
RHOAIENG-64892: CVE-2026-48710 rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9: Starlette: Security restriction bypass via malformed HTTP Host header [rhoai-3.3] #3752

Closed
jira-autofix[bot] wants to merge 4 commits into main from autofix/rhoaieng-64892


Conversation


@jira-autofix jira-autofix Bot commented May 27, 2026

Summary by CodeRabbit

  • Chores

    • Updated CVE tracking reference in dependency constraints; added a local ignore entry.
  • Documentation

    • Added agent skills README, a comprehensive agents testing guide, and an operational CVE-autofix guide.
    • Rewrote the AI agents entry point into a concise onboarding guide.
    • Clarified architecture, contributing, Konflux, subscribed-builds, and README (updated prerequisites and lock-file guidance) for build/test and downstream vs midstream workflows.

@openshift-ci openshift-ci Bot requested review from atheo89 and daniellutz May 27, 2026 23:51

openshift-ci Bot commented May 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign atheo89 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the size/xs label May 27, 2026
@github-actions github-actions Bot added the review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel label May 27, 2026

openshift-ci Bot commented May 27, 2026

Hi @jira-autofix[bot]. Thanks for your PR.

I'm waiting for an opendatahub-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


coderabbitai Bot commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 803631f7-b00b-47d8-b4e1-2aa300bc242e

📥 Commits

Reviewing files that changed from the base of the PR and between ee93684 and 0f384ea.

📒 Files selected for processing (2)
  • CONTRIBUTING.md
  • docs/cves/agents-cve-autofix.md
✅ Files skipped from review due to trivial changes (2)
  • docs/cves/agents-cve-autofix.md
  • CONTRIBUTING.md

📝 Walkthrough

This PR updates the Starlette CVE tracking comment above the existing starlette>=1.0.1 constraint to reference RHOAIENG-64892, adds .agents/skills/README.md, rewrites AGENTS.md as a concise entry point, expands CONTRIBUTING.md and docs/agents/testing.md, and clarifies KONFLUX/ODH vs RHOAI build/pipeline conventions across ARCHITECTURE.md, docs/konflux.md, and docs/subscribed-builds.md; it also adds docs/cves/agents-cve-autofix.md and a small .gitignore tweak.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. No pull request description was provided; required sections (Description, Testing, Checklist) are entirely missing. Resolution: add a description including what changes were made, how the fix addresses CVE-2026-48710, testing confirmation, and the required self-checklist items.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. Title uses imperative mood and includes ticket reference RHOAIENG-64892, but does not follow the preferred format (: : ).
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Branch Prefix Policy: ✅ Passed. PR authored by jira-autofix[bot] is exempt from branch prefix policy per instructions: "PRs authored by bot accounts" are excluded from validation.


✨ Finishing Touches
⚔️ Resolve merge conflicts
  • Resolve merge conflict in branch autofix/rhoaieng-64892


codecov-commenter commented May 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 27.46%. Comparing base (559edc1) to head (ee93684).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

@@           Coverage Diff           @@
##             main    #3752   +/-   ##
=======================================
  Coverage   27.46%   27.46%           
=======================================
  Files          38       38           
  Lines        4064     4064           
  Branches      670      670           
=======================================
  Hits         1116     1116           
  Misses       2859     2859           
  Partials       89       89           
Flag Coverage Δ
python 27.46% <ø> (ø)




Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 559edc1...ee93684.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@dependencies/cve-constraints.txt`:
- Around line 25-27: The file contains duplicate CVE tracking comments for
CVE-2026-48710 (RHAIENG-5355 and RHOAIENG-64892) above the starlette constraint;
remove the redundant comment so only a single CVE tracking line remains (e.g.,
keep the RHOAIENG-64892 comment and delete the RHAIENG-5355 line) and leave the
existing starlette>=1.0.1 constraint unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: cb2b07a2-1812-4059-b797-e1e11ed130dc

📥 Commits

Reviewing files that changed from the base of the PR and between 559edc1 and 5f406e0.

📒 Files selected for processing (1)
  • dependencies/cve-constraints.txt
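
The duplicate-tracker finding above is a file-hygiene check that is easy to automate. What follows is an added example written for this page, not code from the project this PR targets or from CodeRabbit. It assumes a pip constraints file in which `# <TRACKER>: <CVE-ID> ...` comment lines sit directly above the pin they justify (the review describes exactly that layout around `starlette>=1.0.1`), parses it, reports any CVE cited by two trackers above one pin, and checks an installed version set (as `pip freeze` would report it) against the pins. The sample file content, the `somepkg` pin and the `CVE-2025-00001` id are constructed for the example; the real layout of `dependencies/cve-constraints.txt` beyond the `starlette>=1.0.1` line is not shown on this page.

```python
"""Lint a pip constraints file that carries CVE tracking comments.

Added example for this page, not code from the project under review.
Assumed layout: one or more "# <TRACKER>: <CVE-ID> ..." comment lines
directly above the constraint they justify (e.g. starlette>=1.0.1).
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
TRACKER_RE = re.compile(r"\bRH[A-Z]*ENG-\d+\b")   # RHAIENG-1234 / RHOAIENG-1234
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|!=|>|<)\s*([0-9][0-9A-Za-z.]*)\s*$"
)

# Constructed sample (assumption): two tracker comments cite one CVE above a pin,
# mirroring the reviewer's finding. somepkg and CVE-2025-00001 are made up.
SAMPLE_CONSTRAINTS = """\
# RHAIENG-5355: CVE-2026-48710 starlette host header bypass
# RHOAIENG-64892: CVE-2026-48710 starlette host header bypass
starlette>=1.0.1

# RHOAIENG-11111: CVE-2025-00001 constructed example pin
somepkg==2.3.4
"""


def parse_constraints(text):
    """Return one dict per constraint: name, op, version, line, trackers.

    trackers is a list of (tracker_id, cve_id) pairs taken from the comment
    lines immediately above the constraint; a blank line resets the buffer so
    a stray comment does not get attached to an unrelated pin.
    """
    entries, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            pending = []
            continue
        if line.startswith("#"):
            cve = CVE_RE.search(line)
            trk = TRACKER_RE.search(line)
            if cve:
                pending.append((trk.group() if trk else None, cve.group()))
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unsupported constraint syntax: {line!r}")
        name, op, ver = m.groups()
        entries.append({"name": name.lower(), "op": op, "version": ver,
                        "line": lineno, "trackers": pending})
        pending = []
    return entries


def duplicate_trackers(entries):
    """Map (package, CVE) -> trackers when one CVE is cited more than once
    above the same pin; this is the redundancy the review flagged."""
    dups = {}
    for e in entries:
        seen = {}
        for trk, cve in e["trackers"]:
            seen.setdefault(cve, []).append(trk)
        for cve, trks in seen.items():
            if len(trks) > 1:
                dups[(e["name"], cve)] = trks
    return dups


def _key(version):
    # Numeric-only comparison; pre-release suffixes are treated as 0 (assumption).
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def satisfies(installed, op, spec):
    """True when `installed` meets `<op><spec>` under numeric dotted comparison."""
    a, b = _key(installed), _key(spec)
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return {">=": a >= b, "<=": a <= b, "==": a == b,
            "!=": a != b, ">": a > b, "<": a < b}[op]


def violations(entries, installed):
    """Return (name, installed_version, op, spec) for every pin that an
    installed package (mapping name -> version) fails to satisfy."""
    out = []
    for e in entries:
        have = installed.get(e["name"])
        if have is not None and not satisfies(have, e["op"], e["version"]):
            out.append((e["name"], have, e["op"], e["version"]))
    return out


if __name__ == "__main__":
    entries = parse_constraints(SAMPLE_CONSTRAINTS)
    for (name, cve), trks in duplicate_trackers(entries).items():
        print(f"{name}: {cve} tracked twice: {', '.join(trks)}")
    for v in violations(entries, {"starlette": "1.0.0", "somepkg": "2.3.4"}):
        print("unsatisfied pin: %s %s, need %s%s" % v)
```

Run against the constructed sample it reports the starlette CVE as tracked twice and the 1.0.0 install as failing the `>=1.0.1` pin. The version comparison is deliberately numeric only; a check wired into CI should use the `packaging` library's version parser so that pre-release and post-release suffixes compare correctly.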

@openshift-ci openshift-ci Bot added size/xs and removed size/xs labels May 30, 2026
Remove scope creep from CVE fix branch. Only the comment update
in dependencies/cve-constraints.txt is relevant to CVE-2026-48710.
@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CONTRIBUTING.md`:
- Around line 106-108: Update the stale wording in CONTRIBUTING.md: change the
phrase "A fuller test-catalog document is planned in [issue `#3174`] as
`docs/agents/testing.md`." to reflect that docs/agents/testing.md now exists
(e.g., "See the test-catalog: docs/agents/testing.md" or similar active
reference), and ensure the link to issue `#3174` remains or is adjusted to point
to the new doc; update any nearby wording that implies the guide is pending so
CONTRIBUTING.md and the reference to docs/agents/testing.md are accurate and
current.

In `@docs/cves/agents-cve-autofix.md`:
- Around line 47-49: The doc contains conflicting verdict mappings for the same
dedup condition ("fix already present") — one place maps it to `already_fixed`
and another to `no_changes`; choose a single canonical verdict (prefer
`already_fixed` or `no_changes`) and update all instances so they are consistent
(including the sentence that begins "Check `dependencies/cve-constraints.txt`
..." and the other occurrences referenced around lines that map this condition)
by replacing the incorrect token with the chosen canonical token so the operator
behavior and run outcomes are deterministic.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3babf947-a0e0-4b53-880e-547c1b50e72d

📥 Commits

Reviewing files that changed from the base of the PR and between 44d42f8 and ee93684.

📒 Files selected for processing (10)
  • .agents/skills/README.md
  • .gitignore
  • AGENTS.md
  • ARCHITECTURE.md
  • CONTRIBUTING.md
  • README.md
  • docs/agents/testing.md
  • docs/cves/agents-cve-autofix.md
  • docs/konflux.md
  • docs/subscribed-builds.md
✅ Files skipped from review due to trivial changes (3)
  • .agents/skills/README.md
  • .gitignore
  • README.md

…ping

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

openshift-ci Bot commented May 31, 2026

PR needs rebase.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added size/xl and removed size/xl labels May 31, 2026
@ide-developer (Collaborator) commented

Closing — per-image RHOAIENG CVE trackers are now triaged as not_fixable via AGENTS.md instructions (PR #3780). The centralized fix for CVE-2026-48710 is already in dependencies/cve-constraints.txt on main. Release branch fixes are tracked via RHAIENG parent trackers.

@ide-developer ide-developer deleted the autofix/rhoaieng-64892 branch May 31, 2026 06:50

Labels

needs-ok-to-test needs-rebase review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel size/xl


2 participants