
feat(policy): check non-Rust file allowlist (#204, rollout PR 5/12) #217

Merged: EffortlessSteven merged 1 commit into main from feat/xtask-check-file-policy-20260511 on May 11, 2026

@EffortlessSteven

Member

Summary

Fifth PR in the 12-PR file-policy rollout. First real enforcement command. Adds cargo xtask check-file-policy --mode <mode> which reconciles tracked non-Rust files against policy/non-rust-allowlist.toml.

Issue

Closes #204. Depends on #202 (ledger scaffolds, merged), #212 (xtask scaffold, merged). Refines #180. Tracks #109.

Behavior

Walks git ls-files -z minus *.rs, reconciles against [[file]] (exact path) and [[glob]] (globset pattern) entries. Reports five finding categories:

  • unreceipted files — no allowlist entry matches
  • missing required fields — entry without path|pattern, kind, surface, classification, owner, reason, covered_by, created, or review_after
  • expired entries — entry.expires < today (when set)
  • stale review — entry.review_after < today
  • unused entries — allowlist entry matched no tracked file

Modes

| Mode | Exit | Fails on |
|---|---|---|
| advisory (default) | always 0 | nothing |
| blocking-allowlist | 1 on any | unreceipted + missing fields + expired |
| blocking-strict | 1 on any | all five categories |

blocking-strict is wired but reserved until a dedicated stale/unused cleanup pass, per docs/policy/NON_RUST_ROLLOUT.md.

Decisions

  • Added toml, globset, chrono (no defaults, clock only) as direct xtask deps. toml is non-negotiable. globset handles docs/**/*.md-style patterns correctly. chrono for "today" — ISO 8601 dates would sort lexically but NaiveDate parse+compare is the defensive choice. clock feature is the only weight added.
  • Bail with issue count + pointer. Failure exits via bail!("...; see target/policy/file-policy-report.md") so the artifact path is in the operator's terminal.

Acceptance

  • cargo check --workspace --locked passes.
  • cargo clippy -p xtask --all-targets --locked -- -D warnings clean.
  • cargo fmt --all -- --check clean.
  • cargo xtask check-file-policy --mode advisory exits 0 and reports:
    tracked=1018 entries=24 unreceipted=945 missing_fields=0 expired=0 stale=0 unused=0
  • cargo xtask check-file-policy --mode blocking-allowlist exits 1:
    Error: check-file-policy: blocking-allowlist mode found 945 blocking issue(s); see target/policy/file-policy-report.md
  • Both target/policy/file-policy-report.md and .json produced.

Note on the 945-unreceipted count

Expected. Generated files (**/*.snap), workflow files, dependency-surface files, etc. live in their own ledgers (generated-allowlist.toml, workflow-allowlist.toml, dependency-surface-allowlist.toml). This checker is scoped to non-rust-allowlist.toml only. PRs 7 (#206) and 8 (#207) add the companion checkers; PR 9 (#208) aggregates into a unified policy-report. Not a blocker for merging this PR — advisory mode is the configured state, and the report is informational evidence for later PRs.

Follow-ups

Fifth PR in the 12-PR file-policy rollout. Adds the first real
enforcement command: cargo xtask check-file-policy --mode <mode>.

## Behavior

Reads policy/non-rust-allowlist.toml, walks tracked non-Rust files
(via `git ls-files -z` minus `*.rs`), reconciles each file against
[[file]] (exact path) and [[glob]] (globset pattern) entries.

Surfaces five finding categories:

- unreceipted files (no allowlist entry matches)
- entries with missing required fields (path|pattern, kind, surface,
  classification, owner, reason, covered_by, created, review_after)
- expired entries (entry.expires < today, when set)
- stale review entries (entry.review_after < today)
- unused entries (entry matched no tracked file)

## Modes

- advisory             — report everything; exit 0 always. Default.
- blocking-allowlist   — exit 1 on unreceipted, missing fields, or
                         expired entries. Stale/unused stay informational.
- blocking-strict      — exit 1 on all five categories. Reserved for
                         after the stale/unused cleanup pass (see
                         docs/policy/NON_RUST_ROLLOUT.md).

Writes target/policy/file-policy-report.{md,json} consumed by PR 9's
unified policy-report (#208).

## Decisions

- Added toml, globset, chrono (no defaults, clock only) as direct deps.
  toml is non-negotiable. globset handles `docs/**/*.md`-style patterns
  correctly. chrono is for `today`; ISO 8601 dates would sort lexically
  but chrono's `NaiveDate` parse + compare is the defensive choice and
  the crate weight is small (clock feature only).
- Failure exits via `bail!` with the issue count and a pointer to the
  Markdown report.

## Acceptance

- cargo check --workspace --locked passes.
- cargo clippy -p xtask --all-targets --locked -- -D warnings clean.
- cargo fmt --all -- --check clean.
- cargo xtask check-file-policy --mode advisory exits 0 and reports:
    tracked=1018 entries=24 unreceipted=945 missing_fields=0 expired=0
    stale=0 unused=0
- cargo xtask check-file-policy --mode blocking-allowlist exits 1
  with `found 945 blocking issue(s)`. (Most "unreceipted" entries are
  generated files / workflows / non-rust-allowlist-out-of-scope items
  that subsequent PRs cover in their own ledgers; PR 7-8 add the
  matching checkers, PR 9 aggregates.)

## Out of scope

- check-generated, check-executable-files, check-dependency-surfaces
  (PR 7 / #206)
- check-workflow-surfaces, check-process-policy, check-network-policy
  (PR 8 / #207)
- Unified policy-report (PR 9 / #208)
- CI wiring (PR 10 / #209)

Closes #204.
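
The date-handling decision and the mode table above, as an added example that is not code from this PR or from the project: it uses only the standard library in place of chrono, and every name in it (`parse_date`, `check_expiry`, `lexically_expired`, `blocking_issues`) is hypothetical. It shows why a raw string compare lets a non-padded `expires` value such as `2026-5-9` look unexpired, and how the finding counts map to a failing count per mode; reporting an unparseable date as its own outcome is an assumption here.

```rust
// Added illustration (not the PR's code): std-only stand-in for its chrono NaiveDate check.
#[derive(Clone, Copy)]
enum Mode { Advisory, BlockingAllowlist, BlockingStrict }

#[derive(Default)]
struct Findings { unreceipted: usize, missing_fields: usize, expired: usize, stale: usize, unused: usize }

#[derive(Debug, PartialEq)]
enum Expiry { Live, Expired, Malformed }

/// Strict YYYY-MM-DD parse into an ordered (year, month, day) tuple.
/// Simplification: day is only range-checked 1..=31, not per month.
fn parse_date(s: &str) -> Option<(u32, u32, u32)> {
    let shape_ok = s.len() == 10 && s.bytes().enumerate()
        .all(|(i, c)| if i == 4 || i == 7 { c == b'-' } else { c.is_ascii_digit() });
    if !shape_ok { return None; }
    let num = |r: std::ops::Range<usize>| s[r].parse::<u32>().ok();
    let (y, m, d) = (num(0..4)?, num(5..7)?, num(8..10)?);
    ((1..=12).contains(&m) && (1..=31).contains(&d)).then_some((y, m, d))
}

/// Assumption: a date that fails to parse is reported, never treated as "not expired".
fn check_expiry(expires: &str, today: (u32, u32, u32)) -> Expiry {
    match parse_date(expires) {
        Some(d) if d < today => Expiry::Expired,
        Some(_) => Expiry::Live,
        None => Expiry::Malformed,
    }
}

/// The shortcut the PR avoids: comparing the raw strings.
fn lexically_expired(expires: &str, today: &str) -> bool { expires < today }

/// Number of findings that fail the run in each mode, per the Modes table.
fn blocking_issues(mode: Mode, f: &Findings) -> usize {
    let allowlist = f.unreceipted + f.missing_fields + f.expired;
    match mode {
        Mode::Advisory => 0,
        Mode::BlockingAllowlist => allowlist,
        Mode::BlockingStrict => allowlist + f.stale + f.unused,
    }
}

fn main() {
    let today = (2026, 5, 11); // constructed sample date
    for e in ["2026-05-09", "2026-12-01", "2026-5-9"] { // constructed sample values
        println!("{e}: parsed={:?} lexical_expired={}", check_expiry(e, today), lexically_expired(e, "2026-05-11"));
    }
    let f = Findings { unreceipted: 945, ..Default::default() }; // counts from the PR's acceptance run
    println!("blocking-allowlist issues: {}", blocking_issues(Mode::BlockingAllowlist, &f));
}
```
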
@factory-droid

factory-droid Bot commented May 11, 2026

Droid finished @EffortlessSteven's task


Factory Droid Review — PR #217

Status: APPROVED — No findings

No candidate comments were produced by the reviewer. The diff was inspected against the shipper product contract (publish correctness, state/receipt coherence, token handling, xtask non-Rust file-policy enforcement).

Inspected surfaces:

  • xtask/src/check_file_policy.rs — TOML parsing (toml 0.8), chrono date handling, globset glob matching, findings reconciliation, report generation
  • xtask/src/main.rs — new check-file-policy subcommand wiring
  • xtask/Cargo.toml — new direct dependencies: toml, globset, chrono
  • Cargo.lock — indirect dependency additions consistent with new deps

Checks performed:

  • Read the full diff (512-line new module)
  • Verified no unsafe code introduced
  • Verified no token/log secrets handling introduced (xtask-level only)
  • Verified bail! error messages include the report path pointer (target/policy/file-policy-report.md)
  • Verified mode semantics match PR description: advisory (never fails), blocking-allowlist (unreceipted + missing + expired), blocking-strict (all five categories)
  • Verified date comparison uses chrono::NaiveDate with explicit format %Y-%m-%d rather than raw lexical compare
  • Verified git ls-files -z with NUL terminator parsing handles paths with spaces correctly
  • Verified entries sorted before reconciliation for deterministic output

Why no comments:
The PR adds a self-contained xtask checker with no impact on shipper-core, shipper-cli, or shipper façade crates. No publish-state, registry-truth, or token-resolution surfaces were touched. The new dependencies (toml 0.8, globset, chrono with clock feature) are appropriately scoped to the xtask and add no weight to production binaries.

Residual risk:
Registry-side ambiguity remains outside scope (this PR does not address Reconcile competency). The 945 unreceipted files are expected per PR description and addressed in follow-up PRs 6–9.

Validation signal:

  • cargo check --workspace --locked passes (per PR acceptance criteria)
  • cargo clippy -p xtask --all-targets --locked -- -D warnings clean
  • cargo fmt --all -- --check clean

@EffortlessSteven EffortlessSteven merged commit e660fc0 into main May 11, 2026
21 checks passed
@EffortlessSteven EffortlessSteven deleted the feat/xtask-check-file-policy-20260511 branch May 11, 2026 23:07