Enterprise hardening: fix 3 production bugs + expand AutoFix coverage + strengthen ML pipeline#259
Draft
DevOpsMadDog with Copilot wants to merge 4 commits into
Draft
Enterprise hardening: fix 3 production bugs + expand AutoFix coverage + strengthen ML pipeline#259DevOpsMadDog with Copilot wants to merge 4 commits into
DevOpsMadDog with Copilot wants to merge 4 commits into
Conversation
- Fix ThreatEnricher.enrich() missing method (broken autofix enrichment) - Fix generate_audit_bundle() missing category in controls (broken HIPAA test) - Fix concurrent ML training race condition with single-flight guard - Expand AutoFix templates from 10 to 17 CWEs (add CWE-287, CWE-312, CWE-319, CWE-352, CWE-400, CWE-601, CWE-862)" Agent-Logs-Url: https://github.com/DevOpsMadDog/Fixops/sessions/1eefb18c-3b10-4724-80ec-837d3a1eb06a Co-authored-by: DevOpsMadDog <235109555+DevOpsMadDog@users.noreply.github.com>
…t guard; improve executive summary MTTR/SLA" Agent-Logs-Url: https://github.com/DevOpsMadDog/Fixops/sessions/1eefb18c-3b10-4724-80ec-837d3a1eb06a Co-authored-by: DevOpsMadDog <235109555+DevOpsMadDog@users.noreply.github.com>
…ons, improve regex patterns Agent-Logs-Url: https://github.com/DevOpsMadDog/Fixops/sessions/1eefb18c-3b10-4724-80ec-837d3a1eb06a Co-authored-by: DevOpsMadDog <235109555+DevOpsMadDog@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Develop world-class product for enterprise readiness
Enterprise hardening: fix 3 production bugs + expand AutoFix coverage + strengthen ML pipeline
Mar 31, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Three bugs were causing silent failures in the AutoFix enrichment path, HIPAA compliance bundles, and concurrent ML retraining. Additionally, the AutoFix template library covered only 10 CWEs and the executive summary returned hardcoded zeros for MTTR.
Bug Fixes
ThreatEnricher.enrich()— method did not existCalled by the AutoFix engine for CVE enrichment but never implemented. Added full implementation:
Works in air-gapped mode via
skip_api=True.generate_audit_bundle()— controls missingcategory,title,automatedCompliance bundle controls were returned from DB assessments without framework metadata. Fixed by enriching each entry from
_framework_controls— HIPAA bundles now return controls with propercategory(Administrative / Physical / Technical).Concurrent ML training race condition (TOCTOU)
Multiple threads could each pass
_should_retrain()and simultaneously execute full training runs, causing 30s test timeouts in production-equivalent concurrency scenarios. Fixed with a_training_in_progresssingle-flight guard set atomically inside the lock before releasing it:Enterprise Improvements
AutoFix template library: 10 → 17 CWEs
Added enterprise-critical patterns missing from the offline fix library:
Each template includes Python + JavaScript patches, MITRE ATT&CK mappings, and compliance refs (GDPR Art.32, HIPAA §164.312, PCI-DSS).
Executive summary — replace hardcoded zeros with real data
mttr_hoursnow reads fromanalytics_db.calculate_mttr()instead of returning0sla.compliant_pctandsla.breached_countTests
ThreatEnricher.enrich()(empty input, KEV detection, EPSS cache, batch CVEs, air-gap mode)generate_audit_bundle()verifyingcategory,titlefields, and bundle structureWarning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
api.first.org/usr/bin/python python -m pytest tests/test_brain_pipeline.py -q --tb=short --timeout=10 --no-cov(dns block)/usr/bin/python python -m pytest tests/ -q --tb=no --timeout=10 --no-cov --ignore=tests/e2e --ignore=tests/e2e_real_data --ignore=tests/real_world_tests(dns block)collector/usr/bin/python python -m pytest tests/ -q --tb=no --timeout=10 --no-cov --ignore=tests/e2e --ignore=tests/e2e_real_data --ignore=tests/real_world_tests(dns block)/usr/bin/python python -m pytest tests/test_self_learning_unit.py tests/test_feedback.py tests/test_compliance_engine_unit.py tests/test_evidence_export_signed.py -q --tb=short --timeout=10 --no-cov git conf�� get --global sh copilot.originalbash(dns block)/usr/bin/python python -m pytest tests/test_autofix_engine_unit.py::TestEnrichFromGraph::test_returns_context_on_graph_failure tests/test_evidence_export_signed.py::TestEvidenceExportHIPAA -q --tb=short --timeout=10 --no-cov(dns block)www.cisa.gov/usr/bin/python python -m pytest tests/test_brain_pipeline.py -q --tb=short --timeout=10 --no-cov(dns block)/usr/bin/python python -m pytest tests/ -q --tb=no --timeout=10 --no-cov --ignore=tests/e2e --ignore=tests/e2e_real_data --ignore=tests/real_world_tests(dns block)If you need me to access, download, or install something from one of these locations, you can either:
Original prompt
Created from VS Code.