Skip to content

docs(agents): add AGENTS.md carrying the authorization rules PRs most often break#209

Open
beardthelion wants to merge 1 commit into
mainfrom
docs/agents-md
Open

docs(agents): add AGENTS.md carrying the authorization rules PRs most often break#209
beardthelion wants to merge 1 commit into
mainfrom
docs/agents-md

Conversation

@beardthelion

@beardthelion beardthelion commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Adds a root AGENTS.md written for coding agents and human contributors alike, plus a pointer from CONTRIBUTING's PR guidelines. It carries only what a patch author cannot recover from the code alone: the owner-gate forms in use and the write routes that are non-owner by design, the path argument contract on authorize_repo_read, denial semantics, the deny-test expectations for new and removed routes, migration versioning, client denial surfacing, and what CI actually blocks on vs what is convention.

Two ground rules held while writing it: every named identifier, test, and CI claim was checked against current main, so the enforcement labels describe only what is merged today; and nothing already covered by README, CONTRIBUTING, SECURITY, or the PR template is repeated. The deny suite in review (#194, #195) is referenced with wording that stays true whether or not it has landed in a given checkout.

Docs-only: no runtime impact, no code or CI changes.

Summary by CodeRabbit

  • Documentation
    • Added a contributor guide covering authorization requirements, serving-path changes, database migrations, client behavior, and CI expectations.
    • Updated contribution guidelines to require reviewing the authorization guidance before modifying endpoints, visibility, or migrations.

… often break

Encode the contributor-facing gate rules (the three owner-gate forms in
use and the by-design non-owner exceptions, path-scoped reads and the
listings contract, denial semantics, deny-test expectations, migration
versioning, client denial surfacing, MSRV and the exact CI gate set) in
a root AGENTS.md that coding agents load automatically, and point
CONTRIBUTING.md at it. Enforcement labels state only what is on main
today.
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Added AGENTS.md with authorization, serving-path, migration, denial-handling, and CI guidance. Updated CONTRIBUTING.md to require consulting it for endpoint, visibility, or migration changes.

Changes

Contributor security guidance

Layer / File(s) Summary
Security-surface contribution rules
AGENTS.md, CONTRIBUTING.md
Documents authorization invariants, route and denial-test requirements, migration and client-denial rules, toolchain constraints, and the related pull request guideline.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related issues

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description has useful substance but does not follow the required PR template or include several requested sections. Rewrite it using the repo template: add Summary, Motivation & context, Kind of change, What changed, How to verify, checklist items, and reviewer notes.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the new AGENTS.md docs and the authorization guidance it adds.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/agents-md

Comment @coderabbitai help to get the list of available commands.

@beardthelion beardthelion added the kind:docs Docs and comments only label Jul 16, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Line 18: Update the gated-handler testing guidance in AGENTS.md to require
denial tests based on each route’s authorization rule, rather than universally
requiring non-owner denial. Preserve non-owner tests only where non-owners are
unauthorized, and require tests for the identities that are actually
unauthorized for routes such as star_repo, replica actions, bounty actions, and
author-based closing, including exact denial statuses and non-leaking response
bodies.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e8c09ced-f890-411f-b65c-135fe8150aca

📥 Commits

Reviewing files that changed from the base of the PR and between ad7c2b2 and 4963910.

📒 Files selected for processing (2)
  • AGENTS.md
  • CONTRIBUTING.md

Comment thread AGENTS.md

## Adding or changing routes

- A new gated handler needs a test proving the gate fires: sign as a non-owner and as an anonymous caller, assert the exact denial status each way, and assert the body leaks nothing. The non-owner tests in `crates/gitlawb-node/src/test_support.rs` show the shape.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Scope the denial-test requirement by authorization rule.

This blanket requirement says every new gated handler must deny a non-owner, but line 10 correctly documents routes where non-owners are valid callers (star_repo, replica actions, bounty actions, and author-based closing). Require tests for the identities that are unauthorized under each route’s rule instead.

Proposed wording
-- A new gated handler needs a test proving the gate fires: sign as a non-owner and as an anonymous caller, assert the exact denial status each way, and assert the body leaks nothing. The non-owner tests in `crates/gitlawb-node/src/test_support.rs` show the shape.
+- A new gated handler needs tests proving its route-specific gate fires: exercise an unauthorized authenticated caller and an anonymous caller where applicable, assert the exact denial status each way, and assert the body leaks nothing. The non-owner tests in `crates/gitlawb-node/src/test_support.rs` show the shape for owner-gated routes.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- A new gated handler needs a test proving the gate fires: sign as a non-owner and as an anonymous caller, assert the exact denial status each way, and assert the body leaks nothing. The non-owner tests in `crates/gitlawb-node/src/test_support.rs` show the shape.
A new gated handler needs tests proving its route-specific gate fires: exercise an unauthorized authenticated caller and an anonymous caller where applicable, assert the exact denial status each way, and assert the body leaks nothing. The non-owner tests in `crates/gitlawb-node/src/test_support.rs` show the shape for owner-gated routes.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` at line 18, Update the gated-handler testing guidance in AGENTS.md
to require denial tests based on each route’s authorization rule, rather than
universally requiring non-owner denial. Preserve non-owner tests only where
non-owners are unauthorized, and require tests for the identities that are
actually unauthorized for routes such as star_repo, replica actions, bounty
actions, and author-based closing, including exact denial statuses and
non-leaking response bodies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kind:docs Docs and comments only

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant