fix(issue): Safety: crossReferenceEvidence commented out, fabricated evidence bypasses check

[jeremymcs]

Summary

• Swapped zero-bash evidence fallback for cross-reference mismatch warning logic and confirmed with focused safety tests passing.

Verification

• Completed in the repository worktree before push.

Related Issue

• Closes Safety: crossReferenceEvidence commented out, fabricated evidence bypasses check #5938
• #5938 Safety: crossReferenceEvidence commented out, fabricated evidence bypasses check

Repo

• gsd-build/gsd-2

Branch

• issue/5938-safety-crossreferenceevidence-commented--1778892810

Summary by CodeRabbit

• Refactor
  • Enhanced the command verification system to more accurately detect and report when claimed verification commands are not found in executed logs, providing improved safety notifications when discrepancies are identified.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a85c4d07-553d-4be8-b295-33718cb24338

📥 Commits

Reviewing files that changed from the base of the PR and between 8906b64 and 3647bc0.

📒 Files selected for processing (1)

• src/resources/extensions/gsd/auto-post-unit.ts

---

📝 Walkthrough

Walkthrough

The PR refactors the post-unit evidence cross-reference safety harness in auto-post-unit.ts. Instead of deriving a separate bashCalls array to detect missing commands, it now filters the existing mismatches set for warning-level entries where actual is null, logging a safety warning and notifying the UI when claimed commands are not found in recorded bash calls.

Changes

Evidence cross-reference safety harness

Layer / File(s)	Summary
Evidence cross-reference safety refactoring src/resources/extensions/gsd/auto-post-unit.ts	Removed the prior bashCalls array derivation and replaced it with filtering mismatches for warning-severity entries with actual === null, then logging and notifying the UI of missing claimed commands.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• gsd-build/gsd-2#5810: Both PRs modify the src/resources/extensions/gsd/auto-post-unit.ts safety/evidence cross-reference flow by changing how claimed bash/verification evidence is matched to recorded evidence.
• gsd-build/gsd-2#6074: Both PRs touch the GSD evidence cross-reference flow in auto-post-unit.ts by changing how mismatches for missing recorded bash calls are computed and surfaced.

Suggested labels

bug

Poem

🐰 A fuzzy hop through safety checks refined,
No more redundant lists to find,
Just filter mismatches with care,
And warn the UI: commands weren't there!
Evidence cross-reference, cleaner and wise. 🔍

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the safety fix for fabricated evidence bypass when crossReferenceEvidence is not properly used.
Linked Issues check	✅ Passed	The pull request implements all key objectives: re-enables crossReferenceEvidence logic, replaces zero-bash-calls check with command-level matching, detects fabricated evidence mismatches, and logs warnings when claimed commands are missing.
Out of Scope Changes check	✅ Passed	All changes in the pull request are directly related to the linked issue objective of fixing the fabricated evidence bypass by improving safety verification logic.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch issue/5938-safety-crossreferenceevidence-commented--1778892810

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔴 PR Risk Report — CRITICAL

Files changed	1
Systems affected	1
Overall risk	🔴 CRITICAL

Affected Systems

Risk	System
🔴 critical	Auto Engine

File Breakdown

Risk	File	Systems
🔴	src/resources/extensions/gsd/auto-post-unit.ts	Auto Engine

⚠️ 🔴 Critical risk — the following systems require verification before merge:

• 🔴 Auto Engine: validate auto-mode trigger conditions and loop termination

⛔ This PR should not be merged without executing this follow-up prompt.

Ask your coding agent to verify before submitting:

Review this PR for risks in: Auto Engine. Verify:

1. validate auto-mode trigger conditions and loop termination

Before modifying any code, assess the scope of this fix:

- Identify the root cause, not just the reported symptom.
- Search the codebase for other call sites, similar patterns, or duplicated logic that may share the same bug.
- List affected tests, documentation, and any downstream consumers that depend on the current behavior.
- Flag any changes that extend beyond the immediate file or function.

Report findings first. Then propose a fix scoped to the actual root cause, and wait for confirmation before applying changes outside the originally reported location.

💡 Have a Codex subscription? Get an independent second opinion: codex review --adversarial