
Releases: Perseus-Computing-LLC/pr-pilot

v0.2.0 — Hardened, deployable

12 Jun 06:11
e0b745e


First hardened, deployable release. Resolves all 14 findings from the 2026-06-12 code review (baseline commit db5068e).

Highlights

Runtime (P0)

  • requirements.txt/pyproject now include stripe + PyJWT; Dockerfile installs the package so manifests cannot drift from runtime imports.
  • Gemini SDK is configured with GEMINI_API_KEY before each call (previously unauthenticated).

Security (P1/P2)

  • Webhook signature verification fails closed; unsigned bypass is opt-in dev only.
  • Webhook returns 202 fast and runs the agent chain in the background with delivery idempotency (no duplicate reviews).
  • LLM-only "auto_approve" never becomes a binding GitHub APPROVE unless verified.
  • Dashboard routes require an admin bearer token (disabled by default); CORS narrowed from "*" to an allowlist.
  • CI workflow no longer runs untrusted PR code with secrets; it runs trusted base code and fetches the diff via API.
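The first two Security items (fail-closed signature verification with a dev-only unsigned bypass, and fast-202 handling with delivery idempotency) are illustrated by the example below. It is added here for these notes and is not pr-pilot's own implementation; the class and function names are assumed, the header names are GitHub's documented X-Hub-Signature-256 and X-GitHub-Delivery, and the secret, body and delivery ids are constructed test data.

```python
import hashlib
import hmac
import json
from typing import Optional

# Illustrative code for these release notes, not pr-pilot's implementation.
# Header names are the ones GitHub sends on every webhook delivery.
SIGNATURE_HEADER = "X-Hub-Signature-256"
DELIVERY_HEADER = "X-GitHub-Delivery"


def sign(secret: bytes, body: bytes) -> str:
    """Produce the header value GitHub would send for this body (used for tests)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: Optional[bytes], body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if header_value is a valid sha256= HMAC over the raw body.

    Fails closed: no secret configured, no header, or wrong prefix all return False.
    """
    if not secret or not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign(secret, body)
    # Constant-time comparison; encoding both sides keeps compare_digest happy
    # even if a client sends non-ASCII junk in the header.
    return hmac.compare_digest(expected.encode(), header_value.encode())


class WebhookReceiver:
    """Validates a delivery, dedupes it, and queues the work for a background worker.

    allow_unsigned_dev is the explicit opt-in development escape hatch (assumed name).
    With the default False, a missing secret or a bad signature is always rejected.
    """

    def __init__(self, secret: Optional[bytes], allow_unsigned_dev: bool = False):
        self.secret = secret
        self.allow_unsigned_dev = allow_unsigned_dev
        self.seen_deliveries: set = set()   # in-memory stand-in; persist this in production
        self.queue: list = []               # stand-in for the background job queue

    def handle(self, headers: dict, body: bytes) -> tuple:
        """Return (http_status, reason) the way the HTTP handler would."""
        delivery_id = headers.get(DELIVERY_HEADER)
        if not delivery_id:
            return 400, "missing delivery id"

        if not verify_signature(self.secret, body, headers.get(SIGNATURE_HEADER)):
            if not self.allow_unsigned_dev:
                return 401, "signature verification failed"
            # Dev only: the operator explicitly opted in, so accept the unsigned payload.

        # Idempotency: GitHub retries deliveries, so the same id must not trigger
        # a second review. Returning 202 again tells GitHub the retry succeeded.
        if delivery_id in self.seen_deliveries:
            return 202, "duplicate delivery ignored"
        self.seen_deliveries.add(delivery_id)

        try:
            event = json.loads(body)
        except ValueError:
            return 400, "invalid json"

        # Heavy work (the agent chain) happens off the request path: enqueue and return.
        self.queue.append({"delivery": delivery_id, "event": event})
        return 202, "accepted"


def demo() -> list:
    """Run the receiver over constructed deliveries and return the status tuples."""
    secret = b"constructed-test-secret"            # constructed, not a real secret
    body = json.dumps({"action": "opened", "number": 1}).encode()
    rx = WebhookReceiver(secret)
    good = {DELIVERY_HEADER: "delivery-1", SIGNATURE_HEADER: sign(secret, body)}
    return [
        rx.handle(good, body),                                                   # accepted
        rx.handle(good, body),                                                   # retry: deduped
        rx.handle({DELIVERY_HEADER: "delivery-2", SIGNATURE_HEADER: sign(b"wrong-key", body)}, body),
        rx.handle({DELIVERY_HEADER: "delivery-3"}, body),                        # no header
        WebhookReceiver(None).handle({DELIVERY_HEADER: "delivery-4"}, body),     # no secret: fail closed
        WebhookReceiver(None, allow_unsigned_dev=True).handle({DELIVERY_HEADER: "delivery-5"}, body),
    ]


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

The two points a reviewer checks here are that the unsigned path is reachable only through an explicit flag that defaults off, and that the duplicate check keys on the delivery id before any work is enqueued; in a real deployment the seen-delivery set and the queue would live in persistent storage shared by all replicas, not in process memory.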

Reliability / correctness (P2/P3)

  • Enforce MAX_DIFF_SIZE_BYTES and bound model calls with AGENT_TIMEOUT_SECONDS.
  • Paginate PR file listing so large PRs are fully reviewed.
  • Stripe price-id validation + sanitized errors.
  • Webhook secret deployed via Secret Manager.

Quality

  • 32 tests passing (23 added this cycle), ruff clean.

Merged in PR #16 and PR #17.