
fix: roll up contributor validation, HTML, and release gate fixes#403

Merged: maziyarpanahi merged 3 commits into master from bugfix/contributor-fix-rollup on Jun 19, 2026

Conversation

@maziyarpanahi (Owner) commented Jun 19, 2026

Summary

  • preserve the contributor commits for the CJK validation, HTML escaping, and release-gate candidate fixes in one branch
  • keep the TUI fallback change out because it fails the current CLI fallback test and remains closed separately

Verification

  • .venv/bin/python -m pytest tests/ -q (1614 passed, 1 skipped)
  • .venv/bin/python scripts/release/check_license_policy.py
  • .venv/bin/python scripts/release/check_repo_policy.py
  • CI passed for repo-policy, security, secret-scan, test matrix, and build

Closes #391
Closes #392
Closes #396

The _contains_suspicious_content regex [^\x00-\x7F]{50,} was designed
to catch binary/encoded content but also rejects legitimate CJK
(Japanese, Chinese, Korean) clinical text, which doesn't use spaces
between words. Japanese is an explicitly supported PII language.

Replace the blanket non-ASCII rejection with a targeted check for
control characters only ([\x00-\x08\x0e-\x1f\x7f]{10,}).
The existing checks for repeated characters (100+) and excessive
special char ratio (>0.5) already catch real binary/encoded content.

Fixes #391
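Worked example, added here as an illustration and not code from the repository: the pre-fix and post-fix forms of the check described above, side by side. The regexes are the two quoted in the commit message; the repeated-character and special-character-ratio checks are reconstructed from the one-line descriptions given there (100+ identical characters, ratio above 0.5), so their exact definitions are assumptions, as are the sample inputs.

```python
import re

# Pre-fix check (from the commit message): any run of 50 or more non-ASCII
# characters is treated as suspicious. CJK prose has no spaces, so a single
# clinical sentence trips it.
_LEGACY_NON_ASCII_RUN = re.compile(r"[^\x00-\x7F]{50,}")

# Post-fix check: only runs of 10 or more C0/DEL control characters. Tab, LF,
# VT, FF and CR (\x09-\x0d) are left out of the class because they occur in
# ordinary text.
_CONTROL_CHAR_RUN = re.compile(r"[\x00-\x08\x0e-\x1f\x7f]{10,}")

# The two checks the commit message says already catch binary/encoded content.
# Their exact definitions in the project are not on the page; these are assumed.
_REPEATED_CHAR_RUN = re.compile(r"(.)\1{99,}")   # 100+ identical characters in a row
SPECIAL_CHAR_RATIO_LIMIT = 0.5                   # more than half non-alphanumeric, non-space


def _special_char_ratio(text: str) -> float:
    """Fraction of characters that are neither alphanumeric nor whitespace.

    str.isalnum() is True for CJK ideographs and kana, so Japanese prose does
    not inflate this ratio (assumed definition, see lead-in).
    """
    if not text:
        return 0.0
    special = sum(1 for ch in text if not (ch.isalnum() or ch.isspace()))
    return special / len(text)


def contains_suspicious_content_legacy(text: str) -> bool:
    """Behaviour before the fix: long non-ASCII runs plus the shared checks."""
    return bool(
        _LEGACY_NON_ASCII_RUN.search(text)
        or _REPEATED_CHAR_RUN.search(text)
        or _special_char_ratio(text) > SPECIAL_CHAR_RATIO_LIMIT
    )


def contains_suspicious_content(text: str) -> bool:
    """Behaviour after the fix: control-character runs replace the non-ASCII run."""
    return bool(
        _CONTROL_CHAR_RUN.search(text)
        or _REPEATED_CHAR_RUN.search(text)
        or _special_char_ratio(text) > SPECIAL_CHAR_RATIO_LIMIT
    )


# Constructed samples (not from the project's test suite).
JAPANESE_CLINICAL_NOTE = (
    "患者は昨日より発熱と咳嗽を訴え来院した。"
    "既往歴に高血圧症があり降圧薬を内服中である。"
    "身体所見では咽頭発赤を認めた。"
)  # 57 consecutive non-ASCII characters, no spaces
CONTROL_CHAR_BLOB = (
    "Patient summary attached below for review by the clinic staff: "
    + "\x00\x01\x02\x03\x04\x05\x06\x07\x0e\x0f\x10\x11"   # 12 control characters
    + " end of record"
)
REPEATED_CHAR_BLOB = "A" * 150
SYMBOL_HEAVY_BLOB = "!@#$%^&*()" * 10


def evaluate_samples() -> dict:
    """Return {sample_name: (legacy_rejects, fixed_rejects)} for the samples above."""
    samples = {
        "japanese_clinical_note": JAPANESE_CLINICAL_NOTE,
        "control_char_blob": CONTROL_CHAR_BLOB,
        "repeated_char_blob": REPEATED_CHAR_BLOB,
        "symbol_heavy_blob": SYMBOL_HEAVY_BLOB,
    }
    return {
        name: (contains_suspicious_content_legacy(s), contains_suspicious_content(s))
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, (legacy, fixed) in evaluate_samples().items():
        print(f"{name:24s} legacy_rejects={legacy!s:5s} fixed_rejects={fixed}")
```

The Japanese note is rejected only by the legacy regex; the repeated-character and symbol-heavy blobs are rejected by both versions through the shared checks, which is the commit message's argument that the non-ASCII run was redundant for real binary content. The control-character blob has a low special-character ratio, so in this reconstruction only the new pattern flags it.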
…t XSS

The to_html method inserted user-controlled values (result.text,
entity.label, entity.text, result.model_name, result.timestamp)
directly into HTML without escaping. This allows cross-site scripting
when the HTML output is rendered in a browser.

Add html.escape() to all user-controlled values before embedding
them in HTML. Use 'import html as html_mod' to avoid shadowing the
local 'html' variable used for building the output string.

Fixes #392
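Worked example, added here and not the project's own to_html: a minimal result/entity pair with the pre-fix interpolation beside the escaped form, using the `import html as html_mod` alias the commit message describes so the module is not shadowed by the local `html` string being built. The field names (text, label, model_name, timestamp) are the ones listed above; the markup layout and the sample values are constructed.

```python
import html as html_mod  # aliased: the methods below build their output in a local named `html`
from dataclasses import dataclass, field


@dataclass
class Entity:
    label: str
    text: str


@dataclass
class DetectionResult:
    text: str
    model_name: str
    timestamp: str
    entities: list = field(default_factory=list)

    def to_html_unsafe(self) -> str:
        """Pre-fix shape: user-controlled values interpolated verbatim (kept for comparison only)."""
        html = f"<div class='result' data-model='{self.model_name}' data-ts='{self.timestamp}'>"
        html += f"<p>{self.text}</p><ul>"
        for entity in self.entities:
            html += f"<li><span class='label'>{entity.label}</span>: {entity.text}</li>"
        html += "</ul></div>"
        return html

    def to_html(self) -> str:
        """Post-fix shape: every value passes through html.escape.

        html.escape defaults to quote=True, so both ' and " are encoded and the
        values are safe inside quoted attributes as well as in element text.
        """
        esc = html_mod.escape
        html = f"<div class='result' data-model='{esc(self.model_name)}' data-ts='{esc(self.timestamp)}'>"
        html += f"<p>{esc(self.text)}</p><ul>"
        for entity in self.entities:
            html += f"<li><span class='label'>{esc(entity.label)}</span>: {esc(entity.text)}</li>"
        html += "</ul></div>"
        return html


# Constructed sample whose fields carry markup, as they would if the detector's
# input document had been untrusted.
SAMPLE = DetectionResult(
    text="Patient name: <script>alert(1)</script> Doe",
    model_name="ner-v1'",
    timestamp="2026-06-19T00:00:00Z",
    entities=[Entity(label='NAME"', text="<b>Doe</b>")],
)


def markup_survives(rendered: str) -> bool:
    """True if a raw tag or an unescaped quote from SAMPLE is still present in the output."""
    return any(token in rendered for token in ("<script>", "<b>", "ner-v1'", 'NAME"'))


if __name__ == "__main__":
    print("unsafe output keeps markup:", markup_survives(SAMPLE.to_html_unsafe()))
    print("escaped output keeps markup:", markup_survives(SAMPLE.to_html()))
    print(SAMPLE.to_html())
```

Escaping at the point of insertion, rather than on input, is the right place for this class of fix: the same entity text may be rendered to JSON, CSV or a terminal, and only the HTML writer knows which characters are special there.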
…396)

When the nightly cron runs the release-gates workflow without a
candidate report file (artifacts/release-candidate.json), the gate
harness previously raised FileNotFoundError which was caught by the
generic exception handler and opened a spurious tracking issue.

Changes:
- Add early file-existence check in main() that exits cleanly (rc=0)
  when the candidate report file does not exist, instead of letting
  FileNotFoundError propagate to the issue-creating error handler.
- Update the release-gates workflow to check for the candidate file
  before running the gate, skipping all gate steps when absent.
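Worked example of the first change above (the harness side, not the workflow YAML), added here and not the project's own gate code: a stand-in gate runner with the generic exception handler the commit message describes, shown before and after the early file-existence check. The report path is the one named above; the report format, the gate logic and the issue-creating handler are assumptions, with the handler reduced to an in-memory log so the example runs offline.

```python
import json
import tempfile
from pathlib import Path

# Path named in the commit message; everything else here is a stand-in.
CANDIDATE_REPORT = Path("artifacts/release-candidate.json")

ISSUE_LOG: list = []  # stand-in for the handler that opens a tracking issue


def open_tracking_issue(exc: BaseException) -> None:
    """Assumed error handler: records what the real one would file as an issue."""
    ISSUE_LOG.append(f"release-gates failed: {type(exc).__name__}: {exc}")


def run_gate(report_path: Path) -> int:
    """Assumed gate: the candidate passes when every check in the report passed."""
    report = json.loads(report_path.read_text())
    failed = [name for name, ok in report.get("checks", {}).items() if not ok]
    return 0 if not failed else 1


def main_legacy(report_path: Path = CANDIDATE_REPORT) -> int:
    """Pre-fix shape: a missing report raises FileNotFoundError inside the generic handler,
    which cannot tell an absent candidate from a broken gate and files an issue for both."""
    try:
        return run_gate(report_path)
    except Exception as exc:  # the generic handler the commit message describes
        open_tracking_issue(exc)
        return 1


def main(report_path: Path = CANDIDATE_REPORT) -> int:
    """Post-fix shape: absence of a candidate is a normal outcome, handled before the try."""
    if not report_path.exists():
        print(f"no candidate report at {report_path}; skipping release gates")
        return 0
    try:
        return run_gate(report_path)
    except Exception as exc:
        open_tracking_issue(exc)
        return 1


def demo() -> dict:
    """Run both entry points against a missing, then a present, report in a temp dir."""
    ISSUE_LOG.clear()
    with tempfile.TemporaryDirectory() as tmp:
        report = Path(tmp) / "release-candidate.json"
        legacy_rc = main_legacy(report)
        issues_after_legacy = len(ISSUE_LOG)
        fixed_rc = main(report)
        issues_after_fixed = len(ISSUE_LOG) - issues_after_legacy
        # Constructed passing report, to show the normal path still works.
        report.write_text(json.dumps({"checks": {"tests": True, "license": True}}))
        present_rc = main(report)
    return {
        "legacy_missing_rc": legacy_rc,
        "legacy_issues_opened": issues_after_legacy,
        "fixed_missing_rc": fixed_rc,
        "fixed_issues_opened": issues_after_fixed,
        "fixed_present_rc": present_rc,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The general point the fix makes is that a catch-all handler whose side effect is an alert should only see conditions that are genuinely unexpected; every expected no-op (no candidate tonight, feature disabled, nothing to do) belongs in an explicit check ahead of it, or the alert channel fills with noise that trains people to ignore it.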
maziyarpanahi merged commit 2ed6d4e into master Jun 19, 2026
11 checks passed