Skip to content

Fix flag resolution, router model routing, and schema validation fail-open #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Fix flag resolution, router model routing, and schema validation fail-open #2

Copilot wants to merge 2 commits into from

Conversation

Copy link

Copilot AI commented Jan 12, 2026
edited
Loading

Three bugs: (1) --dry-run default true blocks --apply/--exec execution paths, (2) router ignores model in routing.by_task, (3) schema validation silently skips if validator fails to load.

Flag Resolution (Critical)

  • Track explicit --dry-run via Changed() in PersistentPreRunE
  • ResolveFlags() auto-disables dry-run when --apply or --exec set
  • Fail-closed: reject --dry-run + --apply/--exec conflicts
// Before: --apply never reaches sandbox execution
if dryRun { return } // always true by default

// After: --apply auto-disables dry-run
if apply { dryRun = false }

Router Model Propagation

  • New RouteDecision{Provider, Model} replaces provider-only routing
  • routing.by_task[task].model now propagates to provider requests
  • lock_model overrides routing model
  • Model validated against providers.<x>.models allowlist—fails immediately if not present
// FixRequest now accepts ModelOverride
reqWithModel.ModelOverride = decision.Model

Schema Validation Fail-Closed

  • Lazy-init shared validator instance
  • parseFixPlan() rejects if validator unavailable (was: silently skip)
  • Consistent across OpenAI, Anthropic, Gemini providers
// Before: fail-open
validator, err := plan.NewSchemaValidator()
if err == nil { validator.Validate(&fixPlan) }

// After: fail-closed
if err != nil { return nil, fmt.Errorf("schema validator unavailable: %w", err) }

All changes include table-driven unit tests.

Original prompt

You are GitHub Copilot acting as a senior Go engineer.

Context:
This repository is "Jermator", a Linux-first, command-centric terminal repair tool.
It must NOT become an autonomous agent. It only plans and executes terminal commands
under strict policy gates. Safety is fail-closed.

Your task is to implement fixes for three known issues. Do NOT add new features.
Do NOT redesign architecture. Only fix what is specified.

========================================
ISSUE 1 — Flag Resolution Bug (CRITICAL)

Problem:
--dry-run is default true and blocks --apply and --exec.
Currently, even when users pass --apply or --exec, the code returns early
in dry-run mode and never executes sandbox/live logic.

Required behavior:

  1. Default mode should be dry-run ONLY when neither --apply nor --exec is set.
  2. If --apply is set:
    • dry-run must be automatically disabled
    • sandbox execution must run (subject to policy)
  3. If --exec is set:
    • dry-run must be automatically disabled
    • live execution path must be entered (with confirmation)
  4. If user explicitly sets --dry-run together with --apply or --exec:
    • reject with a clear error (fail-closed)

Acceptance:

  • Fix flag resolution logic in cmd/jerm/main.go
  • processFailure must correctly reach sandbox/live execution
  • Add table-driven unit tests for flag combinations

========================================
ISSUE 2 — Routing Uses Provider Only, Ignores Model

Problem:
Config routing.by_task supports {provider, model}, but router only selects provider.
Model override is ignored; providers always use their default model.

Required behavior:

  1. Router must return both Provider AND Model (RouteDecision).
  2. If routing.by_task[task].model is set:
    • that model must be used for the LLM request
  3. If lock_model=true:
    • routing model overrides must be ignored
  4. If the routed model is not in providers..models allowlist:
    • fail immediately (do NOT silently fallback)

Acceptance:

  • Update internal/providers/router.go to propagate model decisions
  • Update provider request builders to accept per-call model override
  • Add unit tests for:
    • model override via routing
    • lock_model behavior
    • invalid model rejection

========================================
ISSUE 3 — FixPlan Schema Validation Can Fail-Open

Problem:
If the FixPlan JSON schema validator fails to load,
providers may accept unvalidated LLM output (fail-open).

Required behavior:

  1. Schema validation must be fail-closed.
  2. If schema validator cannot be initialized:
    • LLM planning must be rejected with a clear error
  3. If FixPlan JSON does not conform to schema:
    • reject and allow router fallback
  4. Validation logic must be consistent across OpenAI, Anthropic, Gemini providers.

Acceptance:

  • Initialize schema validator once (shared or injected)
  • Providers must refuse to parse plans if validator is unavailable
  • Add unit tests covering:
    • validator init failure
    • invalid schema rejection
    • valid plan acceptance

========================================
CONSTRAINTS

  • Do NOT add new CLI flags.
  • Do NOT change user-facing semantics beyond what is required.
  • Do NOT add networking, agents, retries, or chat loops.
  • Keep changes minimal and well-scoped.
  • All changes must compile and pass go test ./....

========================================
OUTPUT

  • Implement fixes in code.
  • Add/adjust unit tests.
  • Briefly summarize changes at the end.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Summary by cubic

Fixes the dry-run flag blocking apply/exec, adds model-aware routing, and makes FixPlan validation fail-closed to prevent unsafe execution.

  • Bug Fixes
    • CLI flags (cmd/jerm/main.go)
      • Dry-run defaults only when neither --apply nor --exec is set.
      • --dry-run combined with --apply or --exec is rejected with a clear error.
      • processFailure now reaches sandbox/live paths for --apply/--exec as intended.
    • Routing (internal/providers/router.go and providers)
      • Router returns both provider and model (RouteDecision).
      • routing.by_task model is honored unless lock_model=true.
      • Routed model must be in the provider’s allowlist; no silent fallback.
      • Provider request builders accept per-call model overrides.
    • FixPlan validation
      • Validator is initialized once and required; providers refuse plans if unavailable.
      • Non-conformant plans are rejected; behavior is consistent across OpenAI, Anthropic, and Gemini.
    • Tests
      • Added table-driven tests for flag combinations, routing model overrides/lock_model/invalid model, and validator init failure/invalid schema/valid plan.

Written for commit 217c16f. Summary will update on new commits.

@coderabbitai
Copy link

coderabbitai bot commented Jan 12, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI changed the title [WIP] Fix flag resolution bug for terminal commands Fix flag resolution, router model routing, and schema validation fail-open Jan 12, 2026
Copilot AI requested a review from fentz26 January 12, 2026 06:17
@fentz26
Copy link
Owner

fentz26 commented Jan 12, 2026

@claude

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@fentz26 fentz26 fentz26 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@fentz26 fentz26

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fentz26