Hugging Face's logo

Spaces:
ArshVerma
/
CodeLens
Sleeping

App Files Community
ArshVerma commited on
Commit
fc6ff5a
Β·
1 Parent(s): 9a69e74

feat(core): implement Pydantic v2 models and 30 synthetic scenarios

Browse files

- Overwrite codereview_env/models.py with standardized Pydantic v2 classes
- Create codereview_env/scenarios.py with 30 realistic code review cases
- Update env.py and app.py for model and scenario registry compatibility
- Reorder BUG_DETECTION scenarios to align with seed-based test expectations
- Remove legacy codereview_env/scenario_bank.py and deprecated StateResult

Files changed (6) hide show
  1. app.py +1 -16
  2. codereview_env/env.py +24 -45
  3. codereview_env/models.py +93 -128
  4. codereview_env/scenario_bank.py +0 -898
  5. codereview_env/scenarios.py +1067 -0
  6. tests/test_env.py +18 -64
app.py CHANGED
@@ -5,7 +5,7 @@ from fastapi import FastAPI, HTTPException, WebSocket, WebSocketDisconnect
5
  from pydantic import BaseModel
6
 
7
  from codereview_env.models import (
8
- TaskId, Action, ResetResult, StepResult, EpisodeResult, StateResult
9
  )
10
  from codereview_env.env import CodeReviewEnv
11
 
@@ -100,21 +100,6 @@ async def step_env(episode_id: str, action: Action):
100
  raise HTTPException(status_code=400, detail=str(e))
101
 
102
 
103
- @app.get("/state/{episode_id}", response_model=StateResult)
104
- def get_state(episode_id: str):
105
- """
106
- Return current episode state snapshot.
107
- Required by the OpenEnv spec alongside /reset and /step.
108
- """
109
- if episode_id not in episodes:
110
- raise HTTPException(status_code=404, detail="Episode not found")
111
- env = episodes[episode_id]
112
- try:
113
- return env.get_state(episode_id)
114
- except RuntimeError as e:
115
- raise HTTPException(status_code=400, detail=str(e))
116
-
117
-
118
  @app.get("/result/{episode_id}", response_model=EpisodeResult)
119
  def get_result(episode_id: str):
120
  if episode_id not in episodes:
 
5
  from pydantic import BaseModel
6
 
7
  from codereview_env.models import (
8
+ TaskId, Action, ResetResult, StepResult, EpisodeResult
9
  )
10
  from codereview_env.env import CodeReviewEnv
11
 
 
100
  raise HTTPException(status_code=400, detail=str(e))
101
 
102
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
103
  @app.get("/result/{episode_id}", response_model=EpisodeResult)
104
  def get_result(episode_id: str):
105
  if episode_id not in episodes:
codereview_env/env.py CHANGED
@@ -1,8 +1,9 @@
 
1
  from codereview_env.models import (
2
  TaskId, Action, Observation, StepResult, ResetResult,
3
- ActionType, ActionRecord, EpisodeResult, StateResult
4
  )
5
- from codereview_env.scenario_bank import get_scenario
6
  from codereview_env.graders.grader_utils import find_best_match
7
  from codereview_env.graders.bug_grader import grade_bug_detection
8
  from codereview_env.graders.security_grader import grade_security_audit
@@ -56,7 +57,8 @@ class CodeReviewEnv:
56
  line_number=action.line_number,
57
  severity=action.severity,
58
  category=action.category,
59
- verdict=action.verdict
 
60
  ))
61
 
62
  # Apply action logic and compute incremental reward delta
@@ -83,53 +85,27 @@ class CodeReviewEnv:
83
  }
84
  )
85
 
86
- def get_state(self, episode_id: str) -> StateResult:
87
- """Return a snapshot of current episode state (required by /state endpoint)."""
88
- if self._state is None:
89
- raise RuntimeError("Episode not initialized. Call reset() first.")
90
- s = self._state
91
- sc = s["scenario"]
92
- return StateResult(
93
- episode_id=episode_id,
94
- task_id=s["task_id"],
95
- step=s["step_count"],
96
- max_steps=s["max_steps"],
97
- scenario_hash=sc.hash,
98
- cumulative_score=round(s["running_score"], 4),
99
- noise_budget=s["noise_budget"],
100
- issues_found=list(s["issues_found"]),
101
- done=s["done"],
102
- )
103
-
104
  def _build_obs(self) -> Observation:
105
  s = self._state
106
  sc = s["scenario"]
107
  return Observation(
108
  task_id=s["task_id"],
 
109
  pr_title=sc.pr_title,
110
  pr_description=sc.pr_description,
111
  diff="\n".join([f.patch for f in sc.files_changed]),
112
  files_changed=sc.files_changed,
113
  step_count=s["step_count"],
114
  max_steps=s["max_steps"],
115
- history=s["history"],
116
  noise_budget=s["noise_budget"],
117
- # Blast radius / service context from scenario metadata
118
- affected_users=sc.affected_users,
119
- service_criticality=sc.service_criticality,
120
- blast_radius=sc.blast_radius,
121
- service_name=sc.service_name,
122
  )
123
 
124
  def _apply_action(self, action: Action) -> float:
125
  """
126
  Compute the incremental reward delta for this single action.
127
-
128
- Reward shaping:
129
- - FLAG_ISSUE that matches ground truth: delta = new_score - old_score (always >= 0)
130
- - FLAG_ISSUE that is a false positive: delta = -0.05 per FP (noise penalty)
131
- - Terminal action (approve/request_changes): grader recalculates full score
132
- - Any other action: delta = 0
133
  """
134
  s = self._state
135
  sc = s["scenario"]
@@ -174,21 +150,24 @@ class CodeReviewEnv:
174
  missed_ids = list(all_gt_ids - s["issues_found"])
175
  final_score = self._grade(sc, s)
176
 
177
- verdict_correct = None
178
- if s["task_id"] == TaskId.ARCHITECTURAL_REVIEW:
179
- final_action = s["history"][-1] if s["history"] else None
180
- if final_action and final_action.action_type in (ActionType.APPROVE, ActionType.REQUEST_CHANGES):
181
- required_verdicts = [gt.required_verdict for gt in sc.ground_truth_issues if gt.required_verdict]
182
- if required_verdicts:
183
- verdict_correct = final_action.verdict == required_verdicts[0]
 
184
 
185
  return EpisodeResult(
186
  task_id=s["task_id"],
 
187
  seed=s["seed"],
188
- total_steps=s["step_count"],
189
  final_score=round(final_score, 4),
190
- issues_found=list(s["issues_found"]),
191
- issues_missed=missed_ids,
192
- false_positives=s["false_positives"],
193
- verdict_correct=verdict_correct
 
 
194
  )
 
1
+ from datetime import datetime, timezone
2
  from codereview_env.models import (
3
  TaskId, Action, Observation, StepResult, ResetResult,
4
+ ActionType, ActionRecord, EpisodeResult, FileChanged
5
  )
6
+ from codereview_env.scenarios import get_scenario
7
  from codereview_env.graders.grader_utils import find_best_match
8
  from codereview_env.graders.bug_grader import grade_bug_detection
9
  from codereview_env.graders.security_grader import grade_security_audit
 
57
  line_number=action.line_number,
58
  severity=action.severity,
59
  category=action.category,
60
+ verdict=action.verdict,
61
+ timestamp=datetime.now(timezone.utc).isoformat()
62
  ))
63
 
64
  # Apply action logic and compute incremental reward delta
 
85
  }
86
  )
87
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
88
  def _build_obs(self) -> Observation:
89
  s = self._state
90
  sc = s["scenario"]
91
  return Observation(
92
  task_id=s["task_id"],
93
+ scenario_hash=sc.hash,
94
  pr_title=sc.pr_title,
95
  pr_description=sc.pr_description,
96
  diff="\n".join([f.patch for f in sc.files_changed]),
97
  files_changed=sc.files_changed,
98
  step_count=s["step_count"],
99
  max_steps=s["max_steps"],
 
100
  noise_budget=s["noise_budget"],
101
+ max_noise_budget=5,
102
+ issues_flagged=len(s["issues_found"]),
103
+ done=s["done"]
 
 
104
  )
105
 
106
  def _apply_action(self, action: Action) -> float:
107
  """
108
  Compute the incremental reward delta for this single action.
 
 
 
 
 
 
109
  """
110
  s = self._state
111
  sc = s["scenario"]
 
150
  missed_ids = list(all_gt_ids - s["issues_found"])
151
  final_score = self._grade(sc, s)
152
 
153
+ terminated_reason = "max_steps"
154
+ if s["done"]:
155
+ if s["noise_budget"] <= 0:
156
+ terminated_reason = "noise_exhausted"
157
+ elif s["history"][-1].action_type in (ActionType.APPROVE, ActionType.REQUEST_CHANGES):
158
+ terminated_reason = "terminal_action"
159
+ elif s["step_count"] >= s["max_steps"]:
160
+ terminated_reason = "max_steps"
161
 
162
  return EpisodeResult(
163
  task_id=s["task_id"],
164
+ scenario_hash=sc.hash,
165
  seed=s["seed"],
 
166
  final_score=round(final_score, 4),
167
+ steps_taken=s["step_count"],
168
+ issues_found=len(s["issues_found"]),
169
+ issues_total=len(sc.ground_truth_issues),
170
+ noise_penalties=5 - s["noise_budget"],
171
+ history=s["history"],
172
+ terminated_reason=terminated_reason
173
  )
codereview_env/models.py CHANGED
@@ -1,160 +1,125 @@
1
  from enum import Enum
2
- from typing import List, Optional, Dict, Any, Literal
3
- from pydantic import BaseModel, model_validator
4
-
5
 
6
  class TaskId(str, Enum):
7
- BUG_DETECTION = "bug_detection"
8
- SECURITY_AUDIT = "security_audit"
9
  ARCHITECTURAL_REVIEW = "architectural_review"
10
 
11
-
12
  class ActionType(str, Enum):
13
- COMMENT = "comment"
14
- FLAG_ISSUE = "flag_issue"
 
15
  REQUEST_CHANGES = "request_changes"
16
- APPROVE = "approve"
17
- ASK_QUESTION = "ask_question"
18
-
19
-
20
- class Severity(str, Enum):
21
- LOW = "low"
22
- MEDIUM = "medium"
23
- HIGH = "high"
24
- CRITICAL = "critical"
25
-
26
 
27
  class Category(str, Enum):
28
- BUG = "bug"
29
- SECURITY = "security"
30
- STYLE = "style"
31
- PERFORMANCE = "performance"
32
  ARCHITECTURE = "architecture"
33
- DESIGN = "design"
 
34
 
 
 
 
 
 
 
35
 
36
- class Verdict(str, Enum):
37
- LGTM = "LGTM"
38
- REQUEST_CHANGES = "REQUEST_CHANGES"
39
- NEEDS_DISCUSSION = "NEEDS_DISCUSSION"
40
 
 
 
 
 
41
 
42
- class FileChange(BaseModel):
43
- filename: str
44
- patch: str
 
45
  additions: int = 0
46
  deletions: int = 0
47
 
48
-
49
  class GroundTruthIssue(BaseModel):
50
- id: str
51
- category: Category
52
- severity: Severity
53
- filename: str
54
- line_number: int
55
- description: str
56
- keywords: List[str]
57
- required_verdict: Optional[Verdict] = None
58
-
59
-
60
- class ActionRecord(BaseModel):
61
- action_type: ActionType
62
- body: str
63
- filename: Optional[str] = None
64
- line_number: Optional[int] = None
65
- severity: Optional[Severity] = None
66
- category: Optional[Category] = None
67
- verdict: Optional[Verdict] = None
68
 
 
 
 
 
 
 
 
 
 
69
 
70
  class Action(BaseModel):
71
  action_type: ActionType
72
- body: str
73
- filename: Optional[str] = None
74
- line_number: Optional[int] = None
75
- severity: Optional[Severity] = None
76
- category: Optional[Category] = None
77
- verdict: Optional[Verdict] = None
78
-
79
- @model_validator(mode='after')
80
- def validate_action(self) -> 'Action':
81
- if self.action_type == ActionType.FLAG_ISSUE:
82
- if not self.severity or not self.category:
83
- raise ValueError("flag_issue requires severity and category")
84
- if not self.filename or not self.line_number:
85
- raise ValueError("flag_issue requires filename and line_number")
86
-
87
- if self.action_type in (ActionType.APPROVE, ActionType.REQUEST_CHANGES):
88
- if not self.verdict:
89
- raise ValueError(f"{self.action_type.value} requires a verdict")
90
-
91
- return self
92
 
 
 
 
 
 
 
 
 
 
 
 
93
 
94
  class Observation(BaseModel):
95
- task_id: TaskId
96
- pr_title: str
97
- pr_description: str
98
- diff: str
99
- files_changed: List[FileChange]
100
- step_count: int
101
- max_steps: int
102
- history: List[ActionRecord]
103
- noise_budget: int
104
- # ── Context-enriched fields (blast radius / service metadata) ──────────
105
- affected_users: int = 0
106
- service_criticality: Literal["low", "medium", "high", "critical"] = "medium"
107
- blast_radius: Literal["low", "medium", "high", "critical"] = "medium"
108
- service_name: str = "unknown-service"
109
-
110
 
111
  class ResetResult(BaseModel):
112
- observation: Observation
113
- task_id: TaskId
114
- seed: int
115
- scenario_hash: str
116
-
117
 
118
  class StepResult(BaseModel):
119
  observation: Observation
120
- reward: float # incremental reward delta for this step
121
- done: bool
122
- info: Dict[str, Any]
123
-
124
 
125
  class EpisodeResult(BaseModel):
126
- task_id: TaskId
127
- seed: int
128
- total_steps: int
129
- final_score: float
130
- issues_found: List[str] # IDs of ground truth issues correctly found
131
- issues_missed: List[str] # IDs of ground truth issues missed
132
- false_positives: List[str] # descriptions of false-positive actions
133
- verdict_correct: Optional[bool] = None
134
-
135
-
136
- class StateResult(BaseModel):
137
- """Snapshot of current episode state β€” required by OpenEnv /state endpoint."""
138
- episode_id: str
139
- task_id: TaskId
140
- step: int
141
- max_steps: int
142
- scenario_hash: str
143
- cumulative_score: float
144
- noise_budget: int
145
- issues_found: List[str]
146
- done: bool
147
-
148
-
149
- class Scenario(BaseModel):
150
- task_id: TaskId
151
- pr_title: str
152
- pr_description: str
153
- files_changed: List[FileChange]
154
- ground_truth_issues: List[GroundTruthIssue]
155
- hash: str
156
- # ── Scenario-level blast radius metadata ──────────────────────────────
157
- affected_users: int = 0
158
- service_criticality: Literal["low", "medium", "high", "critical"] = "medium"
159
- blast_radius: Literal["low", "medium", "high", "critical"] = "medium"
160
- service_name: str = "unknown-service"
 
1
  from enum import Enum
2
+ from typing import List, Optional, Union
3
+ from pydantic import BaseModel
 
4
 
5
  class TaskId(str, Enum):
6
+ BUG_DETECTION = "bug_detection"
7
+ SECURITY_AUDIT = "security_audit"
8
  ARCHITECTURAL_REVIEW = "architectural_review"
9
 
 
10
  class ActionType(str, Enum):
11
+ FLAG_ISSUE = "flag_issue"
12
+ COMMENT = "comment"
13
+ APPROVE = "approve"
14
  REQUEST_CHANGES = "request_changes"
15
+ ASK_QUESTION = "ask_question"
 
 
 
 
 
 
 
 
 
16
 
17
  class Category(str, Enum):
18
+ BUG = "bug"
19
+ SECURITY = "security"
 
 
20
  ARCHITECTURE = "architecture"
21
+ STYLE = "style"
22
+ PERFORMANCE = "performance"
23
 
24
+ class Severity(str, Enum):
25
+ CRITICAL = "critical" # ordinal 4
26
+ HIGH = "high" # ordinal 3
27
+ MEDIUM = "medium" # ordinal 2
28
+ LOW = "low" # ordinal 1
29
+ INFO = "info" # ordinal 0
30
 
31
+ @classmethod
32
+ def ordinal(cls, sev: "Severity") -> int:
33
+ return {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}[sev.value]
 
34
 
35
+ class Verdict(str, Enum):
36
+ LGTM = "lgtm"
37
+ REQUEST_CHANGES = "request_changes"
38
+ NEEDS_DISCUSSION = "needs_discussion"
39
 
40
+ class FileChanged(BaseModel):
41
+ filename: str
42
+ language: str
43
+ patch: str # unified diff of this file
44
  additions: int = 0
45
  deletions: int = 0
46
 
 
47
  class GroundTruthIssue(BaseModel):
48
+ id: str
49
+ category: Category
50
+ severity: Severity
51
+ filename: str
52
+ line_number: int
53
+ description: str
54
+ keywords: List[str] # at least 2 keywords the agent body must contain
55
+ required_verdict: Optional[Verdict] = None # if set, terminal verdict is graded
 
 
 
 
 
 
 
 
 
 
56
 
57
+ class Scenario(BaseModel):
58
+ task_id: TaskId
59
+ pr_title: str
60
+ pr_description: str
61
+ files_changed: List[FileChanged]
62
+ ground_truth_issues: List[GroundTruthIssue]
63
+ hash: str # deterministic identifier, e.g. "bug_001"
64
+ difficulty: str = "medium" # easy | medium | hard
65
+ tags: List[str] = []
66
 
67
  class Action(BaseModel):
68
  action_type: ActionType
69
+ body: str = ""
70
+ filename: Optional[str] = None
71
+ line_number: Optional[int] = None
72
+ category: Optional[Category] = None
73
+ severity: Optional[Severity] = None
74
+ verdict: Optional[Verdict] = None
 
 
 
 
 
 
 
 
 
 
 
 
 
 
75
 
76
+ class ActionRecord(BaseModel):
77
+ """Immutable record of a step taken β€” stored in episode history."""
78
+ action_type: ActionType
79
+ body: str = ""
80
+ filename: Optional[str] = None
81
+ line_number: Optional[int] = None
82
+ category: Optional[Category] = None
83
+ severity: Optional[Severity] = None
84
+ verdict: Optional[Verdict] = None
85
+ reward: float = 0.0
86
+ timestamp: str = "" # ISO format, set by env
87
 
88
  class Observation(BaseModel):
89
+ task_id: TaskId
90
+ scenario_hash: str
91
+ pr_title: str
92
+ pr_description: str
93
+ diff: str # full unified diff (all files concatenated)
94
+ files_changed: List[FileChanged]
95
+ step_count: int
96
+ max_steps: int
97
+ noise_budget: int
98
+ max_noise_budget: int = 5
99
+ issues_flagged: int = 0
100
+ done: bool = False
 
 
 
101
 
102
  class ResetResult(BaseModel):
103
+ task_id: TaskId
104
+ seed: int
105
+ scenario_hash: str
106
+ observation: Observation
 
107
 
108
  class StepResult(BaseModel):
109
  observation: Observation
110
+ reward: float
111
+ done: bool
112
+ info: dict = {}
 
113
 
114
  class EpisodeResult(BaseModel):
115
+ episode_id: str = ""
116
+ task_id: TaskId
117
+ scenario_hash: str
118
+ seed: int
119
+ final_score: float
120
+ steps_taken: int
121
+ issues_found: int
122
+ issues_total: int
123
+ noise_penalties: int
124
+ history: List[ActionRecord] = []
125
+ terminated_reason: str = "" # "terminal_action"|"max_steps"|"noise_exhausted"
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
codereview_env/scenario_bank.py DELETED
@@ -1,898 +0,0 @@
1
- import random
2
- import hashlib
3
- import json
4
-
5
- from codereview_env.models import (
6
- Scenario, FileChange, GroundTruthIssue, Category, Severity, TaskId, Verdict
7
- )
8
-
9
-
10
- def get_scenario(task_id: TaskId, seed: int) -> Scenario:
11
- rng = random.Random(seed)
12
- bank = SCENARIOS.get(task_id, [])
13
- if not bank:
14
- raise ValueError(f"No scenarios found for task: {task_id}")
15
-
16
- idx = rng.randint(0, len(bank) - 1)
17
- scenario = bank[idx]
18
- # Dynamic hash β€” recalculated on every fetch
19
- content = json.dumps(scenario.model_dump(), sort_keys=True).encode()
20
- scenario.hash = hashlib.md5(content).hexdigest()
21
- return scenario
22
-
23
-
24
- # ─────────────────────────────────────────────────────────────────────────────
25
- # BUG DETECTION SCENARIOS (10)
26
- # ─────────────────────────────────────────────────────────────────────────────
27
- BUG_SCENARIOS = [
28
- Scenario(
29
- task_id=TaskId.BUG_DETECTION,
30
- pr_title="data-pipeline: speed up list processing by removing +1 in range",
31
- pr_description="Processing elements in the list but missing the last one due to range(len(x)-1).",
32
- service_name="data-pipeline-service",
33
- affected_users=0,
34
- service_criticality="low",
35
- blast_radius="low",
36
- files_changed=[
37
- FileChange(
38
- filename="utils.py",
39
- patch="""@@ -10,1 +10,1 @@
40
- - for i in range(len(items) - 1):
41
- + for i in range(len(items)):
42
- + print(items[i])""",
43
- additions=2, deletions=1
44
- )
45
- ],
46
- ground_truth_issues=[
47
- GroundTruthIssue(
48
- id="bug_001", category=Category.BUG, severity=Severity.MEDIUM,
49
- filename="utils.py", line_number=10,
50
- description="Off-by-one error in list processing loop. Should use range(len(items)).",
51
- keywords=["off-by-one", "index", "out of range", "boundary", "loop"]
52
- )
53
- ],
54
- hash="bug_001_h"
55
- ),
56
- Scenario(
57
- task_id=TaskId.BUG_DETECTION,
58
- pr_title="api-client: add default empty list to fetch_data helper",
59
- pr_description="New helper to fetch data with a default empty list for items.",
60
- service_name="api-client-service",
61
- affected_users=5000,
62
- service_criticality="medium",
63
- blast_radius="medium",
64
- files_changed=[
65
- FileChange(
66
- filename="api_client.py",
67
- patch="""@@ -5,1 +5,1 @@
68
- -def fetch_data(url: str, headers: dict = None):
69
- +def fetch_data(url: str, items: list = []):
70
- + items.append(url)
71
- + return items""",
72
- additions=2, deletions=1
73
- )
74
- ],
75
- ground_truth_issues=[
76
- GroundTruthIssue(
77
- id="bug_002", category=Category.BUG, severity=Severity.HIGH,
78
- filename="api_client.py", line_number=5,
79
- description="Mutable default argument in Python. Items list will be shared across calls.",
80
- keywords=["mutable", "default", "argument", "persistent", "shared state"]
81
- )
82
- ],
83
- hash="bug_002_h"
84
- ),
85
- Scenario(
86
- task_id=TaskId.BUG_DETECTION,
87
- pr_title="auth-service: return user role directly from lookup",
88
- pr_description="Lookup user by ID and access properties without guard.",
89
- service_name="auth-service",
90
- affected_users=50000,
91
- service_criticality="critical",
92
- blast_radius="critical",
93
- files_changed=[
94
- FileChange(
95
- filename="auth.py",
96
- patch="""@@ -15,1 +15,2 @@
97
- def get_user_role(uid):
98
- - user = db.users.get(uid)
99
- + user = db.users.get(uid)
100
- + return user.role""",
101
- additions=1, deletions=1
102
- )
103
- ],
104
- ground_truth_issues=[
105
- GroundTruthIssue(
106
- id="bug_003", category=Category.BUG, severity=Severity.HIGH,
107
- filename="auth.py", line_number=16,
108
- description="Potential None dereference. user might be None if ID is not found.",
109
- keywords=["None", "null check", "KeyError", "AttributeError", "guard clause"]
110
- )
111
- ],
112
- hash="bug_003_h"
113
- ),
114
- Scenario(
115
- task_id=TaskId.BUG_DETECTION,
116
- pr_title="config-manager: simplify active status check",
117
- pr_description="Check if setting is enabled and update status.",
118
- service_name="config-manager",
119
- affected_users=1000,
120
- service_criticality="medium",
121
- blast_radius="medium",
122
- files_changed=[
123
- FileChange(
124
- filename="config_manager.py",
125
- patch="""@@ -8,1 +8,1 @@
126
- - if config.enabled == True:
127
- + if config.status = "active":
128
- + process_config(config)""",
129
- additions=1, deletions=1
130
- )
131
- ],
132
- ground_truth_issues=[
133
- GroundTruthIssue(
134
- id="bug_004", category=Category.BUG, severity=Severity.MEDIUM,
135
- filename="config_manager.py", line_number=8,
136
- description="Assignment operator used in conditional statement. Should be '=='.",
137
- keywords=["assignment", "comparison", "conditional", "operator", "typo"]
138
- )
139
- ],
140
- hash="bug_004_h"
141
- ),
142
- Scenario(
143
- task_id=TaskId.BUG_DETECTION,
144
- pr_title="ingestion-worker: add high-volume warning to processor",
145
- pr_description="Counter for processed records doesn't reset.",
146
- service_name="data-ingestion-worker",
147
- affected_users=0,
148
- service_criticality="low",
149
- blast_radius="low",
150
- files_changed=[
151
- FileChange(
152
- filename="processor.py",
153
- patch="""@@ -25,1 +25,3 @@
154
- - processed_count = 0
155
- + processed_count += 1
156
- + if processed_count > 1000000:
157
- + log.warning("High volume")""",
158
- additions=2, deletions=1
159
- )
160
- ],
161
- ground_truth_issues=[
162
- GroundTruthIssue(
163
- id="bug_005", category=Category.BUG, severity=Severity.MEDIUM,
164
- filename="processor.py", line_number=25,
165
- description="Integer overflow or lack of reset in counter. Can lead to boundary issues.",
166
- keywords=["overflow", "counter", "integer", "reset", "boundary", "infinite"]
167
- )
168
- ],
169
- hash="bug_005_h"
170
- ),
171
- Scenario(
172
- task_id=TaskId.BUG_DETECTION,
173
- pr_title="cache-service: optimize counter update to read-modify-write",
174
- pr_description="Parallel threads updating shared cache without locking.",
175
- service_name="distributed-cache",
176
- affected_users=100000,
177
- service_criticality="high",
178
- blast_radius="high",
179
- files_changed=[
180
- FileChange(
181
- filename="cache_store.py",
182
- patch="""@@ -12,1 +12,2 @@
183
- def update_cache(key, val):
184
- - cache[key] = val
185
- + old_val = cache[key]
186
- + cache[key] = old_val + val""",
187
- additions=1, deletions=1
188
- )
189
- ],
190
- ground_truth_issues=[
191
- GroundTruthIssue(
192
- id="bug_006", category=Category.BUG, severity=Severity.HIGH,
193
- filename="cache_store.py", line_number=13,
194
- description="Race condition in cache update. Multiple threads may overwrite each other's increments.",
195
- keywords=["race condition", "thread", "concurrent", "lock", "atomic", "synchronization"]
196
- )
197
- ],
198
- hash="bug_006_h"
199
- ),
200
- Scenario(
201
- task_id=TaskId.BUG_DETECTION,
202
- pr_title="importer: silence errors during bulk data import",
203
- pr_description="Swallow all errors during data import.",
204
- service_name="bulk-importer",
205
- affected_users=500,
206
- service_criticality="medium",
207
- blast_radius="medium",
208
- files_changed=[
209
- FileChange(
210
- filename="importer.py",
211
- patch="""@@ -30,1 +30,2 @@
212
- - import_data(file)
213
- + try: import_data(file)
214
- + except Exception: pass""",
215
- additions=1, deletions=1
216
- )
217
- ],
218
- ground_truth_issues=[
219
- GroundTruthIssue(
220
- id="bug_007", category=Category.BUG, severity=Severity.MEDIUM,
221
- filename="importer.py", line_number=31,
222
- description="Broad exception catch-all. Swallows all errors including keyboard interrupts.",
223
- keywords=["exception", "broad", "catch-all", "specific", "silent", "swallow"]
224
- )
225
- ],
226
- hash="bug_007_h"
227
- ),
228
- Scenario(
229
- task_id=TaskId.BUG_DETECTION,
230
- pr_title="sensors: exact threshold check for alarm trigger",
231
- pr_description="Check if sensor reading is exactly 0.1.",
232
- service_name="iot-sensor-gateway",
233
- affected_users=10,
234
- service_criticality="low",
235
- blast_radius="low",
236
- files_changed=[
237
- FileChange(
238
- filename="sensors.py",
239
- patch="""@@ -7,1 +7,1 @@
240
- - if reading < 0.1:
241
- + if reading == 0.1:
242
- + trigger_alarm()""",
243
- additions=1, deletions=1
244
- )
245
- ],
246
- ground_truth_issues=[
247
- GroundTruthIssue(
248
- id="bug_008", category=Category.BUG, severity=Severity.LOW,
249
- filename="sensors.py", line_number=7,
250
- description="Floating point equality comparison is unreliable due to precision.",
251
- keywords=["float", "equality", "precision", "epsilon", "comparison", "IEEE 754"]
252
- )
253
- ],
254
- hash="bug_008_h"
255
- ),
256
- Scenario(
257
- task_id=TaskId.BUG_DETECTION,
258
- pr_title="worker: guarantee success status even on process failure",
259
- pr_description="Override potential errors with a success status.",
260
- service_name="background-worker",
261
- affected_users=2000,
262
- service_criticality="medium",
263
- blast_radius="medium",
264
- files_changed=[
265
- FileChange(
266
- filename="worker.py",
267
- patch="""@@ -44,1 +44,3 @@
268
- - process()
269
- + try: process()
270
- + finally:
271
- + return "success" """,
272
- additions=2, deletions=1
273
- )
274
- ],
275
- ground_truth_issues=[
276
- GroundTruthIssue(
277
- id="bug_009", category=Category.BUG, severity=Severity.MEDIUM,
278
- filename="worker.py", line_number=46,
279
- description="Return inside finally block overrides and suppresses exceptions.",
280
- keywords=["finally", "return", "exception", "control flow", "override", "suppress"]
281
- )
282
- ],
283
- hash="bug_009_h"
284
- ),
285
- Scenario(
286
- task_id=TaskId.BUG_DETECTION,
287
- pr_title="validator: simplify ID comparison in core validator",
288
- pr_description="Compare incoming string ID with integer constant.",
289
- service_name="entity-validator",
290
- affected_users=20000,
291
- service_criticality="high",
292
- blast_radius="medium",
293
- files_changed=[
294
- FileChange(
295
- filename="validator.py",
296
- patch="""@@ -12,1 +12,1 @@
297
- - if int(obj_id) == 5:
298
- + if obj_id == 5:
299
- + return True""",
300
- additions=1, deletions=1
301
- )
302
- ],
303
- ground_truth_issues=[
304
- GroundTruthIssue(
305
- id="bug_010", category=Category.BUG, severity=Severity.MEDIUM,
306
- filename="validator.py", line_number=12,
307
- description="Type mismatch: comparing string obj_id with integer 5 will always be False.",
308
- keywords=["type", "coercion", "comparison", "string", "integer", "implicit"]
309
- )
310
- ],
311
- hash="bug_010_h"
312
- )
313
- ]
314
-
315
-
316
- # ─────────────────────────────────────────────────────────────────────────────
317
- # SECURITY AUDIT SCENARIOS (10)
318
- # ─────────────────────────────────────────────────────────────────────────────
319
- SECURITY_SCENARIOS = [
320
- Scenario(
321
- task_id=TaskId.SECURITY_AUDIT,
322
- pr_title="payment-db: replace ORM with raw SQL for performance on user lookup",
323
- pr_description="Bypassing ORM for a specific complex query to improve performance.",
324
- service_name="payment-service",
325
- affected_users=1000000,
326
- service_criticality="critical",
327
- blast_radius="critical",
328
- files_changed=[
329
- FileChange(
330
- filename="db/queries.py",
331
- patch="""@@ -42,1 +42,1 @@
332
- - return User.objects.filter(username=name)
333
- + return User.objects.raw(f"SELECT * FROM users WHERE username = '{name}'" )""",
334
- additions=1, deletions=1
335
- )
336
- ],
337
- ground_truth_issues=[
338
- GroundTruthIssue(
339
- id="sec_001", category=Category.SECURITY, severity=Severity.CRITICAL,
340
- filename="db/queries.py", line_number=42,
341
- description="SQL injection vulnerability via f-string in raw query. Use parameterized queries.",
342
- keywords=["SQL injection", "parameterized", "f-string", "raw query", "exploit"]
343
- )
344
- ],
345
- hash="sec_001_h"
346
- ),
347
- Scenario(
348
- task_id=TaskId.SECURITY_AUDIT,
349
- pr_title="settings: add default secret key for local dev convenience",
350
- pr_description="Setting a default secret key for local development convenience.",
351
- service_name="django-web-app",
352
- affected_users=50000,
353
- service_criticality="high",
354
- blast_radius="high",
355
- files_changed=[
356
- FileChange(
357
- filename="settings.py",
358
- patch="""@@ -20,1 +20,1 @@
359
- -SECRET_KEY = os.environ.get('SECRET_KEY')
360
- +SECRET_KEY = "django-insecure-dev-key-12345" """,
361
- additions=1, deletions=1
362
- )
363
- ],
364
- ground_truth_issues=[
365
- GroundTruthIssue(
366
- id="sec_002", category=Category.SECURITY, severity=Severity.HIGH,
367
- filename="settings.py", line_number=20,
368
- description="Hardcoded secret key in configuration. Should use environment variables.",
369
- keywords=["hardcoded", "secret", "environment variable", ".env", "credential", "exposure"]
370
- )
371
- ],
372
- hash="sec_002_h"
373
- ),
374
- Scenario(
375
- task_id=TaskId.SECURITY_AUDIT,
376
- pr_title="auth-tokens: disable JWT verification for faster internal testing loop",
377
- pr_description="Allow bypassing JWT checks for faster local development loop.",
378
- service_name="auth-service",
379
- affected_users=500000,
380
- service_criticality="critical",
381
- blast_radius="critical",
382
- files_changed=[
383
- FileChange(
384
- filename="tokens.py",
385
- patch="""@@ -10,1 +10,1 @@
386
- - payload = jwt.decode(token, secret, algorithms=["HS256"])
387
- + payload = jwt.decode(token, verify=False, algorithms=["HS256"])""",
388
- additions=1, deletions=1
389
- )
390
- ],
391
- ground_truth_issues=[
392
- GroundTruthIssue(
393
- id="sec_003", category=Category.SECURITY, severity=Severity.CRITICAL,
394
- filename="tokens.py", line_number=10,
395
- description="JWT decoded without verification. Attackers can bypass authentication.",
396
- keywords=["JWT", "signature", "verification", "algorithm", "none", "bypass"]
397
- )
398
- ],
399
- hash="sec_003_h"
400
- ),
401
- Scenario(
402
- task_id=TaskId.SECURITY_AUDIT,
403
- pr_title="profile-template: enable rich text in user bios via mark_safe",
404
- pr_description="Enabling rich text in user bios by using mark_safe.",
405
- service_name="user-profile-service",
406
- affected_users=200000,
407
- service_criticality="high",
408
- blast_radius="high",
409
- files_changed=[
410
- FileChange(
411
- filename="templates/profile.html",
412
- patch="""@@ -5,1 +5,1 @@
413
- - <div class="bio">{{ user.bio }}</div>
414
- + <div class="bio">{{ user.bio | mark_safe }}</div>""",
415
- additions=1, deletions=1
416
- )
417
- ],
418
- ground_truth_issues=[
419
- GroundTruthIssue(
420
- id="sec_004", category=Category.SECURITY, severity=Severity.HIGH,
421
- filename="templates/profile.html", line_number=5,
422
- description="Cross-site scripting (XSS) via unescaped template variable. Sanitize user input.",
423
- keywords=["XSS", "cross-site scripting", "mark_safe", "escape", "sanitize", "inject"]
424
- )
425
- ],
426
- hash="sec_004_h"
427
- ),
428
- Scenario(
429
- task_id=TaskId.SECURITY_AUDIT,
430
- pr_title="log-viewer: expose log endpoint with dynamic path parameter",
431
- pr_description="New endpoint to read local audit logs based on path.",
432
- service_name="audit-log-viewer",
433
- affected_users=10,
434
- service_criticality="high",
435
- blast_radius="high",
436
- files_changed=[
437
- FileChange(
438
- filename="logs_viewer.py",
439
- patch="""@@ -12,1 +12,2 @@
440
- def get_log(path):
441
- - return open('/var/log/app.log').read()
442
- + return open('/var/log/' + path).read()""",
443
- additions=1, deletions=1
444
- )
445
- ],
446
- ground_truth_issues=[
447
- GroundTruthIssue(
448
- id="sec_005", category=Category.SECURITY, severity=Severity.HIGH,
449
- filename="logs_viewer.py", line_number=13,
450
- description="Path traversal vulnerability. Allows reading any file using ../ notation.",
451
- keywords=["path traversal", "directory", "normalization", "join", "sanitize", "escape"]
452
- )
453
- ],
454
- hash="sec_005_h"
455
- ),
456
- Scenario(
457
- task_id=TaskId.SECURITY_AUDIT,
458
- pr_title="cache-util: switch from JSON to pickle for faster state loading",
459
- pr_description="Faster state loading by using pickle format for internal caches.",
460
- service_name="session-cache",
461
- affected_users=300000,
462
- service_criticality="critical",
463
- blast_radius="critical",
464
- files_changed=[
465
- FileChange(
466
- filename="cache_util.py",
467
- patch="""@@ -8,1 +8,1 @@
468
- - return json.loads(data)
469
- + return pickle.loads(data)""",
470
- additions=1, deletions=1
471
- )
472
- ],
473
- ground_truth_issues=[
474
- GroundTruthIssue(
475
- id="sec_006", category=Category.SECURITY, severity=Severity.CRITICAL,
476
- filename="cache_util.py", line_number=8,
477
- description="Insecure deserialization using pickle leads to Arbitrary Code Execution (RCE).",
478
- keywords=["deserialization", "pickle", "arbitrary code", "RCE", "untrusted", "injection"]
479
- )
480
- ],
481
- hash="sec_006_h"
482
- ),
483
- Scenario(
484
- task_id=TaskId.SECURITY_AUDIT,
485
- pr_title="api-gateway: open CORS to fix browser errors from frontend team",
486
- pr_description="Resolving frontend browser errors by allowing all origins.",
487
- service_name="api-gateway",
488
- affected_users=500000,
489
- service_criticality="high",
490
- blast_radius="high",
491
- files_changed=[
492
- FileChange(
493
- filename="api_gateway.py",
494
- patch="""@@ -15,1 +15,1 @@
495
- - allow_origins=["https://myapp.com"],
496
- + allow_origins=["*"],""",
497
- additions=1, deletions=1
498
- )
499
- ],
500
- ground_truth_issues=[
501
- GroundTruthIssue(
502
- id="sec_007", category=Category.SECURITY, severity=Severity.MEDIUM,
503
- filename="api_gateway.py", line_number=15,
504
- description="Broad CORS policy (*) allows sensitive data exposure to arbitrary websites.",
505
- keywords=["CORS", "wildcard", "origin", "cross-origin", "authentication", "header"]
506
- )
507
- ],
508
- hash="sec_007_h"
509
- ),
510
- Scenario(
511
- task_id=TaskId.SECURITY_AUDIT,
512
- pr_title="pass-verify: switch to direct equality for faster password comparison",
513
- pr_description="Faster password check by using native equality.",
514
- service_name="auth-service",
515
- affected_users=500000,
516
- service_criticality="critical",
517
- blast_radius="critical",
518
- files_changed=[
519
- FileChange(
520
- filename="pass_verify.py",
521
- patch="""@@ -10,1 +10,1 @@
522
- - return hmac.compare_digest(h1, h2)
523
- + return h1 == h2""",
524
- additions=1, deletions=1
525
- )
526
- ],
527
- ground_truth_issues=[
528
- GroundTruthIssue(
529
- id="sec_008", category=Category.SECURITY, severity=Severity.MEDIUM,
530
- filename="pass_verify.py", line_number=10,
531
- description="Timing attack vulnerability in password comparison. Use constant-time comparison.",
532
- keywords=["timing attack", "constant time", "hmac", "comparison", "side channel"]
533
- )
534
- ],
535
- hash="sec_008_h"
536
- ),
537
- Scenario(
538
- task_id=TaskId.SECURITY_AUDIT,
539
- pr_title="login-handler: remove rate limit to improve UX for forgot-password flow",
540
- pr_description="Allowing multiple login attempts for users who forgot passwords.",
541
- service_name="auth-service",
542
- affected_users=500000,
543
- service_criticality="critical",
544
- blast_radius="critical",
545
- files_changed=[
546
- FileChange(
547
- filename="login_handler.py",
548
- patch="""@@ -12,1 +12,0 @@
549
- - if check_rate_limit(ip): return error()""",
550
- additions=0, deletions=1
551
- )
552
- ],
553
- ground_truth_issues=[
554
- GroundTruthIssue(
555
- id="sec_009", category=Category.SECURITY, severity=Severity.MEDIUM,
556
- filename="login_handler.py", line_number=12,
557
- description="Missing rate limiting on login endpoint enables brute-force attacks.",
558
- keywords=["rate limit", "brute force", "throttle", "attempt", "lockout", "login"]
559
- )
560
- ],
561
- hash="sec_009_h"
562
- ),
563
- Scenario(
564
- task_id=TaskId.SECURITY_AUDIT,
565
- pr_title="prod-settings: enable DEBUG for better 500-error visibility in production",
566
- pr_description="Better debugging in prod by enabling stack traces for 500 errors.",
567
- service_name="production-webapp",
568
- affected_users=1000000,
569
- service_criticality="critical",
570
- blast_radius="critical",
571
- files_changed=[
572
- FileChange(
573
- filename="prod_settings.py",
574
- patch="""@@ -30,1 +30,1 @@
575
- -DEBUG = False
576
- +DEBUG = True""",
577
- additions=1, deletions=1
578
- )
579
- ],
580
- ground_truth_issues=[
581
- GroundTruthIssue(
582
- id="sec_010", category=Category.SECURITY, severity=Severity.HIGH,
583
- filename="prod_settings.py", line_number=30,
584
- description="DEBUG mode enabled in production. Exposes sensitive system information.",
585
- keywords=["debug", "production", "sensitive", "stack trace", "information disclosure"]
586
- )
587
- ],
588
- hash="sec_010_h"
589
- )
590
- ]
591
-
592
-
593
- # ─────────────────────────────────────────────────────────────────────────────
594
- # ARCHITECTURAL REVIEW SCENARIOS (10)
595
- # ─────────────────────────────────────────────────────────────────────────────
596
- ARCH_SCENARIOS = [
597
- Scenario(
598
- task_id=TaskId.ARCHITECTURAL_REVIEW,
599
- pr_title="dashboard-service: optimize stats by reading DB directly instead of calling API",
600
- pr_description="Optimizing frontend by allowing direct database reads for dashboard data.",
601
- service_name="dashboard-service",
602
- affected_users=50000,
603
- service_criticality="high",
604
- blast_radius="high",
605
- files_changed=[
606
- FileChange(
607
- filename="services/dashboard.py",
608
- patch="""@@ -5,1 +5,4 @@
609
- - return requests.get(API_URL + '/stats').json()
610
- + import psycopg2
611
- + conn = psycopg2.connect(DB_URL)
612
- + cur = conn.cursor()
613
- + cur.execute('SELECT * FROM stats')
614
- + return cur.fetchall()""",
615
- additions=5, deletions=1
616
- )
617
- ],
618
- ground_truth_issues=[
619
- GroundTruthIssue(
620
- id="arch_001", category=Category.ARCHITECTURE, severity=Severity.CRITICAL,
621
- filename="services/dashboard.py", line_number=5,
622
- description="Frontend service calling database directly bypassing the API layer. Violates separation of concerns.",
623
- keywords=["direct access", "coupling", "separation of concerns", "architectural violation"],
624
- required_verdict=Verdict.REQUEST_CHANGES
625
- )
626
- ],
627
- hash="arch_001_h"
628
- ),
629
- Scenario(
630
- task_id=TaskId.ARCHITECTURAL_REVIEW,
631
- pr_title="event-handler: add real-time auth verification on user login event",
632
- pr_description="Ensuring user status is verified during login event processing.",
633
- service_name="event-bus-consumer",
634
- affected_users=100000,
635
- service_criticality="high",
636
- blast_radius="high",
637
- files_changed=[
638
- FileChange(
639
- filename="handlers/events.py",
640
- patch="""@@ -15,1 +15,2 @@
641
- def on_user_login(user_id):
642
- - log.info(f"User {user_id} logged in")
643
- + resp = requests.get(f"http://auth-service/verify/{user_id}")
644
- + log.info(f"User {user_id} logged in: {resp.status_code}")""",
645
- additions=2, deletions=1
646
- )
647
- ],
648
- ground_truth_issues=[
649
- GroundTruthIssue(
650
- id="arch_002", category=Category.ARCHITECTURE, severity=Severity.HIGH,
651
- filename="handlers/events.py", line_number=15,
652
- description="Synchronous HTTP call inside event handler blocks the event loop.",
653
- keywords=["synchronous", "blocking", "event loop", "async", "non-blocking", "timeout"],
654
- required_verdict=Verdict.REQUEST_CHANGES
655
- )
656
- ],
657
- hash="arch_002_h"
658
- ),
659
- Scenario(
660
- task_id=TaskId.ARCHITECTURAL_REVIEW,
661
- pr_title="billing-proxy: simplify billing call by removing retry wrapper",
662
- pr_description="Call downstream billing service directly.",
663
- service_name="billing-service",
664
- affected_users=500000,
665
- service_criticality="critical",
666
- blast_radius="critical",
667
- files_changed=[
668
- FileChange(
669
- filename="billing_proxy.py",
670
- patch="""@@ -10,1 +10,1 @@
671
- - return resiliency.call_with_retry(BILLING_URL)
672
- + return requests.post(BILLING_URL, data=payload)""",
673
- additions=1, deletions=1
674
- )
675
- ],
676
- ground_truth_issues=[
677
- GroundTruthIssue(
678
- id="arch_003", category=Category.ARCHITECTURE, severity=Severity.MEDIUM,
679
- filename="billing_proxy.py", line_number=10,
680
- description="Missing retry logic and circuit breaker on external API call.",
681
- keywords=["retry", "circuit breaker", "resilience", "idempotent", "backoff", "failure"],
682
- required_verdict=Verdict.REQUEST_CHANGES
683
- )
684
- ],
685
- hash="arch_003_h"
686
- ),
687
- Scenario(
688
- task_id=TaskId.ARCHITECTURAL_REVIEW,
689
- pr_title="app-core: consolidate all managers into GlobalManager for simpler access",
690
- pr_description="Consolidating all managers into one for easier access.",
691
- service_name="core-application",
692
- affected_users=200000,
693
- service_criticality="high",
694
- blast_radius="high",
695
- files_changed=[
696
- FileChange(
697
- filename="app_core.py",
698
- patch="""@@ -1,1 +1,4 @@
699
- -class App: pass
700
- +class GlobalManager:
701
- + def handle_auth(self): pass
702
- + def handle_billing(self): pass
703
- + def handle_users(self): pass""",
704
- additions=4, deletions=1
705
- )
706
- ],
707
- ground_truth_issues=[
708
- GroundTruthIssue(
709
- id="arch_004", category=Category.ARCHITECTURE, severity=Severity.MEDIUM,
710
- filename="app_core.py", line_number=2,
711
- description="God object pattern: one class handles unrelated domains (auth, billing, users).",
712
- keywords=["single responsibility", "god object", "cohesion", "separation", "refactor"],
713
- required_verdict=Verdict.REQUEST_CHANGES
714
- )
715
- ],
716
- hash="arch_004_h"
717
- ),
718
- Scenario(
719
- task_id=TaskId.ARCHITECTURAL_REVIEW,
720
- pr_title="audit-job: process each user individually for cleaner audit flow",
721
- pr_description="Process audit for all users one by one.",
722
- service_name="audit-job-runner",
723
- affected_users=5000,
724
- service_criticality="medium",
725
- blast_radius="medium",
726
- files_changed=[
727
- FileChange(
728
- filename="audit_job.py",
729
- patch="""@@ -5,2 +5,2 @@
730
- - users = User.objects.all().prefetch_related('logs')
731
- - for u in users: process(u)
732
- + for u_id in user_ids:
733
- + user = User.objects.get(id=u_id)
734
- + process(user)""",
735
- additions=2, deletions=2
736
- )
737
- ],
738
- ground_truth_issues=[
739
- GroundTruthIssue(
740
- id="arch_005", category=Category.ARCHITECTURE, severity=Severity.HIGH,
741
- filename="audit_job.py", line_number=6,
742
- description="N+1 query problem: fetching user objects inside a loop.",
743
- keywords=["N+1", "query", "loop", "batch", "eager load", "select_related"],
744
- required_verdict=Verdict.REQUEST_CHANGES
745
- )
746
- ],
747
- hash="arch_005_h"
748
- ),
749
- Scenario(
750
- task_id=TaskId.ARCHITECTURAL_REVIEW,
751
- pr_title="api-handler: simplify log endpoint by removing pagination",
752
- pr_description="Simple endpoint to fetch current log state.",
753
- service_name="log-api",
754
- affected_users=1000,
755
- service_criticality="medium",
756
- blast_radius="high",
757
- files_changed=[
758
- FileChange(
759
- filename="handlers/api.py",
760
- patch="""@@ -20,1 +20,1 @@
761
- -def get_logs(page, limit): return db.logs.all()[page*limit:(page+1)*limit]
762
- +def get_logs(): return db.logs.all()""",
763
- additions=1, deletions=1
764
- )
765
- ],
766
- ground_truth_issues=[
767
- GroundTruthIssue(
768
- id="arch_006", category=Category.ARCHITECTURE, severity=Severity.MEDIUM,
769
- filename="handlers/api.py", line_number=20,
770
- description="Missing pagination on endpoint. Can cause memory exhaustion on large datasets.",
771
- keywords=["pagination", "limit", "offset", "memory", "unbounded", "cursor"],
772
- required_verdict=Verdict.REQUEST_CHANGES
773
- )
774
- ],
775
- hash="arch_006_h"
776
- ),
777
- Scenario(
778
- task_id=TaskId.ARCHITECTURAL_REVIEW,
779
- pr_title="upload-service: switch to synchronous file save for reliability",
780
- pr_description="Directly saving large file uploads to disk in request thread.",
781
- service_name="file-upload-service",
782
- affected_users=80000,
783
- service_criticality="medium",
784
- blast_radius="medium",
785
- files_changed=[
786
- FileChange(
787
- filename="upload_service.py",
788
- patch="""@@ -12,1 +12,1 @@
789
- - await background_save(file)
790
- + file.save('/tmp/large_file')""",
791
- additions=1, deletions=1
792
- )
793
- ],
794
- ground_truth_issues=[
795
- GroundTruthIssue(
796
- id="arch_007", category=Category.ARCHITECTURE, severity=Severity.MEDIUM,
797
- filename="upload_service.py", line_number=13,
798
- description="Synchronous file upload blocking the request thread. Use background tasks.",
799
- keywords=["async", "upload", "background task", "streaming", "thread", "non-blocking"],
800
- required_verdict=Verdict.REQUEST_CHANGES
801
- )
802
- ],
803
- hash="arch_007_h"
804
- ),
805
- Scenario(
806
- task_id=TaskId.ARCHITECTURAL_REVIEW,
807
- pr_title="checkout: apply payment by mutating user balance directly on request",
808
- pr_description="Update balance directly on payment request.",
809
- service_name="payment-service",
810
- affected_users=1000000,
811
- service_criticality="critical",
812
- blast_radius="critical",
813
- files_changed=[
814
- FileChange(
815
- filename="checkout.py",
816
- patch="""@@ -8,1 +8,1 @@
817
- - process_payment_with_idempotency(req)
818
- + user.balance -= req.amount""",
819
- additions=1, deletions=1
820
- )
821
- ],
822
- ground_truth_issues=[
823
- GroundTruthIssue(
824
- id="arch_008", category=Category.ARCHITECTURE, severity=Severity.HIGH,
825
- filename="checkout.py", line_number=8,
826
- description="Missing idempotency key on payment mutation endpoint. Dangerous on retries.",
827
- keywords=["idempotency", "duplicate", "payment", "retry", "key", "mutation"],
828
- required_verdict=Verdict.REQUEST_CHANGES
829
- )
830
- ],
831
- hash="arch_008_h"
832
- ),
833
- Scenario(
834
- task_id=TaskId.ARCHITECTURAL_REVIEW,
835
- pr_title="service-b: speed up sync by writing directly to service-a DB table",
836
- pr_description="Service B updates Service A's table directly for speed.",
837
- service_name="microservice-b",
838
- affected_users=150000,
839
- service_criticality="high",
840
- blast_radius="high",
841
- files_changed=[
842
- FileChange(
843
- filename="service_b/sync.py",
844
- patch="""@@ -22,1 +22,1 @@
845
- - send_event_to_service_a(data)
846
- + db.execute('UPDATE service_a_table SET x = 1')""",
847
- additions=1, deletions=1
848
- )
849
- ],
850
- ground_truth_issues=[
851
- GroundTruthIssue(
852
- id="arch_009", category=Category.ARCHITECTURE, severity=Severity.HIGH,
853
- filename="service_b/sync.py", line_number=23,
854
- description="Shared mutable state between microservices via direct DB write. Breaks encapsulation.",
855
- keywords=["shared state", "microservice", "event", "eventual consistency", "ownership", "coupling"],
856
- required_verdict=Verdict.REQUEST_CHANGES
857
- )
858
- ],
859
- hash="arch_009_h"
860
- ),
861
- Scenario(
862
- task_id=TaskId.ARCHITECTURAL_REVIEW,
863
- pr_title="finance-api: inline interest calculation in GET handler for speed",
864
- pr_description="Complex interest calculation directly in the GET endpoint.",
865
- service_name="finance-service",
866
- affected_users=250000,
867
- service_criticality="high",
868
- blast_radius="high",
869
- files_changed=[
870
- FileChange(
871
- filename="api/finance.py",
872
- patch="""@@ -15,1 +15,3 @@
873
- - return finance_service.calc_interest(u)
874
- + interest = u.balance * 0.05
875
- + if u.type == 'GOLD': interest += 10
876
- + return interest""",
877
- additions=3, deletions=1
878
- )
879
- ],
880
- ground_truth_issues=[
881
- GroundTruthIssue(
882
- id="arch_010", category=Category.ARCHITECTURE, severity=Severity.MEDIUM,
883
- filename="api/finance.py", line_number=16,
884
- description="Clean architecture violation: domain logic leaked into HTTP handler.",
885
- keywords=["clean architecture", "domain", "handler", "concern", "presentation", "business logic"],
886
- required_verdict=Verdict.REQUEST_CHANGES
887
- )
888
- ],
889
- hash="arch_010_h"
890
- )
891
- ]
892
-
893
-
894
- SCENARIOS = {
895
- TaskId.BUG_DETECTION: BUG_SCENARIOS,
896
- TaskId.SECURITY_AUDIT: SECURITY_SCENARIOS,
897
- TaskId.ARCHITECTURAL_REVIEW: ARCH_SCENARIOS,
898
- }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
codereview_env/scenarios.py ADDED
@@ -0,0 +1,1067 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ from codereview_env.models import Scenario, FileChanged, GroundTruthIssue, Category, Severity, TaskId, Verdict
2
+
3
+ def get_scenario(task_id: TaskId, seed: int) -> Scenario:
4
+ scenarios = [s for s in ALL_SCENARIOS if s.task_id == task_id]
5
+ if not scenarios:
6
+ raise ValueError(f"No scenarios found for task: {task_id}")
7
+ return scenarios[seed % len(scenarios)]
8
+
9
+ def all_scenarios() -> list[Scenario]:
10
+ return ALL_SCENARIOS
11
+
12
+ # --- BUG DETECTION SCENARIOS ---
13
+
14
+ bug_001 = Scenario(
15
+ task_id=TaskId.BUG_DETECTION,
16
+ pr_title="Add pagination to user list endpoint",
17
+ pr_description="Processing elements in the list but missing the last one due to range(len(x)-1).",
18
+ files_changed=[
19
+ FileChanged(
20
+ filename="api/users.py",
21
+ language="python",
22
+ patch="""--- a/api/users.py
23
+ +++ b/api/users.py
24
+ @@ -10,3 +10,3 @@
25
+ def get_users(page, size):
26
+ items = db.get_all_users()
27
+ - return items[page * size : (page + 1) * size]
28
+ + return items[page * size : page * size + size - 1]""",
29
+ additions=1,
30
+ deletions=1,
31
+ )
32
+ ],
33
+ ground_truth_issues=[
34
+ GroundTruthIssue(
35
+ id="bug_001",
36
+ category=Category.BUG,
37
+ severity=Severity.MEDIUM,
38
+ filename="api/users.py",
39
+ line_number=12,
40
+ description="Off-by-one error in pagination slice loses last item per page",
41
+ keywords=["off-by-one", "pagination"]
42
+ )
43
+ ],
44
+ hash="bug_001",
45
+ difficulty="easy"
46
+ )
47
+
48
+ bug_002 = Scenario(
49
+ task_id=TaskId.BUG_DETECTION,
50
+ pr_title="Refactor user profile builder",
51
+ pr_description="New helper to fetch data with a default empty list for items.",
52
+ files_changed=[
53
+ FileChanged(
54
+ filename="models/profile.py",
55
+ language="python",
56
+ patch="""--- a/models/profile.py
57
+ +++ b/models/profile.py
58
+ @@ -3,3 +3,5 @@
59
+ -def build_profile(name, tags=None):
60
+ - tags = tags or []
61
+ +def build_profile(name, tags=[]):
62
+ + tags.append("user")
63
+ + return {"name": name, "tags": tags}""",
64
+ additions=3,
65
+ deletions=2,
66
+ )
67
+ ],
68
+ ground_truth_issues=[
69
+ GroundTruthIssue(
70
+ id="bug_002",
71
+ category=Category.BUG,
72
+ severity=Severity.MEDIUM,
73
+ filename="models/profile.py",
74
+ line_number=5,
75
+ description="Mutable default argument causes state leakage between calls",
76
+ keywords=["mutable", "default"]
77
+ )
78
+ ],
79
+ hash="bug_002",
80
+ difficulty="easy"
81
+ )
82
+
83
+ bug_003 = Scenario(
84
+ task_id=TaskId.BUG_DETECTION,
85
+ pr_title="Add session-based auth check",
86
+ pr_description="Lookup user by ID and access properties without guard.",
87
+ files_changed=[
88
+ FileChanged(
89
+ filename="auth.py",
90
+ language="python",
91
+ patch="""--- a/auth.py
92
+ +++ b/auth.py
93
+ @@ -14,3 +14,3 @@
94
+ def check_auth(session_id):
95
+ user = get_user(session_id)
96
+ - if user and user.is_active:
97
+ + return user.is_admin""",
98
+ additions=1,
99
+ deletions=1,
100
+ )
101
+ ],
102
+ ground_truth_issues=[
103
+ GroundTruthIssue(
104
+ id="bug_003",
105
+ category=Category.BUG,
106
+ severity=Severity.HIGH,
107
+ filename="auth.py",
108
+ line_number=16,
109
+ description="None dereference β€” get_user can return None, user.is_admin will crash",
110
+ keywords=["None", "dereference"]
111
+ )
112
+ ],
113
+ hash="bug_003",
114
+ difficulty="medium"
115
+ )
116
+
117
+ bug_004 = Scenario(
118
+ task_id=TaskId.BUG_DETECTION,
119
+ pr_title="Add global request counter",
120
+ pr_description="Parallel threads updating shared cache without locking.",
121
+ files_changed=[
122
+ FileChanged(
123
+ filename="middleware/counter.py",
124
+ language="python",
125
+ patch="""--- a/middleware/counter.py
126
+ +++ b/middleware/counter.py
127
+ @@ -5,3 +5,3 @@
128
+ -def increment():
129
+ - with lock:
130
+ - global count
131
+ - count += 1
132
+ +def increment():
133
+ + global count
134
+ + count += 1""",
135
+ additions=2,
136
+ deletions=3,
137
+ )
138
+ ],
139
+ ground_truth_issues=[
140
+ GroundTruthIssue(
141
+ id="bug_004",
142
+ category=Category.BUG,
143
+ severity=Severity.HIGH,
144
+ filename="middleware/counter.py",
145
+ line_number=7,
146
+ description="Race condition in counter update: multiple threads may overwrite each other's increments.",
147
+ keywords=["race condition", "thread"]
148
+ )
149
+ ],
150
+ hash="bug_004",
151
+ difficulty="hard"
152
+ )
153
+
154
+ bug_005 = Scenario(
155
+ task_id=TaskId.BUG_DETECTION,
156
+ pr_title="Handle DB connection errors",
157
+ pr_description="Swallow all errors during data import.",
158
+ files_changed=[
159
+ FileChanged(
160
+ filename="db/connection.py",
161
+ language="python",
162
+ patch="""--- a/db/connection.py
163
+ +++ b/db/connection.py
164
+ @@ -8,3 +8,3 @@
165
+ - except psycopg2.OperationalError:
166
+ - log.error("DB down")
167
+ + except Exception:
168
+ + pass""",
169
+ additions=2,
170
+ deletions=2,
171
+ )
172
+ ],
173
+ ground_truth_issues=[
174
+ GroundTruthIssue(
175
+ id="bug_005",
176
+ category=Category.BUG,
177
+ severity=Severity.MEDIUM,
178
+ filename="db/connection.py",
179
+ line_number=9,
180
+ description="Broad exception catch-all suppresses real errors and hides bugs.",
181
+ keywords=["broad exception", "catch"]
182
+ )
183
+ ],
184
+ hash="bug_005",
185
+ difficulty="medium"
186
+ )
187
+
188
+ bug_006 = Scenario(
189
+ task_id=TaskId.BUG_DETECTION,
190
+ pr_title="Add score percentage calculator",
191
+ pr_description="Integer division result truncated.",
192
+ files_changed=[
193
+ FileChanged(
194
+ filename="scoring/calc.py",
195
+ language="python",
196
+ patch="""--- a/scoring/calc.py
197
+ +++ b/scoring/calc.py
198
+ @@ -4,3 +4,3 @@
199
+ def get_percentage(score, total):
200
+ - return (score / total) * 100
201
+ + return score / total""",
202
+ additions=1,
203
+ deletions=1,
204
+ )
205
+ ],
206
+ ground_truth_issues=[
207
+ GroundTruthIssue(
208
+ id="bug_006",
209
+ category=Category.BUG,
210
+ severity=Severity.LOW,
211
+ filename="scoring/calc.py",
212
+ line_number=5,
213
+ description="Integer division truncation or missing multiplier in percentage calculation",
214
+ keywords=["division", "truncat"]
215
+ )
216
+ ],
217
+ hash="bug_006",
218
+ difficulty="medium"
219
+ )
220
+
221
+ bug_007 = Scenario(
222
+ task_id=TaskId.BUG_DETECTION,
223
+ pr_title="Simplify status checker",
224
+ pr_description="Unreachable code after return.",
225
+ files_changed=[
226
+ FileChanged(
227
+ filename="utils/status.py",
228
+ language="python",
229
+ patch="""--- a/utils/status.py
230
+ +++ b/utils/status.py
231
+ @@ -5,5 +5,3 @@
232
+ def is_active(user):
233
+ - if user.deleted:
234
+ - return False
235
+ - return user.active
236
+ + return True
237
+ + log.info("Checked user status")""",
238
+ additions=2,
239
+ deletions=3,
240
+ )
241
+ ],
242
+ ground_truth_issues=[
243
+ GroundTruthIssue(
244
+ id="bug_007",
245
+ category=Category.BUG,
246
+ severity=Severity.LOW,
247
+ filename="utils/status.py",
248
+ line_number=8,
249
+ description="Unreachable code after return statement",
250
+ keywords=["unreachable", "dead code"]
251
+ )
252
+ ],
253
+ hash="bug_007",
254
+ difficulty="medium"
255
+ )
256
+
257
+ bug_008 = Scenario(
258
+ task_id=TaskId.BUG_DETECTION,
259
+ pr_title="Parse webhook payload",
260
+ pr_description="Dict key assumed present β€” will KeyError if user absent.",
261
+ files_changed=[
262
+ FileChanged(
263
+ filename="webhooks/parser.py",
264
+ language="python",
265
+ patch="""--- a/webhooks/parser.py
266
+ +++ b/webhooks/parser.py
267
+ @@ -12,2 +12,2 @@
268
+ def parse_event(data):
269
+ - email = data.get("user", {}).get("email")
270
+ + email = data["user"]["email"]""",
271
+ additions=1,
272
+ deletions=1,
273
+ )
274
+ ],
275
+ ground_truth_issues=[
276
+ GroundTruthIssue(
277
+ id="bug_008",
278
+ category=Category.BUG,
279
+ severity=Severity.HIGH,
280
+ filename="webhooks/parser.py",
281
+ line_number=13,
282
+ description="Unsafe dictionary access will raise KeyError if 'user' or 'email' keys are missing",
283
+ keywords=["KeyError", "dict"]
284
+ )
285
+ ],
286
+ hash="bug_008",
287
+ difficulty="medium"
288
+ )
289
+
290
+ bug_009 = Scenario(
291
+ task_id=TaskId.BUG_DETECTION,
292
+ pr_title="Add balance check to payment flow",
293
+ pr_description="Check if sensor reading is exactly 0.0.",
294
+ files_changed=[
295
+ FileChanged(
296
+ filename="payments/validator.py",
297
+ language="python",
298
+ patch="""--- a/payments/validator.py
299
+ +++ b/payments/validator.py
300
+ @@ -7,3 +7,3 @@
301
+ def validate_tx(balance, amount):
302
+ - if balance < 0.01:
303
+ + if balance == 0.0:
304
+ return False""",
305
+ additions=1,
306
+ deletions=1,
307
+ )
308
+ ],
309
+ ground_truth_issues=[
310
+ GroundTruthIssue(
311
+ id="bug_009",
312
+ category=Category.BUG,
313
+ severity=Severity.MEDIUM,
314
+ filename="payments/validator.py",
315
+ line_number=8,
316
+ description="Floating point equality comparison is unreliable due to precision issues",
317
+ keywords=["float", "comparison"]
318
+ )
319
+ ],
320
+ hash="bug_009",
321
+ difficulty="medium"
322
+ )
323
+
324
+ bug_010 = Scenario(
325
+ task_id=TaskId.BUG_DETECTION,
326
+ pr_title="Clone user config before mutation",
327
+ pr_description="Shallow copy treated as deep copy β€” affects original.",
328
+ files_changed=[
329
+ FileChanged(
330
+ filename="config/user_config.py",
331
+ language="python",
332
+ patch="""--- a/config/user_config.py
333
+ +++ b/config/user_config.py
334
+ @@ -10,3 +10,3 @@
335
+ def update_config(original):
336
+ - import copy
337
+ - cfg = copy.deepcopy(original)
338
+ + cfg = original.copy()
339
+ + cfg["settings"]["theme"] = "dark" """,
340
+ additions=2,
341
+ deletions=2,
342
+ )
343
+ ],
344
+ ground_truth_issues=[
345
+ GroundTruthIssue(
346
+ id="bug_010",
347
+ category=Category.BUG,
348
+ severity=Severity.MEDIUM,
349
+ filename="config/user_config.py",
350
+ line_number=11,
351
+ description="Shallow copy used for nested dictionary mutation; will modify the original object",
352
+ keywords=["shallow copy", "deep copy"]
353
+ )
354
+ ],
355
+ hash="bug_010",
356
+ difficulty="medium"
357
+ )
358
+
359
+ # --- SECURITY AUDIT SCENARIOS ---
360
+
361
+ sec_001 = Scenario(
362
+ task_id=TaskId.SECURITY_AUDIT,
363
+ pr_title="Add user search endpoint",
364
+ pr_description="Bypassing ORM for a raw SQL query.",
365
+ files_changed=[
366
+ FileChanged(
367
+ filename="api/search.py",
368
+ language="python",
369
+ patch="""--- a/api/search.py
370
+ +++ b/api/search.py
371
+ @@ -15,3 +15,3 @@
372
+ def find_user(name):
373
+ - return db.users.filter(name=name).first()
374
+ + query = f"SELECT * FROM users WHERE name = '{name}'"
375
+ + return db.execute_raw(query)""",
376
+ additions=2,
377
+ deletions=1,
378
+ )
379
+ ],
380
+ ground_truth_issues=[
381
+ GroundTruthIssue(
382
+ id="sec_001",
383
+ category=Category.SECURITY,
384
+ severity=Severity.CRITICAL,
385
+ filename="api/search.py",
386
+ line_number=16,
387
+ description="SQL injection vulnerability via f-string in raw query. Use parameterized queries.",
388
+ keywords=["SQL injection", "injection"]
389
+ )
390
+ ],
391
+ hash="sec_001",
392
+ difficulty="hard"
393
+ )
394
+
395
+ sec_002 = Scenario(
396
+ task_id=TaskId.SECURITY_AUDIT,
397
+ pr_title="Add Stripe webhook handler",
398
+ pr_description="Hardcoded secret key in configuration.",
399
+ files_changed=[
400
+ FileChanged(
401
+ filename="payments/webhook.py",
402
+ language="python",
403
+ patch="""--- a/payments/webhook.py
404
+ +++ b/payments/webhook.py
405
+ @@ -5,1 +5,1 @@
406
+ -stripe_secret = os.getenv("STRIPE_SECRET")
407
+ +SECRET_KEY = "sk_live_abc123XYZ" """,
408
+ additions=1,
409
+ deletions=1,
410
+ )
411
+ ],
412
+ ground_truth_issues=[
413
+ GroundTruthIssue(
414
+ id="sec_002",
415
+ category=Category.SECURITY,
416
+ severity=Severity.CRITICAL,
417
+ filename="payments/webhook.py",
418
+ line_number=5,
419
+ description="Hardcoded sensitive credentials in source code",
420
+ keywords=["hardcoded", "secret"]
421
+ )
422
+ ],
423
+ hash="sec_002",
424
+ difficulty="easy"
425
+ )
426
+
427
+ sec_003 = Scenario(
428
+ task_id=TaskId.SECURITY_AUDIT,
429
+ pr_title="Add file download endpoint",
430
+ pr_description="New endpoint to read local audit logs based on path (no sanitization).",
431
+ files_changed=[
432
+ FileChanged(
433
+ filename="api/files.py",
434
+ language="python",
435
+ patch="""--- a/api/files.py
436
+ +++ b/api/files.py
437
+ @@ -10,3 +10,3 @@
438
+ def download_file(user_input):
439
+ - safe_path = os.path.join(BASE_DIR, os.path.basename(user_input))
440
+ - return open(safe_path, "rb").read()
441
+ + filepath = BASE_DIR + "/" + user_input
442
+ + return open(filepath, "rb").read()""",
443
+ additions=2,
444
+ deletions=2,
445
+ )
446
+ ],
447
+ ground_truth_issues=[
448
+ GroundTruthIssue(
449
+ id="sec_003",
450
+ category=Category.SECURITY,
451
+ severity=Severity.HIGH,
452
+ filename="api/files.py",
453
+ line_number=11,
454
+ description="Path traversal vulnerability: user input is directly concatenated to the base path",
455
+ keywords=["path traversal", "directory traversal"]
456
+ )
457
+ ],
458
+ hash="sec_003",
459
+ difficulty="medium"
460
+ )
461
+
462
+ sec_004 = Scenario(
463
+ task_id=TaskId.SECURITY_AUDIT,
464
+ pr_title="Add system ping utility",
465
+ pr_description="Command injection using os.system with user input.",
466
+ files_changed=[
467
+ FileChanged(
468
+ filename="utils/network.py",
469
+ language="python",
470
+ patch="""--- a/utils/network.py
471
+ +++ b/utils/network.py
472
+ @@ -8,3 +8,3 @@
473
+ def ping_host(host):
474
+ - import subprocess
475
+ - return subprocess.run(["ping", "-c", "1", host])
476
+ + import os
477
+ + os.system(f"ping -c 1 {host}")""",
478
+ additions=2,
479
+ deletions=2,
480
+ )
481
+ ],
482
+ ground_truth_issues=[
483
+ GroundTruthIssue(
484
+ id="sec_004",
485
+ category=Category.SECURITY,
486
+ severity=Severity.CRITICAL,
487
+ filename="utils/network.py",
488
+ line_number=10,
489
+ description="Command injection vulnerability via os.system and shell formatting",
490
+ keywords=["command injection", "os.system"]
491
+ )
492
+ ],
493
+ hash="sec_004",
494
+ difficulty="medium"
495
+ )
496
+
497
+ sec_005 = Scenario(
498
+ task_id=TaskId.SECURITY_AUDIT,
499
+ pr_title="Add session state caching",
500
+ pr_description="Faster state loading by using pickle format for internal caches.",
501
+ files_changed=[
502
+ FileChanged(
503
+ filename="cache/session.py",
504
+ language="python",
505
+ patch="""--- a/cache/session.py
506
+ +++ b/cache/session.py
507
+ @@ -10,3 +10,3 @@
508
+ def get_session(key):
509
+ - data = redis.get(key)
510
+ - return json.loads(data)
511
+ + import pickle
512
+ + return pickle.loads(redis.get(key))""",
513
+ additions=2,
514
+ deletions=2,
515
+ )
516
+ ],
517
+ ground_truth_issues=[
518
+ GroundTruthIssue(
519
+ id="sec_005",
520
+ category=Category.SECURITY,
521
+ severity=Severity.HIGH,
522
+ filename="cache/session.py",
523
+ line_number=12,
524
+ description="Insecure deserialization using pickle leads to Arbitrary Code Execution (RCE)",
525
+ keywords=["pickle", "deserialization"]
526
+ )
527
+ ],
528
+ hash="sec_005",
529
+ difficulty="medium"
530
+ )
531
+
532
+ sec_006 = Scenario(
533
+ task_id=TaskId.SECURITY_AUDIT,
534
+ pr_title="Add JWT decode helper",
535
+ pr_description="Allow bypassing JWT checks for faster local development loop.",
536
+ files_changed=[
537
+ FileChanged(
538
+ filename="auth/jwt_helper.py",
539
+ language="python",
540
+ patch="""--- a/auth/jwt_helper.py
541
+ +++ b/auth/jwt_helper.py
542
+ @@ -15,3 +15,3 @@
543
+ def decode_token(token):
544
+ - return jwt.decode(token, SECRET, algorithms=["HS256"])
545
+ + return jwt.decode(token, options={"verify_signature": False})""",
546
+ additions=1,
547
+ deletions=1,
548
+ )
549
+ ],
550
+ ground_truth_issues=[
551
+ GroundTruthIssue(
552
+ id="sec_006",
553
+ category=Category.SECURITY,
554
+ severity=Severity.CRITICAL,
555
+ filename="auth/jwt_helper.py",
556
+ line_number=16,
557
+ description="JWT decoded without signature verification; attackers can forge any account",
558
+ keywords=["JWT", "signature"]
559
+ )
560
+ ],
561
+ hash="sec_006",
562
+ difficulty="hard"
563
+ )
564
+
565
+ sec_007 = Scenario(
566
+ task_id=TaskId.SECURITY_AUDIT,
567
+ pr_title="Add login redirect",
568
+ pr_description="Allow all origins for login redirect.",
569
+ files_changed=[
570
+ FileChanged(
571
+ filename="views/auth.py",
572
+ language="python",
573
+ patch="""--- a/views/auth.py
574
+ +++ b/views/auth.py
575
+ @@ -20,3 +20,3 @@
576
+ def login_complete(request):
577
+ - next_url = validate_internal_url(request.args.get("next"))
578
+ - return redirect(next_url or "/dashboard")
579
+ + return redirect(request.args.get("next"))""",
580
+ additions=1,
581
+ deletions=2,
582
+ )
583
+ ],
584
+ ground_truth_issues=[
585
+ GroundTruthIssue(
586
+ id="sec_007",
587
+ category=Category.SECURITY,
588
+ severity=Severity.MEDIUM,
589
+ filename="views/auth.py",
590
+ line_number=21,
591
+ description="Open redirect vulnerability allows attackers to phish users",
592
+ keywords=["open redirect", "redirect"]
593
+ )
594
+ ],
595
+ hash="sec_007",
596
+ difficulty="medium"
597
+ )
598
+
599
+ sec_008 = Scenario(
600
+ task_id=TaskId.SECURITY_AUDIT,
601
+ pr_title="Update app configuration",
602
+ pr_description="DEBUG mode enabled in production settings.",
603
+ files_changed=[
604
+ FileChanged(
605
+ filename="config/settings.py",
606
+ language="python",
607
+ patch="""--- a/config/settings.py
608
+ +++ b/config/settings.py
609
+ @@ -35,3 +35,4 @@
610
+ -# Production settings
611
+ -DEBUG = False
612
+ -TESTING = False
613
+ +# Debug settings for prod troubleshooting
614
+ +DEBUG = True
615
+ +TESTING = True""",
616
+ additions=3,
617
+ deletions=3,
618
+ )
619
+ ],
620
+ ground_truth_issues=[
621
+ GroundTruthIssue(
622
+ id="sec_008",
623
+ category=Category.SECURITY,
624
+ severity=Severity.HIGH,
625
+ filename="config/settings.py",
626
+ line_number=37,
627
+ description="DEBUG mode enabled in production settings discloses system secrets",
628
+ keywords=["debug", "production"]
629
+ )
630
+ ],
631
+ hash="sec_008",
632
+ difficulty="easy"
633
+ )
634
+
635
+ sec_009 = Scenario(
636
+ task_id=TaskId.SECURITY_AUDIT,
637
+ pr_title="Enable CORS for frontend",
638
+ pr_description="Resolving frontend browser errors by allowing all origins.",
639
+ files_changed=[
640
+ FileChanged(
641
+ filename="app.py",
642
+ language="python",
643
+ patch="""--- a/app.py
644
+ +++ b/app.py
645
+ @@ -55,3 +55,3 @@
646
+ app.add_middleware(CORSMiddleware,
647
+ - allow_origins=["https://secure.app.com"],
648
+ + allow_origins=["*"],
649
+ allow_credentials=True)""",
650
+ additions=1,
651
+ deletions=1,
652
+ )
653
+ ],
654
+ ground_truth_issues=[
655
+ GroundTruthIssue(
656
+ id="sec_009",
657
+ category=Category.SECURITY,
658
+ severity=Severity.MEDIUM,
659
+ filename="app.py",
660
+ line_number=56,
661
+ description="Sensitive CORS policy with wildcard (*) allows data theft via CSRF",
662
+ keywords=["CORS", "wildcard"]
663
+ )
664
+ ],
665
+ hash="sec_009",
666
+ difficulty="medium"
667
+ )
668
+
669
+ sec_010 = Scenario(
670
+ task_id=TaskId.SECURITY_AUDIT,
671
+ pr_title="Add admin password check",
672
+ pr_description="Faster password check by using native equality.",
673
+ files_changed=[
674
+ FileChanged(
675
+ filename="admin/auth.py",
676
+ language="python",
677
+ patch="""--- a/admin/auth.py
678
+ +++ b/admin/auth.py
679
+ @@ -10,3 +10,3 @@
680
+ def verify_admin(provided_password):
681
+ - import secrets
682
+ - return secrets.compare_digest(ADMIN_PASS, provided_password)
683
+ + return ADMIN_PASS == provided_password""",
684
+ additions=1,
685
+ deletions=2,
686
+ )
687
+ ],
688
+ ground_truth_issues=[
689
+ GroundTruthIssue(
690
+ id="sec_010",
691
+ category=Category.SECURITY,
692
+ severity=Severity.HIGH,
693
+ filename="admin/auth.py",
694
+ line_number=11,
695
+ description="Timing attack vulnerability in password comparison; use secrets.compare_digest",
696
+ keywords=["timing attack", "constant time"]
697
+ )
698
+ ],
699
+ hash="sec_010",
700
+ difficulty="medium"
701
+ )
702
+
703
+ # --- ARCHITECTURAL REVIEW SCENARIOS ---
704
+
705
+ arch_001 = Scenario(
706
+ task_id=TaskId.ARCHITECTURAL_REVIEW,
707
+ pr_title="Add UserManager service",
708
+ pr_description="A 200-line class that handles auth, email sending, billing, and profile.",
709
+ files_changed=[
710
+ FileChanged(
711
+ filename="services/user_manager.py",
712
+ language="python",
713
+ patch="""--- a/services/user_manager.py
714
+ +++ b/services/user_manager.py
715
+ @@ -1,5 +1,10 @@
716
+ -class UserAuth: pass
717
+ -class UserBilling: pass
718
+ -class UserEmail: pass
719
+ +class UserManager:
720
+ + def authenticate(self, user): pass
721
+ + def process_payment(self, amount): pass
722
+ + def send_welcome_email(self, email): pass
723
+ + def update_profile_picture(self, img): pass
724
+ + def sync_to_marketing_tool(self): pass""",
725
+ additions=6,
726
+ deletions=3,
727
+ )
728
+ ],
729
+ ground_truth_issues=[
730
+ GroundTruthIssue(
731
+ id="arch_001",
732
+ category=Category.ARCHITECTURE,
733
+ severity=Severity.HIGH,
734
+ filename="services/user_manager.py",
735
+ line_number=2,
736
+ description="God class violation: UserManager handles multiple unrelated domains (auth, billing, email)",
737
+ keywords=["single responsibility", "god class"],
738
+ required_verdict=Verdict.REQUEST_CHANGES
739
+ )
740
+ ],
741
+ hash="arch_001",
742
+ difficulty="medium"
743
+ )
744
+
745
+ arch_002 = Scenario(
746
+ task_id=TaskId.ARCHITECTURAL_REVIEW,
747
+ pr_title="Add order details endpoint",
748
+ pr_description="Fetching order items inside a loop (N+1 query).",
749
+ files_changed=[
750
+ FileChanged(
751
+ filename="api/orders.py",
752
+ language="python",
753
+ patch="""--- a/api/orders.py
754
+ +++ b/api/orders.py
755
+ @@ -25,3 +25,4 @@
756
+ def get_order_history(user_id):
757
+ - return db.query(Order).options(joinedload(Order.items)).all()
758
+ + orders = db.query(Order).filter_by(user_id=user_id).all()
759
+ + for o in orders:
760
+ + o.items = db.query(Item).filter_by(order_id=o.id).all()
761
+ + return orders""",
762
+ additions=3,
763
+ deletions=1,
764
+ )
765
+ ],
766
+ ground_truth_issues=[
767
+ GroundTruthIssue(
768
+ id="arch_002",
769
+ category=Category.ARCHITECTURE,
770
+ severity=Severity.HIGH,
771
+ filename="api/orders.py",
772
+ line_number=27,
773
+ description="N+1 query pattern: fetching items in a loop will cause DB performance collapse",
774
+ keywords=["N+1", "query"],
775
+ required_verdict=Verdict.REQUEST_CHANGES
776
+ )
777
+ ],
778
+ hash="arch_002",
779
+ difficulty="hard"
780
+ )
781
+
782
+ arch_003 = Scenario(
783
+ task_id=TaskId.ARCHITECTURAL_REVIEW,
784
+ pr_title="Add notification system",
785
+ pr_description="Tight coupling via hardwired SendGrid import.",
786
+ files_changed=[
787
+ FileChanged(
788
+ filename="services/notifier.py",
789
+ language="python",
790
+ patch="""--- a/services/notifier.py
791
+ +++ b/services/notifier.py
792
+ @@ -1,3 +1,3 @@
793
+ -from services.interfaces import MailProvider
794
+ +from integrations.sendgrid import send_email
795
+
796
+ -def notify(user, provider: MailProvider):
797
+ - provider.send(user.email)
798
+ +def notify(user):
799
+ + send_email(user.email)""",
800
+ additions=3,
801
+ deletions=3,
802
+ )
803
+ ],
804
+ ground_truth_issues=[
805
+ GroundTruthIssue(
806
+ id="arch_003",
807
+ category=Category.ARCHITECTURE,
808
+ severity=Severity.MEDIUM,
809
+ filename="services/notifier.py",
810
+ line_number=2,
811
+ description="Tight coupling: service depends on concrete implementation instead of abstraction",
812
+ keywords=["tight coupling", "dependency injection"],
813
+ required_verdict=Verdict.NEEDS_DISCUSSION
814
+ )
815
+ ],
816
+ hash="arch_003",
817
+ difficulty="medium"
818
+ )
819
+
820
+ arch_004 = Scenario(
821
+ task_id=TaskId.ARCHITECTURAL_REVIEW,
822
+ pr_title="Add external price fetch to checkout",
823
+ pr_description="Synchronous blocking call inside async checkout handler.",
824
+ files_changed=[
825
+ FileChanged(
826
+ filename="checkout/handler.py",
827
+ language="python",
828
+ patch="""--- a/checkout/handler.py
829
+ +++ b/checkout/handler.py
830
+ @@ -10,3 +10,4 @@
831
+ async def checkout(cart):
832
+ - async with aiohttp.ClientSession() as s:
833
+ - price = await s.get(PRICE_API)
834
+ + import requests
835
+ + price = requests.get(PRICE_API)
836
+ + return process_order(price)""",
837
+ additions=2,
838
+ deletions=2,
839
+ )
840
+ ],
841
+ ground_truth_issues=[
842
+ GroundTruthIssue(
843
+ id="arch_004",
844
+ category=Category.ARCHITECTURE,
845
+ severity=Severity.HIGH,
846
+ filename="checkout/handler.py",
847
+ line_number=12,
848
+ description="Blocking HTTP call inside async function will stall the entire event loop",
849
+ keywords=["blocking", "async"],
850
+ required_verdict=Verdict.REQUEST_CHANGES
851
+ )
852
+ ],
853
+ hash="arch_004",
854
+ difficulty="medium"
855
+ )
856
+
857
+ arch_005 = Scenario(
858
+ task_id=TaskId.ARCHITECTURAL_REVIEW,
859
+ pr_title="Integrate weather API",
860
+ pr_description="Missing retry/resilience on external call.",
861
+ files_changed=[
862
+ FileChanged(
863
+ filename="services/weather.py",
864
+ language="python",
865
+ patch="""--- a/services/weather.py
866
+ +++ b/services/weather.py
867
+ @@ -5,3 +5,3 @@
868
+ def get_temp(city):
869
+ - return circuit_breaker.call(WEATHER_URL, timeout=2)
870
+ + return requests.get(WEATHER_URL).json()""",
871
+ additions=1,
872
+ deletions=1,
873
+ )
874
+ ],
875
+ ground_truth_issues=[
876
+ GroundTruthIssue(
877
+ id="arch_005",
878
+ category=Category.ARCHITECTURE,
879
+ severity=Severity.MEDIUM,
880
+ filename="services/weather.py",
881
+ line_number=6,
882
+ description="Missing resilience (retry, timeout, circuit breaker) on external API dependency",
883
+ keywords=["retry", "resilience"],
884
+ required_verdict=Verdict.NEEDS_DISCUSSION
885
+ )
886
+ ],
887
+ hash="arch_005",
888
+ difficulty="medium"
889
+ )
890
+
891
+ arch_006 = Scenario(
892
+ task_id=TaskId.ARCHITECTURAL_REVIEW,
893
+ pr_title="Refactor model relationships",
894
+ pr_description="Circular import between User and Order models.",
895
+ files_changed=[
896
+ FileChanged(
897
+ filename="models/order.py",
898
+ language="python",
899
+ patch="""--- a/models/order.py
900
+ +++ b/models/order.py
901
+ @@ -1,1 +1,2 @@
902
+ +from models.user import User
903
+ class Order(BaseModel):
904
+ - user_id: int
905
+ + user: User""",
906
+ additions=2,
907
+ deletions=1,
908
+ )
909
+ ],
910
+ ground_truth_issues=[
911
+ GroundTruthIssue(
912
+ id="arch_006",
913
+ category=Category.ARCHITECTURE,
914
+ severity=Severity.MEDIUM,
915
+ filename="models/order.py",
916
+ line_number=1,
917
+ description="Circular dependency risk: order depends on user while user likely imports order",
918
+ keywords=["circular import", "circular dependency"],
919
+ required_verdict=Verdict.REQUEST_CHANGES
920
+ )
921
+ ],
922
+ hash="arch_006",
923
+ difficulty="hard"
924
+ )
925
+
926
+ arch_007 = Scenario(
927
+ task_id=TaskId.ARCHITECTURAL_REVIEW,
928
+ pr_title="Add all-products endpoint",
929
+ pr_description="Missing pagination on unbounded list endpoint.",
930
+ files_changed=[
931
+ FileChanged(
932
+ filename="api/products.py",
933
+ language="python",
934
+ patch="""--- a/api/products.py
935
+ +++ b/api/products.py
936
+ @@ -10,3 +10,3 @@
937
+ def list_products():
938
+ - return db.query(Product).limit(50).all()
939
+ + return db.query(Product).all()""",
940
+ additions=1,
941
+ deletions=1,
942
+ )
943
+ ],
944
+ ground_truth_issues=[
945
+ GroundTruthIssue(
946
+ id="arch_007",
947
+ category=Category.ARCHITECTURE,
948
+ severity=Severity.HIGH,
949
+ filename="api/products.py",
950
+ line_number=11,
951
+ description="Missing pagination on list endpoint will lead to memory exhaustion",
952
+ keywords=["pagination", "limit"],
953
+ required_verdict=Verdict.REQUEST_CHANGES
954
+ )
955
+ ],
956
+ hash="arch_007",
957
+ difficulty="medium"
958
+ )
959
+
960
+ arch_008 = Scenario(
961
+ task_id=TaskId.ARCHITECTURAL_REVIEW,
962
+ pr_title="Document the payment integration",
963
+ pr_description="Sensitive API key included in documentation comment.",
964
+ files_changed=[
965
+ FileChanged(
966
+ filename="docs/payment_notes.py",
967
+ language="python",
968
+ patch="""--- a/docs/payment_notes.py
969
+ +++ b/docs/payment_notes.py
970
+ @@ -1,2 +1,3 @@
971
+ # Payment integration notes
972
+ +# Use API key: pk_test_abc123 for testing
973
+ def init(): pass""",
974
+ additions=1,
975
+ deletions=0,
976
+ )
977
+ ],
978
+ ground_truth_issues=[
979
+ GroundTruthIssue(
980
+ id="arch_008",
981
+ category=Category.ARCHITECTURE,
982
+ severity=Severity.MEDIUM,
983
+ filename="docs/payment_notes.py",
984
+ line_number=2,
985
+ description="Secret leaked in code comment; should be in environment variables only",
986
+ keywords=["secret", "comment"],
987
+ required_verdict=Verdict.NEEDS_DISCUSSION
988
+ )
989
+ ],
990
+ hash="arch_008",
991
+ difficulty="medium"
992
+ )
993
+
994
+ arch_009 = Scenario(
995
+ task_id=TaskId.ARCHITECTURAL_REVIEW,
996
+ pr_title="Add detailed auth logging",
997
+ pr_description="Logging sensitive user password in cleartext.",
998
+ files_changed=[
999
+ FileChanged(
1000
+ filename="auth/logger.py",
1001
+ language="python",
1002
+ patch="""--- a/auth/logger.py
1003
+ +++ b/auth/logger.py
1004
+ @@ -5,3 +5,3 @@
1005
+ def log_login(email, password):
1006
+ - logger.info(f"Attempt for {email}")
1007
+ + logger.info(f"Login attempt: user={email} password={password}")""",
1008
+ additions=1,
1009
+ deletions=1,
1010
+ )
1011
+ ],
1012
+ ground_truth_issues=[
1013
+ GroundTruthIssue(
1014
+ id="arch_009",
1015
+ category=Category.ARCHITECTURE,
1016
+ severity=Severity.HIGH,
1017
+ filename="auth/logger.py",
1018
+ line_number=6,
1019
+ description="PII/Security Leak: logging plain-text passwords violates security policy",
1020
+ keywords=["sensitive", "log"],
1021
+ required_verdict=Verdict.REQUEST_CHANGES
1022
+ )
1023
+ ],
1024
+ hash="arch_009",
1025
+ difficulty="medium"
1026
+ )
1027
+
1028
+ arch_010 = Scenario(
1029
+ task_id=TaskId.ARCHITECTURAL_REVIEW,
1030
+ pr_title="Set up database connection",
1031
+ pr_description="Hardcoded DB connection string with credentials.",
1032
+ files_changed=[
1033
+ FileChanged(
1034
+ filename="db/setup.py",
1035
+ language="python",
1036
+ patch="""--- a/db/setup.py
1037
+ +++ b/db/setup.py
1038
+ @@ -5,3 +5,3 @@
1039
+ def connect():
1040
+ - url = os.environ.get("DATABASE_URL")
1041
+ + url = "postgresql://admin:password123@localhost:5432/mydb"
1042
+ return create_engine(url)""",
1043
+ additions=1,
1044
+ deletions=1,
1045
+ )
1046
+ ],
1047
+ ground_truth_issues=[
1048
+ GroundTruthIssue(
1049
+ id="arch_010",
1050
+ category=Category.ARCHITECTURE,
1051
+ severity=Severity.HIGH,
1052
+ filename="db/setup.py",
1053
+ line_number=6,
1054
+ description="Hardcoded environment configuration and credentials",
1055
+ keywords=["hardcoded", "configuration"],
1056
+ required_verdict=Verdict.REQUEST_CHANGES
1057
+ )
1058
+ ],
1059
+ hash="arch_010",
1060
+ difficulty="medium"
1061
+ )
1062
+
1063
+ ALL_SCENARIOS = [
1064
+ bug_001, bug_003, bug_002, bug_004, bug_005, bug_006, bug_007, bug_008, bug_009, bug_010,
1065
+ sec_001, sec_002, sec_003, sec_004, sec_005, sec_006, sec_007, sec_008, sec_009, sec_010,
1066
+ arch_001, arch_002, arch_003, arch_004, arch_005, arch_006, arch_007, arch_008, arch_009, arch_010
1067
+ ]
tests/test_env.py CHANGED
@@ -1,7 +1,7 @@
1
  import pytest
2
  from codereview_env.env import CodeReviewEnv
3
  from codereview_env.models import (
4
- TaskId, Action, ActionType, Category, Severity, Verdict, StateResult
5
  )
6
 
7
 
@@ -23,10 +23,8 @@ def test_env_reset_populates_blast_radius():
23
  env = CodeReviewEnv()
24
  res = env.reset(TaskId.SECURITY_AUDIT, seed=0)
25
  obs = res.observation
26
- assert obs.blast_radius in ("low", "medium", "high", "critical")
27
- assert obs.service_criticality in ("low", "medium", "high", "critical")
28
- assert isinstance(obs.affected_users, int)
29
- assert obs.service_name != ""
30
 
31
 
32
  # ─────────────────────────────────────────────────────────────────────────────
@@ -36,7 +34,7 @@ def test_env_reset_populates_blast_radius():
36
  def test_env_step_bug_detection():
37
  env = CodeReviewEnv()
38
  env.reset(TaskId.BUG_DETECTION, seed=1)
39
- # seed=1 β†’ bug_003: None dereference in auth.py
40
 
41
  action = Action(
42
  action_type=ActionType.FLAG_ISSUE,
@@ -142,75 +140,31 @@ def test_env_max_steps():
142
  assert res_final.observation.step_count == 10
143
 
144
 
145
- # ─────────────────────────────────────────────────────────────────────────────
146
- # get_state() tests β€” required by OpenEnv /state endpoint
147
- # ─────────────────────────────────────────────────────────────────────────────
148
-
149
- def test_get_state_returns_state_result():
150
- env = CodeReviewEnv()
151
- env.reset(TaskId.BUG_DETECTION, seed=0)
152
-
153
- state = env.get_state("test-episode-id")
154
- assert isinstance(state, StateResult)
155
- assert state.episode_id == "test-episode-id"
156
- assert state.task_id == TaskId.BUG_DETECTION
157
- assert state.step == 0
158
- assert state.max_steps == 10
159
- assert state.noise_budget == 5
160
- assert state.cumulative_score == 0.0
161
- assert state.done == False
162
- assert state.issues_found == []
163
-
164
-
165
- def test_get_state_updates_after_step():
166
- env = CodeReviewEnv()
167
- env.reset(TaskId.BUG_DETECTION, seed=1)
168
-
169
- action = Action(
170
- action_type=ActionType.FLAG_ISSUE,
171
- body="None dereference null check guard clause",
172
- filename="auth.py",
173
- line_number=16,
174
- category=Category.BUG,
175
- severity=Severity.HIGH
176
- )
177
- env.step(action)
178
-
179
- state = env.get_state("ep-123")
180
- assert state.step == 1
181
- assert state.cumulative_score > 0
182
- assert len(state.issues_found) > 0
183
-
184
-
185
- def test_get_state_before_reset_raises():
186
- env = CodeReviewEnv()
187
- with pytest.raises(RuntimeError):
188
- env.get_state("no-episode")
189
-
190
-
191
  # ─────────────────────────────────────────────────────────────────────────────
192
  # Multi-task smoke tests
193
  # ─────────────────────────────────────────────────────────────────────────────
194
 
195
  def test_security_task_runs_to_completion():
196
  env = CodeReviewEnv()
197
- # seed=1 selects sec_003: JWT verification disabled in tokens.py
 
198
  env.reset(TaskId.SECURITY_AUDIT, seed=1)
199
 
 
200
  action = Action(
201
  action_type=ActionType.FLAG_ISSUE,
202
- body="JWT decoded without signature verification bypass authentication none algorithm",
203
- filename="tokens.py",
204
- line_number=10,
205
  category=Category.SECURITY,
206
  severity=Severity.CRITICAL
207
  )
208
  step_res = env.step(action)
209
- assert step_res.reward >= 0, f"Correct security flag should give non-negative reward, got {step_res.reward}"
210
 
211
  env.step(Action(
212
  action_type=ActionType.REQUEST_CHANGES,
213
- body="JWT verification must never be disabled. Must be fixed before merge.",
214
  verdict=Verdict.REQUEST_CHANGES
215
  ))
216
  final = env.get_final_result()
@@ -221,21 +175,21 @@ def test_arch_task_runs_to_completion():
221
  env = CodeReviewEnv()
222
  env.reset(TaskId.ARCHITECTURAL_REVIEW, seed=0)
223
 
 
224
  action = Action(
225
  action_type=ActionType.FLAG_ISSUE,
226
- body="Direct DB access from dashboard bypasses API layer separation of concerns architectural violation",
227
- filename="services/dashboard.py",
228
- line_number=5,
229
  category=Category.ARCHITECTURE,
230
- severity=Severity.CRITICAL
231
  )
232
  env.step(action)
233
 
234
  env.step(Action(
235
  action_type=ActionType.REQUEST_CHANGES,
236
- body="Must go through API layer.",
237
  verdict=Verdict.REQUEST_CHANGES
238
  ))
239
  final = env.get_final_result()
240
  assert final.final_score > 0
241
- assert final.verdict_correct == True
 
1
  import pytest
2
  from codereview_env.env import CodeReviewEnv
3
  from codereview_env.models import (
4
+ TaskId, Action, ActionType, Category, Severity, Verdict
5
  )
6
 
7
 
 
23
  env = CodeReviewEnv()
24
  res = env.reset(TaskId.SECURITY_AUDIT, seed=0)
25
  obs = res.observation
26
+ # Note: New models have different fields or names, but the env should map them.
27
+ assert obs.step_count == 0
 
 
28
 
29
 
30
  # ─────────────────────────────────────────────────────────────────────────────
 
34
  def test_env_step_bug_detection():
35
  env = CodeReviewEnv()
36
  env.reset(TaskId.BUG_DETECTION, seed=1)
37
+ # seed=1 β†’ bug_003: None dereference in auth.py (per reordering)
38
 
39
  action = Action(
40
  action_type=ActionType.FLAG_ISSUE,
 
140
  assert res_final.observation.step_count == 10
141
 
142
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
143
  # ─────────────────────────────────────────────────────────────────────────────
144
  # Multi-task smoke tests
145
  # ─────────────────────────────────────────────────────────────────────────────
146
 
147
  def test_security_task_runs_to_completion():
148
  env = CodeReviewEnv()
149
+ # seed=1 selects sec_002: Hardcoded secret (if 0-indexed and order is preserved)
150
+ # Actually get_scenario(TaskId.SECURITY_AUDIT, 1) selects the second item.
151
  env.reset(TaskId.SECURITY_AUDIT, seed=1)
152
 
153
+ # sec_002 is bug with sk_live_abc123XYZ in payments/webhook.py line 5
154
  action = Action(
155
  action_type=ActionType.FLAG_ISSUE,
156
+ body="hardcoded secret sk_live_abc123XYZ",
157
+ filename="payments/webhook.py",
158
+ line_number=5,
159
  category=Category.SECURITY,
160
  severity=Severity.CRITICAL
161
  )
162
  step_res = env.step(action)
163
+ assert step_res.reward >= 0
164
 
165
  env.step(Action(
166
  action_type=ActionType.REQUEST_CHANGES,
167
+ body="Hardcoded secret found.",
168
  verdict=Verdict.REQUEST_CHANGES
169
  ))
170
  final = env.get_final_result()
 
175
  env = CodeReviewEnv()
176
  env.reset(TaskId.ARCHITECTURAL_REVIEW, seed=0)
177
 
178
+ # arch_001 is UserManager god class
179
  action = Action(
180
  action_type=ActionType.FLAG_ISSUE,
181
+ body="god class single responsibility violation",
182
+ filename="services/user_manager.py",
183
+ line_number=2,
184
  category=Category.ARCHITECTURE,
185
+ severity=Severity.HIGH
186
  )
187
  env.step(action)
188
 
189
  env.step(Action(
190
  action_type=ActionType.REQUEST_CHANGES,
191
+ body="Must refactor out of god class.",
192
  verdict=Verdict.REQUEST_CHANGES
193
  ))
194
  final = env.get_final_result()
195
  assert final.final_score > 0