chore(policy): add non-Rust policy allowlist ledgers (#202, rollout PR 2/12)#214
Second PR in the 12-PR file-policy rollout decomposition. Creates the `policy/` directory and the 8 TOML ledger files referenced throughout the existing documentation. No checker, no behavior change, no CI wiring.

Each ledger uses the agreed schema:

```toml
schema_version = "1.0"
policy = "<name>"
owner = "EffortlessMetrics"
status = "active"
```

Substantively seeded:

- `policy/non-rust-allowlist.toml` — receipts for the tracked non-Rust files that exist today: top-level docs (README, CHANGELOG, MISSION, ROADMAP, CONTRIBUTING, SECURITY, GAPS_CLOSEOUT), agent docs (AGENTS, CLAUDE, GEMINI), the license trio (LICENSE, LICENSE-APACHE, LICENSE-MIT), historical release artifacts (`RELEASE_*v0.2.0`, `RELEASE_*v0.3.0`), build/toolchain config (rust-toolchain.toml, clippy.toml, codecov.yml), and four documentation/test subtrees (`docs/**/*.md`, `features/**/*.feature`, `templates/**`, `fuzz/**`).
- `policy/generated-allowlist.toml` — `**/*.snap` glob for the 813 tracked insta snapshots, with regen command `cargo insta accept`.
- `policy/dependency-surface-allowlist.toml` — Cargo.toml, Cargo.lock, crates/*/Cargo.toml, fuzz/Cargo.toml.

Scaffold-only (PR 3 #203 sweeps current state into entries):

- `policy/non-rust-debt.toml`
- `policy/executable-allowlist.toml`
- `policy/workflow-allowlist.toml`
- `policy/process-allowlist.toml`
- `policy/network-allowlist.toml`

The non-rust-debt ledger ships empty by design — entries are added intentionally from `cargo xtask non-rust propose` output (PR 6), never auto-generated into the file.

Acceptance: every `policy/*.toml` parses as valid TOML; `cargo check --workspace --locked` still passes.

Closes #202.
Third PR in the 12-PR file-policy rollout decomposition. Populates the high-risk ledgers that #214 left as scaffolds. No checker, no enforcement, no CI wiring.

## workflow-allowlist.toml

Explicit receipt for every workflow currently in `.github/workflows/`. No `.github/**` wildcard. Each entry declares its `process_policy` and `network_policy`:

- ci.yml, coverage.yml, architecture-guard.yml, fuzz.yml, mutation.yml → ci profile
- release.yml → release profile
- droid-review.yml, droid.yml, droid-security-scan.yml → droid profile

Also receipts `.github/dependabot.yml` (configuration, not a workflow, but governs bot behavior).

## process-allowlist.toml

Three named profiles seeded with the commands actually invoked today:

- ci → cargo, rustup, rustc, cargo-fuzz, cargo-mutants, cargo-llvm-cov, cargo-nextest
- release → adds shipper, gh, tar, sha256sum, install, sudo
- droid → bash, curl, sh, bun, mkdir, cat, jq (Factory CLI fetch + BYOK heredoc + droid-action-safe)

## network-allowlist.toml

Three named profiles seeded with endpoints actually contacted today:

- ci → github.com + crates.io family, rustup endpoints, codecov
- release → adds Trusted Publishing OIDC + uploads.github.com
- droid → adds app.factory.ai, api.factory.ai, api.minimax.io

Renames the array-of-tables from `[[policy]]` to `[[profile]]` to avoid collision with the top-level `policy = "..."` field. All eight ledgers now parse as valid TOML.

Acceptance: every `policy/*.toml` parses; `cargo check --workspace --locked` passes.

PR 8 (#207) adds the checker that scans workflows and reconciles against these profiles.

Closes #203.
Sixth PR in the 12-PR file-policy rollout. Adds
`cargo xtask non-rust propose`, which finds tracked non-Rust files
that are not yet covered by `policy/non-rust-allowlist.toml` and
writes draft entries to `target/policy/`:

    target/policy/non-rust-proposed-allowlist.toml
    target/policy/non-rust-proposal.md

The proposer NEVER mutates `policy/non-rust-allowlist.toml`. The
draft TOML is a starting point; a human (or follow-up agent) reviews,
edits, and intentionally copies entries into the real ledger.
## Behavior
- Walks `git ls-files -z` minus `*.rs` for the tracked non-Rust set.
- Loads `policy/non-rust-allowlist.toml` and the `[[file]]` / `[[glob]]`
selectors.
- Subtracts the covered set; the remainder is the unreceipted list.
- Writes one `[[file]]` entry per unreceipted path with TODO fields:

      kind = "TODO"
      surface = "TODO"
      classification = "TODO"
      owner = "TODO"
      reason = "TODO: explain why this non-Rust surface remains. If
                scheduled for conversion to Rust/xtask, say so and add
                an `expires` date."
      created = "<today>"
      review_after = "<today + 90 days>"

- Writes a Markdown proposal that groups entries by top-level directory
and explains the review workflow.
## Decisions
- **Default review window: 90 days.** Honest enough for a first-pass
receipt; a reviewer can shorten or extend per entry. Matches what the
hand-seeded receipts in #214 used.
- **TOML rendered by hand, not via `toml::to_string`.** Keeps comment
blocks at the top and the order deterministic. The proposed-allowlist
schema is documented inline so reviewers see the explanation in the
file itself.
- **Duplicated allowlist deserialization + tracked-file enumeration
from check_file_policy.rs.** The shared helpers fit in ~30 lines
each; a DRY refactor is a small follow-up PR rather than scope creep
here.
## Acceptance
- `cargo check --workspace --locked` passes.
- `cargo clippy -p xtask --all-targets --locked -- -D warnings` clean.
- `cargo fmt --all -- --check` clean.
- `cargo xtask non-rust propose` ran on this branch:
  `wrote 945 proposed entries to target/policy/non-rust-proposed-allowlist.toml (and matching non-rust-proposal.md)`
- Both artifacts produced; the TOML parses as valid TOML.
- `policy/non-rust-allowlist.toml` is unchanged (proposer never
touches the real ledger).
Closes #205.
## Summary

Second PR in the 12-PR file-policy rollout decomposition. Creates the `policy/` directory and the 8 TOML ledger files. No checker, no enforcement, no CI wiring — pure scaffolding + first-pass receipts.

## Issue

Closes #202. Depends on #201 (merged docs framing). Refines #180. Tracks #109.

## Decisions

- `non-rust-allowlist.toml`, `generated-allowlist.toml`, `dependency-surface-allowlist.toml` with real entries that cover the current tracked state. Leave `non-rust-debt.toml`, `executable-allowlist.toml`, `workflow-allowlist.toml`, `process-allowlist.toml`, `network-allowlist.toml` as documented scaffolds.
- `non-rust propose` output (feat(policy): propose non-Rust allowlist entries (rollout PR 6/12) #205) is the canonical source for non-rust-debt entries, so seeding empty is correct.
- `review_after` dates ranging 90 days (docs, agent instructions, build config) to 1 year (license files).
- `expires` not used yet — that's for transitional ("scheduled to be converted to Rust/xtask") entries which haven't been identified.
- `**/*.snap` with the regen command spelled out, rather than enumerating 813 individual files.

## Validation

- `policy/*.toml` parses as valid TOML (Python `tomllib` check).
- `cargo check --workspace --locked` passes.

## Follow-ups

- `workflow-allowlist.toml` and populate the `ci`/`release` profiles in process and network allowlists.
- `xtask` skeleton and `cargo xtask non-rust inventory`.
- `cargo xtask check-file-policy`.
- `docs/policy/NON_RUST_ROLLOUT.md` (landed in docs(policy): clarify non-Rust allowlist rollout status (#201, rollout PR 1/12) #213) is the canonical ladder view.