-required-check logic in the wrapper script while leaving the actual CI sentinel unchanged, so the required protection check may never be enforced in CI.
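The comment above is about a branch-protection drift sentinel whose job is to confirm, in CI, that the CAC required check is still configured on the protected branch. The block below is an added example of such a sentinel written for this page; it is not the repository's `check_branch_protection_drift.mjs`. The payload shape follows the GitHub branch-protection API (`required_status_checks.contexts` / `.checks`, `enforce_admins.enabled`); the check name `cac/verdict` and both sample payloads are constructed for the example.

```javascript
// Added example (not the project's sentinel script): fail-closed check that
// the CAC verdict status check is required on a protected branch.
// Check name and sample payloads are constructed assumptions.

const CAC_REQUIRED_CHECK = "cac/verdict"; // assumed name of the CAC verdict check

// Normalise both API shapes (legacy `contexts` and newer `checks`) into a Set.
function requiredContexts(protection) {
  const rsc = protection && protection.required_status_checks;
  if (!rsc) return new Set();
  const names = [
    ...(Array.isArray(rsc.contexts) ? rsc.contexts : []),
    ...(Array.isArray(rsc.checks) ? rsc.checks.map((c) => c && c.context) : []),
  ];
  return new Set(names.filter((n) => typeof n === "string"));
}

// Produce a drift report. `ok` is true only when every control is present;
// every missing control is listed so the CI log says exactly what drifted.
function checkCacDrift(protection, requiredCheck = CAC_REQUIRED_CHECK) {
  const problems = [];
  const rsc = protection && protection.required_status_checks;
  if (!rsc) {
    problems.push("required_status_checks is disabled");
  } else {
    if (rsc.strict !== true) {
      problems.push("required_status_checks.strict is not true (stale branches may merge)");
    }
    if (!requiredContexts(protection).has(requiredCheck)) {
      problems.push(`required check "${requiredCheck}" is missing`);
    }
  }
  const admins = protection && protection.enforce_admins;
  if (!admins || admins.enabled !== true) {
    problems.push("enforce_admins is disabled (administrators can bypass the gate)");
  }
  return { ok: problems.length === 0, problems };
}

// CI exit-code semantics: any drift fails the job (fail closed).
function exitCodeFor(report) {
  return report.ok ? 0 : 1;
}

// Constructed sample: compliant protection settings.
const COMPLIANT = {
  required_status_checks: { strict: true, contexts: ["ci/test", "cac/verdict"] },
  enforce_admins: { enabled: true },
};

// Constructed sample: drifted settings (CAC check removed, admin bypass on).
const DRIFTED = {
  required_status_checks: { strict: true, checks: [{ context: "ci/test", app_id: null }] },
  enforce_admins: { enabled: false },
};

// Run both samples; returns the reports so they can be inspected or asserted on.
function runSamples() {
  const out = {};
  for (const [name, payload] of [["compliant", COMPLIANT], ["drifted", DRIFTED]]) {
    const report = checkCacDrift(payload);
    out[name] = report;
    console.log(name, report.ok ? "OK" : "DRIFT", report.problems);
  }
  return out;
}

runSamples();
```

In a real sentinel the payload would come from the branch-protection endpoint and the process would exit with `exitCodeFor(report)`; the point of the example is that the required check being absent is a CI failure, not a warning, and that the check also catches the two settings (`strict` off, `enforce_admins` off) that would let the gate be bypassed even when the check itself is listed.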
Closed as prompt/spec collateral, not executable golden-path work. Keep the executable enforcement lane on #22309.
Pull request was closed
Motivation
Description
`prompts/cac-pr-ready-enforcement.prompt.md`, a hardened prompt that specifies the exact PR stack, required files/scripts (`/scripts/verify_determinism.mjs`, `/scripts/check_branch_protection_drift.mjs`, `/apps/ingestion/validator.ts`, Kyverno policy, test locations, CI gate requirements), failure conditions (missing evidence, nondeterminism, inadmissible verdicts), and the deliverable/validation format for downstream patch generation.
Testing
`wc -l prompts/cac-pr-ready-enforcement.prompt.md`, `sed -n '1,40p' prompts/cac-pr-ready-enforcement.prompt.md`, and `nl -ba prompts/cac-pr-ready-enforcement.prompt.md | sed -n '1,220p'`, and registered PR metadata via the repository PR tooling; these checks succeeded (no CI or lint runs were invoked as part of this change).
Codex Task