Skip to content

docs(#346): add secure HTTP client guidance to AGENTS.md#501

Open
fullsend-ai-coder[bot] wants to merge 1 commit into
mainfrom
agent/346-secure-http-client-guidance
Open

docs(#346): add secure HTTP client guidance to AGENTS.md#501
fullsend-ai-coder[bot] wants to merge 1 commit into
mainfrom
agent/346-secure-http-client-guidance

Conversation

@fullsend-ai-coder

Copy link
Copy Markdown

Document SSRF-hardened client requirements for outbound HTTP requests in AGENTS.md and add corresponding SSRF review category to the security review sub-agent.


Closes #346

Post-script verification

  • Branch is not main/master (agent/346-secure-http-client-guidance)
  • Secret scan passed (gitleaks — b776cf6006a12016eaa21412dc65a3001100e801..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox

Document SSRF-hardened client requirements for outbound HTTP requests
in AGENTS.md and add corresponding SSRF review category to the
security review sub-agent.

Closes #346
@github-actions

Copy link
Copy Markdown

E2E tests did not run

E2E tests run automatically for org/repo members and collaborators on pull requests.

For other contributors, a maintainer must add the ok-to-test label after the latest push.

See E2E testing guide for details.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 3:12 PM UTC · Completed 3:19 PM UTC
Commit: b776cf6 · View workflow run →

@fullsend-ai-review

Copy link
Copy Markdown

Review — approve

PR: docs(#346): add secure HTTP client guidance to AGENTS.md

Clean docs-only change (+37 lines, 2 files). Adds SSRF-hardened HTTP client guidance to AGENTS.md and a corresponding ssrf review category to the security sub-agent.

Verified

  • Correctness: All code references are accurate — internal/fetch/ exports FetchURL, FetchPolicy, and NewTestPolicy as documented. docs/plans/universal-harness-access.md exists. The claim that http.Get()/http.Post()/http.Head() are convenience wrappers on http.DefaultClient is correct per the Go standard library.
  • Security: No secrets, no injection patterns, no permission changes. The SSRF guidance is sound — covers DNS rebinding, IP validation, HTTPS-only enforcement, and has appropriate severity calibration (medium for hardcoded external URLs, high for user-controlled).
  • Intent & coherence: Aligns with issue [ARCHIVED] Benchmark issue 346 #346. The issue originally referenced internal/repos/manifest.go's fetchManifestURL as the canonical pattern, but the codebase has since evolved to use internal/fetch/ — the PR correctly references the current implementation. Adding the security sub-agent review category is a natural complement, not scope creep.
  • Style: The new AGENTS.md section mirrors the established pattern of the adjacent "Forge abstraction" section (Prohibited / Acceptable / When writing / When reviewing). The ssrf category in security.md follows existing conventions (Category: tag, severity calibration, acceptable-use exceptions).
  • Docs currency: All referenced packages and files exist in the codebase (internal/fetch/, internal/gcp/, internal/forge/github/, docs/plans/universal-harness-access.md).
  • Cross-repo contracts: No exported interfaces modified — skipped.

No findings above the severity threshold.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • AGENTS.md

Labels: PR adds SSRF documentation to AGENTS.md and security sub-agent review guidance

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment documentation Improvements or additions to documentation security labels Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation requires-manual-review Review requires human judgment security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[ARCHIVED] Benchmark issue 346

0 participants