FF1 Agent / Tasks / ff1-agent-8qc

Last built: 2026-04-11 03:12 UTC

Site generator — more information

closed ff1-agent-8qc P1

Description

There's a lot of information in the json files for the tasks, like reviews, summaries, tests - all of that information should be shown on the task detail page.

Labels

test

Dependencies

No dependencies.

Artifacts

Summary

Enhanced task detail page to load and display artifact JSON files (summary.json, tests.json, review.json, adversarial.json) from data/dev/task-artifacts/<task_id>/. Added _load_artifacts() method to SiteGenerator with path-traversal protection (blocks relative '..' and absolute path task IDs). Updated dev/task.html template to render all four artifact sections with collapsible details. Added CSS for artifact UI components. Fixed 2 security bugs found by adversarial testing (relative and absolute path traversal in artifact dir lookup).

Status: complete

Tests

179 total 14 new 62 adversarial All passing
Test categories (14)
  • _load_artifacts returns parsed content for all four artifact files
  • _load_artifacts returns None for missing artifact directory
  • _load_artifacts returns None for partial file presence
  • _load_artifacts handles malformed JSON without crashing
  • Task detail shows summary text from summary.json
  • Task detail shows total_tests count from tests.json
  • Task detail shows review verdict from review.json
  • Task detail shows adversarial tests_written from adversarial.json
  • Task detail shows individual review issues (nested list)
  • Task detail shows individual adversarial bugs (nested list)
  • Task detail fallback message when no artifacts present
  • Task detail partial artifact presence renders only present blocks
  • Task detail all_passing=false shows 'Some failing'
  • build() succeeds when artifact JSON is malformed

Code Review

Verdict: APPROVED

Critical issues: 0 found, 0 fixed

Issues (3)
  • WARNING critical_issues_fixed rendered without existence guard — If review.json has critical_issues_found but omits critical_issues_fixed, renders as 'N found, fixed'. Non-crashing but misleading.
  • WARNING Missing .severity-note CSS class — Review issues with severity NOTE would render with unstyled badge. fixed
  • NOTE test-review.json not displayed — Spec lists test-review.json as a fifth artifact type. Not loaded or displayed.

Adversarial Testing

62 tests written 2 bugs found 2 bugs fixed
Bugs (2)
  • SECURITY test_path_traversal_task_id_does_not_escape_artifacts_dir — task_id '..' resolves to dev/ directory which is_dir() passes; code reads dev/summary.json etc. as if they were artifact files for that task.
    Fix: Resolve both artifacts_root and candidate dir; reject if candidate path doesn't start with artifacts_root + '/'
  • SECURITY test_path_traversal_absolute_path_as_task_id — pathlib Path division discards left operand for absolute right operand. task_id='/tmp/victim' causes _load_artifacts to open files from /tmp/victim/ anywhere on disk.
    Fix: Same resolve-and-check fix catches absolute paths — resolved path won't start with artifacts_root