Address PR R0 P3s: bootstrap placeholder + hardening test coverage

igerber · claude · igerber · commit 6c8c67d78e21 · 2026-05-12T20:49:37.000-04:00
P3 #1 (Maintainability): The bootstrap-skip branch — when BASE_SHA does not yet contain `tools/notebook_md_extract.py` and the PR touches tutorials — previously only logged "skipped" to stdout without emitting anything to the compiled prompt. The reviewer would see no prose section AND no indication why. Restructured the prose-extraction block so CHANGED_NB is computed unconditionally, and added an `elif [ -n "$CHANGED_NB" ]` branch that emits a `<notebook-prose untrusted="true">` placeholder explaining the one-shot bootstrap state and listing the changed tutorial files. This PR itself is the bootstrap case but doesn't touch tutorials, so the path is currently exercised only structurally; the first tutorial-touching PR after merge stops triggering this branch entirely. P3 #2 (Tech Debt): Extended `TestWorkflowPromptHardening` with two parametrized-style tests mirroring the existing `<pr-title>`/`<pr-body>` coverage: one asserts the `<notebook-prose untrusted="true">` wrapper + closing tag are present in the workflow YAML; the other asserts the sanitizer escapes `</notebook-prose>` to `&lt;/notebook-prose&gt;`. A future workflow edit that drops the wrapper or sanitizer for the new tag now fails the test suite. All 16 tests in TestWorkflowPromptHardening + test_notebook_md_extract pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/ai_pr_review.yml b/.github/workflows/ai_pr_review.yml
@@ -260,9 +260,9 @@ jobs:
           # the prompt within input budget. Fail-soft per notebook: a
           # malformed one degrades to a placeholder line rather than killing
           # the AI review job.
+          CHANGED_NB=$(git --no-pager diff --name-only "$BASE_SHA" "$HEAD_SHA" \
+            -- 'docs/tutorials/*.ipynb' 2>/dev/null || true)
           if [ -f /tmp/notebook_md_extract.py ]; then
-            CHANGED_NB=$(git --no-pager diff --name-only "$BASE_SHA" "$HEAD_SHA" \
-              -- 'docs/tutorials/*.ipynb' 2>/dev/null || true)
             if [ -n "$CHANGED_NB" ]; then
               : > /tmp/notebook-prose.md
               while IFS= read -r nb; do
@@ -295,6 +295,27 @@ jobs:
                 echo "</notebook-prose>"
               } >> "$PROMPT"
             fi
+          elif [ -n "$CHANGED_NB" ]; then
+            # Bootstrap-skip path: the trusted extractor does not yet exist
+            # on BASE_SHA (one-shot for the PR that introduces it), but the
+            # PR touches tutorial notebooks. Emit an in-prompt placeholder
+            # so the reviewer knows prose extraction was intentionally
+            # skipped (vs silently absent).
+            {
+              echo ""
+              echo "<notebook-prose untrusted=\"true\">"
+              echo "Tutorial notebook prose extraction was SKIPPED for this run:"
+              echo "the notebook extractor (tools/notebook_md_extract.py) does"
+              echo "not yet exist on BASE_SHA. This is the one-shot bootstrap"
+              echo "state for the PR that introduces the extractor;"
+              echo "subsequent tutorial-touching PRs after that PR merges will"
+              echo "see full prose."
+              echo ""
+              echo "Changed tutorial files (raw .ipynb JSON is excluded from"
+              echo "the unified diff above; review the diff directly if needed):"
+              printf '%s\n' "$CHANGED_NB"
+              echo "</notebook-prose>"
+            } >> "$PROMPT"
           fi
 
       - name: Run Codex
diff --git a/tests/test_openai_review.py b/tests/test_openai_review.py
@@ -1754,6 +1754,33 @@ def test_workflow_sanitizes_pr_body_closing_tag(self):
         assert "&lt;/pr-body&gt;" in text
         assert "&lt;/previous-ai-review-output&gt;" in text
 
+    def test_workflow_wraps_notebook_prose_with_untrusted_attr(self):
+        """Tutorial notebook prose extracted from changed .ipynb files is
+        PR-controlled and must be wrapped in <notebook-prose untrusted="true">
+        — same pattern as <pr-title>/<pr-body>/<previous-ai-review-output>."""
+        assert _SCRIPT_PATH is not None
+        repo_root = _SCRIPT_PATH.parent.parent.parent
+        wf = repo_root / ".github" / "workflows" / "ai_pr_review.yml"
+        if not wf.exists():
+            pytest.skip("workflow not found")
+        text = wf.read_text()
+        # Shell uses backslash-escaped quotes inside the YAML literal block.
+        assert r'<notebook-prose untrusted=\"true\">' in text
+        assert "</notebook-prose>" in text
+
+    def test_workflow_sanitizes_notebook_prose_closing_tag(self):
+        """Notebook content is PR-controlled — adversarial markdown
+        containing literal </notebook-prose> must be escaped so the
+        wrapper cannot be closed early. Mirrors the pr-body /
+        previous-ai-review-output sanitization."""
+        assert _SCRIPT_PATH is not None
+        repo_root = _SCRIPT_PATH.parent.parent.parent
+        wf = repo_root / ".github" / "workflows" / "ai_pr_review.yml"
+        if not wf.exists():
+            pytest.skip("workflow not found")
+        text = wf.read_text()
+        assert "&lt;/notebook-prose&gt;" in text
+
 
 class TestWorkflowCommentPosting:
     """The workflow has TWO rerun-detection gates that must agree:
