build(semgrep): add no-streamable-http-headers rule for Goose recipes#1141
Merged
build(semgrep): add no-streamable-http-headers rule for Goose recipes#1141
Conversation
The `headers:` field is not part of the Goose recipe schema for `streamable_http` extensions. Goose uses strict serde_yaml deserialization and rejects unknown fields with "Invalid recipe: did not find expected key", causing agent job failures at runtime. This pattern was introduced twice (PRs 1094, 1122) when configuring in-cluster MCP gateway auth. Both times the `headers: Authorization` approach had to be reverted. Auth is not needed when MCP_REQUIRE_AUTH=false; the correct pattern is to simply omit headers. Changes: - Add bazel/semgrep/rules/yaml/no-streamable-http-headers.yaml rule - Add bazel/semgrep/rules/BUILD yaml_rules filegroup and yaml_rules_test - Add bazel/semgrep/tests/fixtures/no-streamable-http-headers.yaml test case - Add recipes_semgrep_test to goose_agent/image/BUILD for CI enforcement against all recipe YAML files and config.yaml - Fix Bazel label: //bazel/semgrep/tests:yaml_fixtures (not tests/fixtures:) - Use mapping-level pattern (without list-item prefix) for broader matching Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jomcgi
force-pushed
the
build/semgrep-no-streamable-http-headers
branch
from
6594452 to
c395b5a
Compare
Remove blank lines before --- document separators in the no-streamable-http-headers fixture file. Prettier normalizes this format; the CI format check auto-detects and rejects unformatted files. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The semgrep gazelle plugin marks manually-added semgrep_test rules as stale when a package has no .py files or configured target kinds (py_venv_binary, go_binary). The goose_agent image package has only Go and YAML files, so the plugin's staleRules() deletes the recipes_semgrep_test target on every `gazelle` run, causing the format check to fail (git diff --exit-code detects the deletion). Add `# gazelle:semgrep disabled` to prevent the plugin from processing this package. The recipes_semgrep_test enforces that recipe YAML files never include `headers:` in streamable_http extensions — an anti-pattern that caused two separate runtime failures (PRs 1094, 1122). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
no-streamable-http-headersto catch unsupportedheaders:fields in Goose recipestreamable_httpextensionsyaml_rulesfilegroup tobazel/semgrep/rules/BUILDfor YAML-language semgrep rulesbazel/semgrep/tests/fixtures/recipes_semgrep_testtogoose_agent/image/BUILDto enforce the rule in CI against all recipe YAML andconfig.yamlMotivation
The
headers:field is not part of the Goose recipe schema forstreamable_httpextensions. Goose's strictserde_yamldeserialization rejects unknown fields at runtime with:This pattern was introduced twice in recent PRs (#1094, #1122) while configuring MCP gateway auth — both times it had to be reverted. The correct approach is to omit
headers:entirely since the MCP gateway runs withMCP_REQUIRE_AUTH=falsefor in-cluster access.Rule details
no-streamable-http-headersyamlERRORheaders:inside anystreamable_httpextension blockheaders:, useenv_keysfor secrets or omit auth entirely for in-cluster accessTest plan
bazel/semgrep/tests/fixtures/no-streamable-http-headers.yamldocuments# ruleid:/# ok:casesrecipes_semgrep_testenforces the rule against current recipe files (all pass — no violations present)🤖 Generated with Claude Code