docs(agents): add AGENTS.md carrying the authorization rules PRs most often break#209
docs(agents): add AGENTS.md carrying the authorization rules PRs most often break#209beardthelion wants to merge 1 commit into
Conversation
… often break Encode the contributor-facing gate rules (the three owner-gate forms in use and the by-design non-owner exceptions, path-scoped reads and the listings contract, denial semantics, deny-test expectations, migration versioning, client denial surfacing, MSRV and the exact CI gate set) in a root AGENTS.md that coding agents load automatically, and point CONTRIBUTING.md at it. Enforcement labels state only what is on main today.
📝 WalkthroughWalkthroughAdded ChangesContributor security guidance
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related issues
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@AGENTS.md`:
- Line 18: Update the gated-handler testing guidance in AGENTS.md to require
denial tests based on each route’s authorization rule, rather than universally
requiring non-owner denial. Preserve non-owner tests only where non-owners are
unauthorized, and require tests for the identities that are actually
unauthorized for routes such as star_repo, replica actions, bounty actions, and
author-based closing, including exact denial statuses and non-leaking response
bodies.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
|
|
||
| ## Adding or changing routes | ||
|
|
||
| - A new gated handler needs a test proving the gate fires: sign as a non-owner and as an anonymous caller, assert the exact denial status each way, and assert the body leaks nothing. The non-owner tests in `crates/gitlawb-node/src/test_support.rs` show the shape. |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Scope the denial-test requirement by authorization rule.
This blanket requirement says every new gated handler must deny a non-owner, but line 10 correctly documents routes where non-owners are valid callers (star_repo, replica actions, bounty actions, and author-based closing). Require tests for the identities that are unauthorized under each route’s rule instead.
Proposed wording
-- A new gated handler needs a test proving the gate fires: sign as a non-owner and as an anonymous caller, assert the exact denial status each way, and assert the body leaks nothing. The non-owner tests in `crates/gitlawb-node/src/test_support.rs` show the shape.
+- A new gated handler needs tests proving its route-specific gate fires: exercise an unauthorized authenticated caller and an anonymous caller where applicable, assert the exact denial status each way, and assert the body leaks nothing. The non-owner tests in `crates/gitlawb-node/src/test_support.rs` show the shape for owner-gated routes.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - A new gated handler needs a test proving the gate fires: sign as a non-owner and as an anonymous caller, assert the exact denial status each way, and assert the body leaks nothing. The non-owner tests in `crates/gitlawb-node/src/test_support.rs` show the shape. | |
| A new gated handler needs tests proving its route-specific gate fires: exercise an unauthorized authenticated caller and an anonymous caller where applicable, assert the exact denial status each way, and assert the body leaks nothing. The non-owner tests in `crates/gitlawb-node/src/test_support.rs` show the shape for owner-gated routes. |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@AGENTS.md` at line 18, Update the gated-handler testing guidance in AGENTS.md
to require denial tests based on each route’s authorization rule, rather than
universally requiring non-owner denial. Preserve non-owner tests only where
non-owners are unauthorized, and require tests for the identities that are
actually unauthorized for routes such as star_repo, replica actions, bounty
actions, and author-based closing, including exact denial statuses and
non-leaking response bodies.
Adds a root
AGENTS.mdwritten for coding agents and human contributors alike, plus a pointer from CONTRIBUTING's PR guidelines. It carries only what a patch author cannot recover from the code alone: the owner-gate forms in use and the write routes that are non-owner by design, the path argument contract onauthorize_repo_read, denial semantics, the deny-test expectations for new and removed routes, migration versioning, client denial surfacing, and what CI actually blocks on vs what is convention.Two ground rules held while writing it: every named identifier, test, and CI claim was checked against current main, so the enforcement labels describe only what is merged today; and nothing already covered by README, CONTRIBUTING, SECURITY, or the PR template is repeated. The deny suite in review (#194, #195) is referenced with wording that stays true whether or not it has landed in a given checkout.
Docs-only: no runtime impact, no code or CI changes.
Summary by CodeRabbit