
chore(policy): receipt high-risk non-Rust surfaces (#203, rollout PR 3/12) #215

Merged
EffortlessSteven merged 1 commit into main from chore/policy-high-risk-receipts-20260511 on May 11, 2026

Conversation

@EffortlessSteven

Member

Summary

Third PR in the 12-PR file-policy rollout. Populates the high-risk ledgers that #214 (PR 2) left as documented scaffolds: workflow, process, network. No checker, no enforcement, no CI wiring — pure first-pass receipts.

Issue

Closes #203. Depends on #202 (merged scaffolds). Refines #180. Tracks #109.

What's receipted

workflow-allowlist.toml — every .github/workflows/*.yml listed explicitly (no .github/** wildcard), 9 workflows + dependabot.yml. Each declares its process_policy and network_policy:

  • ci profile: ci.yml, coverage.yml, architecture-guard.yml, fuzz.yml, mutation.yml
  • release profile: release.yml
  • droid profile: droid-review.yml, droid.yml, droid-security-scan.yml

process-allowlist.toml — three named profiles with commands actually invoked today:

  • ci: cargo, rustup, rustc, cargo-fuzz, cargo-mutants, cargo-llvm-cov, cargo-nextest
  • release: + shipper, gh, tar, sha256sum, install, sudo
  • droid: bash, curl, sh, bun, mkdir, cat, jq (BYOK heredoc + Factory CLI fetch + droid-action-safe)

network-allowlist.toml — three named profiles with endpoints actually contacted today:

  • ci: github.com + crates.io family, rustup endpoints, codecov
  • release: + Trusted Publishing OIDC + uploads.github.com
  • droid: + app.factory.ai, api.factory.ai, api.minimax.io

Decisions

  • Decision: Use [[profile]] for the array-of-tables in process/network allowlists.
    • Rationale: The top-level policy = "process-allowlist" field is a string identifying the policy itself; reusing policy as the array name collides ("Cannot overwrite a value"). Each array entry IS a named profile, so [[profile]] is also semantically clearer.
  • Decision: Separate droid profile rather than folding Droid commands into ci.
    • Rationale: Droid workflows have a substantively different command/endpoint surface (curl|sh fetch, bun, MiniMax/Factory APIs) and live under different secrets (Dependabot-scoped). Mixing into ci would understate what's being authorized.

Validation

  • All 8 policy/*.toml files parse as valid TOML (Python tomllib).
  • cargo check --workspace --locked passes.
  • No source code touched.
  • No workflow files touched.

Follow-ups

PR 4 (#212) — add the xtask skeleton + cargo xtask non-rust inventory. After that, PR 5–8 implement the checkers that consume these ledgers.

Third PR in the 12-PR file-policy rollout decomposition. Populates the
high-risk ledgers that #214 left as scaffolds. No checker, no
enforcement, no CI wiring.

## workflow-allowlist.toml

Explicit receipt for every workflow currently in `.github/workflows/`.
No `.github/**` wildcard. Each entry declares its `process_policy` and
`network_policy`:

  ci.yml, coverage.yml, architecture-guard.yml,
  fuzz.yml, mutation.yml         → ci profile
  release.yml                    → release profile
  droid-review.yml, droid.yml,
  droid-security-scan.yml        → droid profile

Also receipts `.github/dependabot.yml` (configuration, not a workflow,
but governs bot behavior).

## process-allowlist.toml

Three named profiles seeded with the commands actually invoked today:

  ci      → cargo, rustup, rustc, cargo-fuzz, cargo-mutants,
            cargo-llvm-cov, cargo-nextest
  release → adds shipper, gh, tar, sha256sum, install, sudo
  droid   → bash, curl, sh, bun, mkdir, cat, jq
            (Factory CLI fetch + BYOK heredoc + droid-action-safe)

## network-allowlist.toml

Three named profiles seeded with endpoints actually contacted today:

  ci      → github.com + crates.io family, rustup endpoints, codecov
  release → adds Trusted Publishing OIDC + uploads.github.com
  droid   → adds app.factory.ai, api.factory.ai, api.minimax.io

Renames the array-of-tables from `[[policy]]` to `[[profile]]` to
avoid collision with the top-level `policy = "..."` field. All eight
ledgers now parse as valid TOML.

Acceptance: every `policy/*.toml` parses; `cargo check --workspace
--locked` passes. PR 8 (#207) adds the checker that scans workflows
and reconciles against these profiles.

Closes #203.
@factory-droid

factory-droid Bot commented May 11, 2026


Droid finished @EffortlessSteven's task

Droid review complete.

Validated 2 candidates: 0 approved, 2 rejected (both false positives — no malformed dates found in policy/workflow-allowlist.toml).

Review summary: All date fields are correctly formatted as "YYYY-MM-DD". No actionable findings.


@coderabbitai

coderabbitai Bot commented May 11, 2026


Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 28 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 1e8aea6 and 4d13c43.

📒 Files selected for processing (3)
  • policy/network-allowlist.toml
  • policy/process-allowlist.toml
  • policy/workflow-allowlist.toml

@EffortlessSteven EffortlessSteven merged commit 5f286e1 into main May 11, 2026
20 checks passed
@EffortlessSteven EffortlessSteven deleted the chore/policy-high-risk-receipts-20260511 branch May 11, 2026 21:30
EffortlessSteven added a commit that referenced this pull request May 12, 2026

Eighth PR in the 12-PR file-policy rollout. Three new subcommands that
together cover the high-risk half of file policy: which workflows are
authorized, what commands they may invoke, and what endpoints they may
contact.

## Commands

- `cargo xtask check-workflow-surfaces`
    Universe: tracked `.github/workflows/*.yml`. Each must have a
    `[[workflow]]` entry in `policy/workflow-allowlist.toml`. Each entry
    must name a `process_policy` and `network_policy` that exist in
    their respective ledgers. Entries with `kind = "dependabot_config"`
    are catalog-only and exempt from the workflow-file reconciliation;
    their receipts are still validated (missing fields, expired, stale).

- `cargo xtask check-process-policy`
    For each receipted workflow (excluding `kind = "dependabot_config"`),
    scan its file content for known shell-command tokens; flag tokens
    not present in the workflow's declared `process` profile's
    `allowed_processes`.

- `cargo xtask check-network-policy`
    For each receipted workflow, regex-scan for `https?://<host>` URLs
    and reconcile hostnames against the declared `network` profile's
    `allowed_endpoints`. Subdomain coverage is recognized (e.g.,
    `raw.githubusercontent.com` covers `objects.githubusercontent.com`).

All three accept `--mode advisory|blocking-allowlist|blocking-strict`.

## Decisions

- **Grep heuristics, not YAML/AST parsing.** The PR spec explicitly
  said "start simple". The recognition vocabulary for `check-process-policy`
  is a fixed list of well-known shell commands; tokens outside
  that list are silently ignored. This produces false positives where
  a command name appears as a build target or argument (e.g., the word
  "shipper" in `cargo build -p shipper`). Advisory mode reports these;
  CI does not block on them. Refining the detector (e.g., requiring
  the token to appear inside a `run:` block) is a follow-up.

- **`dependabot_config` skip** in workflow-surfaces / process / network
  checks. The `.github/dependabot.yml` entry rides along in the
  workflow allowlist for catalog purposes (see #215 PR body), but it
  is not a workflow file and has no shell commands or URLs to scan.

- **Subdomain endpoint matching.** `allowed_endpoints = ["github.com"]`
  covers `api.github.com`, `objects.githubusercontent.com`, etc.,
  rather than requiring every host be enumerated. Tighter modes
  remain available via the explicit-only `allowed_endpoints`.

- **New direct dep: `regex = "1"`.** Used only by `check-network-policy`
  for the host extraction pattern. Could be replaced by hand-rolled
  parsing if dep weight becomes an issue.

## Acceptance

- `cargo check --workspace --locked` passes.
- `cargo clippy -p xtask --all-targets --locked -- -D warnings` clean.
- `cargo fmt --all -- --check` clean.
- Live results on current main:
    check-workflow-surfaces: workflows=9 entries=10 unreceipted=0 missing=0 expired=0 stale=0 unused=0 invalid_refs=0
    check-process-policy:    workflows=9 unknown_total=10  (all false positives — see PR body)
    check-network-policy:    workflows=9 unknown_total=0

## Out of scope

- Unified policy-report (PR 9 / #208)
- CI advisory wiring (PR 10 / #209)
- Promotion to blocking-allowlist (PR 11 / #210, PR 12 / #211)
- Refining the process-detector to suppress build-target false positives.
- DRY-up of the shared `workspace_root`, `today_iso`, `date_is_past`,
  `tracked_workflow_files` helpers across xtask modules.

Closes #207.
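As an added example, not the project's xtask code, this Python sketch applies the grep heuristics the commit message above describes to a constructed workflow file: a fixed vocabulary of command tokens, a `https?://<host>` regex for endpoints, and parent-domain coverage of `allowed_endpoints`. It also implements the `run:`-block refinement the commit lists as a follow-up, to show which false positives that removes (command names mentioned in a YAML comment) and which it does not (a crate name in `cargo build -p`). The endpoint rule here is strict parent-domain matching (a host is covered when it equals an endpoint or ends with `.` plus an endpoint), which is an assumption; the commit's `githubusercontent.com` examples imply a broader rule that this example does not reproduce. The vocabulary, the `CI_PROFILE` table and the workflow contents are constructed.

```python
"""Grep-heuristic process and network checks over one workflow file.

Added example, not the repository's xtask code. It follows the approach the
commit message describes (fixed command vocabulary, `https?://<host>` regex,
parent-domain coverage of endpoints) on a constructed workflow; the vocabulary,
the profile table and the `run:`-block refinement are assumptions.
"""
import re

# Constructed workflow. `shipper` appears only as a build target, and the YAML
# comment mentions sudo/install without invoking either.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
# TODO: replace sudo with a rootless install once the runner image allows it
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Toolchain
        run: curl -sSf https://static.rust-lang.org/rustup/rustup-init.sh | sh
      - name: Build the shipper crate
        run: |
          cargo build -p shipper --locked
          cargo nextest run --workspace
      - name: Fetch
        run: |
          curl -sL https://api.github.com/repos/example/tool/releases/latest
          curl -sL https://artifacts.example.com/tool.tgz | tar xz
"""

# Assumed ci profile, in the shape of the process/network ledgers.
CI_PROFILE = {
    "allowed_processes": ["cargo", "rustup", "rustc", "cargo-nextest"],
    "allowed_endpoints": ["github.com", "static.rust-lang.org"],
}

# Fixed recognition vocabulary; tokens outside it are silently ignored.
KNOWN_COMMANDS = frozenset({
    "bash", "sh", "curl", "cargo", "rustup", "rustc", "cargo-nextest", "gh",
    "tar", "sha256sum", "install", "sudo", "bun", "mkdir", "cat", "jq", "shipper",
})

TOKEN_RE = re.compile(r"[A-Za-z0-9_.+-]+")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def run_block_text(workflow_text: str) -> str:
    """Keep only the shell under `run:` keys (the refinement the commit defers)."""
    kept, key_indent = [], None
    for line in workflow_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if key_indent is not None:          # inside a block scalar
            if not stripped:
                continue
            if indent > key_indent:
                kept.append(stripped)
                continue
            key_indent = None               # dedent ends the block
        m = RUN_RE.match(line)
        if m:
            body = m.group(2).strip()
            if body in ("|", "|-", "|+", ">", ">-", ">+", ""):
                key_indent = len(m.group(1))
            else:
                kept.append(body)
    return "\n".join(kept)


def unknown_processes(text: str, profile: dict) -> list:
    """Recognised command tokens not in the profile's allowed_processes."""
    allowed = set(profile["allowed_processes"])
    seen = {t for t in TOKEN_RE.findall(text) if t in KNOWN_COMMANDS}
    return sorted(seen - allowed)


def host_is_covered(host: str, endpoints: list) -> bool:
    """Parent-domain match: "github.com" covers "api.github.com" but not "notgithub.com"."""
    return any(host == e or host.endswith("." + e) for e in endpoints)


def unknown_hosts(text: str, profile: dict) -> list:
    """Hostnames in https?:// URLs that no allowed_endpoints entry covers."""
    hosts = set(HOST_RE.findall(text))
    return sorted(h for h in hosts if not host_is_covered(h, profile["allowed_endpoints"]))


if __name__ == "__main__":
    print("process (whole file):", unknown_processes(SAMPLE_WORKFLOW, CI_PROFILE))
    print("process (run: only): ", unknown_processes(run_block_text(SAMPLE_WORKFLOW), CI_PROFILE))
    print("network:", unknown_hosts(SAMPLE_WORKFLOW, CI_PROFILE))
```

Scanning the whole file flags `sudo` and `install` from the comment alongside the real `curl`, `sh` and `tar` invocations; restricting to `run:` blocks drops the comment noise but still flags `shipper`, which is exactly the build-target false positive the commit describes. The network side flags only `artifacts.example.com`, because `api.github.com` is covered by the `github.com` entry. In advisory mode findings like these are reported and inspected; a blocking mode would need either the tighter detector or an explicit receipt for each remaining token.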

Development

Successfully merging this pull request may close these issues.

chore(policy): receipt high-risk non-Rust surfaces (rollout PR 3/12)
