2 changes: 1 addition & 1 deletion README.md
@@ -1,3 +1,3 @@
# PolicyMesh

[![CI](https://github.com/Conalh/PolicyMesh/actions/workflows/ci.yml/badge.svg)](https://github.com/Conalh/PolicyMesh/actions/workflows/ci.yml)
@@ -103,7 +103,7 @@
steps:
- uses: actions/checkout@v6

- uses: Conalh/PolicyMesh@v0.1.16
- uses: Conalh/PolicyMesh@v0.1.17
with:
fail-on: none
```
19 changes: 15 additions & 4 deletions dist/mesh/engine.js
@@ -1,3 +1,3 @@
import { isBroadAllow, isSensitiveDeny } from '../parsers/claude.js';
import { codexSandboxRank } from '../parsers/codex.js';
export function runMeshRules(policies) {
@@ -506,7 +506,7 @@
return servers
.map((server) => {
const keys = uniqueSorted(Object.keys(server.env));
return `${server.surfaceId} uses ${keys.length > 0 ? keys.join(', ') : 'no env variables'}`;
return `${surfaceLabel(server.surfaceId)} uses ${keys.length > 0 ? keys.join(', ') : 'no env variables'}`;
})
.join('; ');
}
@@ -530,17 +530,28 @@
return servers
.map((server) => {
const keys = uniqueSorted(Object.keys(server.headers));
return `${server.surfaceId} uses ${keys.length > 0 ? keys.join(', ') : 'no headers'}`;
return `${surfaceLabel(server.surfaceId)} uses ${keys.length > 0 ? keys.join(', ') : 'no headers'}`;
})
.join('; ');
}
function summarizeEnabledStates(servers) {
return servers
.map((server) => `${server.enabled ? 'enabled' : 'disabled'} in ${server.surfaceId}`)
.map((server) => `${server.enabled ? 'enabled' : 'disabled'} in ${surfaceLabel(server.surfaceId)}`)
.join('; ');
}
function formatSurfaceList(surfaces) {
return surfaces.join(', ');
return surfaces.map(surfaceLabel).join(', ');
}
function surfaceLabel(surface) {
const labels = {
root_mcp: 'Root MCP',
cursor_mcp: 'Cursor MCP',
vscode_mcp: 'VS Code MCP',
windsurf_mcp: 'Codeium/Windsurf MCP',
claude: 'Claude',
codex: 'Codex'
};
return labels[surface];
}
function listOtherAgentSurfaces(policies) {
const surfaces = policies.mcpSurfaces
4 changes: 2 additions & 2 deletions package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "policymesh",
"version": "0.1.16",
"version": "0.1.17",
"description": "Cross-surface AI agent policy consistency review.",
"type": "module",
"keywords": [
20 changes: 16 additions & 4 deletions src/mesh/engine.ts
@@ -1,3 +1,3 @@
import { isBroadAllow, isSensitiveDeny } from '../parsers/claude.js';
import { codexSandboxRank } from '../parsers/codex.js';
import type { Finding, MatrixRow, McpServer, RepoPolicies, SurfaceId } from '../types.js';
@@ -588,7 +588,7 @@
return servers
.map((server) => {
const keys = uniqueSorted(Object.keys(server.env));
return `${server.surfaceId} uses ${keys.length > 0 ? keys.join(', ') : 'no env variables'}`;
return `${surfaceLabel(server.surfaceId)} uses ${keys.length > 0 ? keys.join(', ') : 'no env variables'}`;
})
.join('; ');
}
@@ -616,19 +616,31 @@
return servers
.map((server) => {
const keys = uniqueSorted(Object.keys(server.headers));
return `${server.surfaceId} uses ${keys.length > 0 ? keys.join(', ') : 'no headers'}`;
return `${surfaceLabel(server.surfaceId)} uses ${keys.length > 0 ? keys.join(', ') : 'no headers'}`;
})
.join('; ');
}

function summarizeEnabledStates(servers: McpServer[]): string {
return servers
.map((server) => `${server.enabled ? 'enabled' : 'disabled'} in ${server.surfaceId}`)
.map((server) => `${server.enabled ? 'enabled' : 'disabled'} in ${surfaceLabel(server.surfaceId)}`)
.join('; ');
}

function formatSurfaceList(surfaces: SurfaceId[]): string {
return surfaces.join(', ');
return surfaces.map(surfaceLabel).join(', ');
}

function surfaceLabel(surface: SurfaceId): string {
const labels: Record<SurfaceId, string> = {
root_mcp: 'Root MCP',
cursor_mcp: 'Cursor MCP',
vscode_mcp: 'VS Code MCP',
windsurf_mcp: 'Codeium/Windsurf MCP',
claude: 'Claude',
codex: 'Codex'
};
return labels[surface];
}

function listOtherAgentSurfaces(policies: RepoPolicies): SurfaceId[] {
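Review bot: `surfaceLabel` ends in `return labels[surface];` with no fallback, so a surface id outside the six keys comes back as `undefined` and the finding text reads "undefined uses …", dropping the one detail that says where the drift is. `Record<SurfaceId, string>` guards this only at compile time; the same lookup in dist/mesh/engine.js has no check at all, and if a `surfaceId` can ever come from parsed configuration rather than a fixed list (not visible in this hunk) a key such as `constructor` would resolve through the prototype chain. I would hoist the table to a module-level `SURFACE_LABELS` constant so it is not rebuilt on every call, and return `Object.hasOwn(SURFACE_LABELS, surface) ? SURFACE_LABELS[surface] : surface`. The callers in the @@ -588 hunk go through the same lookup; `listOtherAgentSurfaces` continues outside the hunk.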
21 changes: 13 additions & 8 deletions test/cli-output.test.mjs
@@ -1,3 +1,3 @@
import test from 'node:test';
import assert from 'node:assert/strict';
import { execFile } from 'node:child_process';
@@ -219,7 +219,9 @@
assert.equal(report.findings[0].severity, 'low');
assert.equal(report.findings[0].subject, 'github');
assert.deepEqual(report.findings[0].surfaces, ['root_mcp', 'cursor_mcp']);
assert.match(report.findings[0].message, /missing from cursor_mcp/);
assert.match(report.findings[0].message, /defined in Root MCP/);
assert.match(report.findings[0].message, /missing from Cursor MCP/);
assert.doesNotMatch(report.findings[0].message, /root_mcp|cursor_mcp/);
});

test('CLI reports MCP server enabled-state drift across surfaces', async () => {
@@ -239,8 +241,9 @@
assert.equal(report.findings[0].severity, 'medium');
assert.equal(report.findings[0].subject, 'github');
assert.deepEqual(report.findings[0].surfaces, ['root_mcp', 'cursor_mcp']);
assert.match(report.findings[0].message, /enabled in root_mcp/);
assert.match(report.findings[0].message, /disabled in cursor_mcp/);
assert.match(report.findings[0].message, /enabled in Root MCP/);
assert.match(report.findings[0].message, /disabled in Cursor MCP/);
assert.doesNotMatch(report.findings[0].message, /root_mcp|cursor_mcp/);
});

test('CLI reports MCP server environment drift without leaking values', async () => {
@@ -261,8 +264,9 @@
assert.equal(report.findings[0].subject, 'github');
assert.deepEqual(report.findings[0].surfaces, ['root_mcp', 'vscode_mcp']);
assert.match(report.findings[0].message, /environment variable names differ/);
assert.match(report.findings[0].message, /GITHUB_TOKEN/);
assert.match(report.findings[0].message, /GH_TOKEN/);
assert.match(report.findings[0].message, /Root MCP uses GITHUB_TOKEN/);
assert.match(report.findings[0].message, /VS Code MCP uses GH_TOKEN/);
assert.doesNotMatch(report.findings[0].message, /root_mcp|vscode_mcp/);
assert.doesNotMatch(stdout, /root-token-value/);
assert.doesNotMatch(stdout, /vscode-token-value/);
});
@@ -306,8 +310,9 @@
assert.equal(report.findings[0].subject, 'analytics');
assert.deepEqual(report.findings[0].surfaces, ['root_mcp', 'vscode_mcp']);
assert.match(report.findings[0].message, /header names differ/);
assert.match(report.findings[0].message, /Authorization/);
assert.match(report.findings[0].message, /X-API-Key/);
assert.match(report.findings[0].message, /Root MCP uses Authorization/);
assert.match(report.findings[0].message, /VS Code MCP uses X-API-Key/);
assert.doesNotMatch(report.findings[0].message, /root_mcp|vscode_mcp/);
assert.doesNotMatch(stdout, /root-header-secret/);
assert.doesNotMatch(stdout, /vscode-header-secret/);
});
@@ -450,7 +455,7 @@

const missingAnnotations = stdout
.split('\n')
.filter((line) => line.includes('missing from cursor_mcp'));
.filter((line) => line.includes('missing from Cursor MCP'));

assert.deepEqual(
missingAnnotations.map((line) => /^::warning file=([^,]+)/.exec(line)?.[1]).sort(),
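Review bot: The new negative assertions, e.g. `assert.doesNotMatch(report.findings[0].message, /root_mcp|cursor_mcp/)`, name only the two ids present in each fixture and inspect only `findings[0]`, so a raw id leaking for another surface or in a later finding would still pass. A pattern over the id shape, such as `assert.doesNotMatch(finding.message, /\b[a-z]+_mcp\b/)` applied to every finding, would keep holding as surfaces are added. None of the visible hunks exercises the `windsurf_mcp`, `claude` or `codex` labels, or an id missing from the label table; a case asserting that no message contains `undefined` would cover that. The existing `doesNotMatch(stdout, /root-token-value/)` and header-secret checks are rightly kept, since the label change sits on the same message path as the env and header names.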
10 changes: 5 additions & 5 deletions test/workflow.test.mjs
@@ -1,3 +1,3 @@
import test from 'node:test';
import assert from 'node:assert/strict';
import { execFile } from 'node:child_process';
@@ -10,15 +10,15 @@
const testDir = dirname(fileURLToPath(import.meta.url));
const packageRoot = join(testDir, '..');

test('release metadata is prepared for v0.1.16 Action users', async () => {
test('release metadata is prepared for v0.1.17 Action users', async () => {
const packageJson = JSON.parse(await readFile(join(packageRoot, 'package.json'), 'utf8'));
const packageLock = JSON.parse(await readFile(join(packageRoot, 'package-lock.json'), 'utf8'));
const readme = await readFile(join(packageRoot, 'README.md'), 'utf8');

assert.equal(packageJson.version, '0.1.16');
assert.equal(packageLock.version, '0.1.16');
assert.equal(packageLock.packages[''].version, '0.1.16');
assert.match(readme, /uses: Conalh\/PolicyMesh@v0\.1\.16/);
assert.equal(packageJson.version, '0.1.17');
assert.equal(packageLock.version, '0.1.17');
assert.equal(packageLock.packages[''].version, '0.1.17');
assert.match(readme, /uses: Conalh\/PolicyMesh@v0\.1\.17/);
});

test('package metadata supports OSS discovery', async () => {