
feat(policy): check generated, executable, and dependency surfaces (#206, rollout PR 7/12)#219

Merged: EffortlessSteven merged 1 commit into main from feat/xtask-gen-exec-dep-checks-20260511 on May 12, 2026.

Conversation

@EffortlessSteven (Member)

Summary

Seventh PR in the 12-PR file-policy rollout. Three new xtask subcommands sharing the same finding model + modes as check-file-policy but operating over different universes and ledgers.

Issue

Closes #206. Depends on #202 (ledgers), #212 (xtask), #204 (file-policy checker as the shape we mirror). Refines #180. Tracks #109.

Commands

| Command | Universe | Ledger |
|---|---|---|
| `cargo xtask check-generated` | entries only (no required receipts) | policy/generated-allowlist.toml |
| `cargo xtask check-executable-files` | tracked files with git mode 100755 | policy/executable-allowlist.toml |
| `cargo xtask check-dependency-surfaces` | Cargo.toml, Cargo.lock, deny.toml, crates/*/Cargo.toml, fuzz/Cargo.* | policy/dependency-surface-allowlist.toml |

All three accept --mode advisory|blocking-allowlist|blocking-strict (default advisory).

Decision: receipt-universe vs match-universe split

For check-generated, the allowlist itself defines what is generated; there is no out-of-band "this file is generated" signal. So the receipt universe is empty. But the match universe must still be the full tracked-file set so a glob like **/*.snap registers as "used" if real snapshots exist.

The reconcile function now takes both:

  • receipt_universe → drives the unreceipted finding.
  • match_universe → drives the unused entry finding.

For executable + dep-surface checks, the two are identical (the scoped universe is what entries must cover and what they may match against).

Live result on this branch

check-generated:           generated=0   entries=1 unreceipted=0 missing=0 expired=0 stale=0 unused=0
check-executable-files:    files=0       entries=0 unreceipted=0 missing=0 expired=0 stale=0 unused=0
check-dependency-surfaces: dep_files=16  entries=4 unreceipted=0 missing=0 expired=0 stale=0 unused=0

The dep_files=16 resolves to: root Cargo.toml, root Cargo.lock, 13 crates/*/Cargo.toml, and fuzz/Cargo.toml. All covered by the 4 entries seeded in #215 (3 path entries + 1 glob).

Acceptance

  • cargo check --workspace --locked passes.
  • cargo clippy -p xtask --all-targets --locked -- -D warnings clean.
  • cargo fmt --all -- --check clean.
  • All three commands run cleanly in advisory mode.
  • Each produces target/policy/<name>-report.{md,json}.

Follow-ups


Seventh PR in the 12-PR file-policy rollout. Adds three xtask
subcommands that share the same finding model and modes as
check-file-policy but operate over different universes and ledgers.

## Commands

- `cargo xtask check-generated --mode <mode>`
    validates policy/generated-allowlist.toml. Universe is "entries
    only" — the allowlist is itself the declaration of what is
    generated, so there is no "unreceipted generated file" finding.
    Unused detection still runs against all tracked files so a glob
    like `**/*.snap` is correctly flagged "used" if real snapshots exist.

- `cargo xtask check-executable-files --mode <mode>`
    inspects tracked files with the git executable bit (`100755` per
    `git ls-files --stage -z`) and reconciles them against
    policy/executable-allowlist.toml. This is the only check whose
    universe is determined out-of-band (the git bit), so unreceipted
    findings are genuine "executable but not receipted" warnings.

- `cargo xtask check-dependency-surfaces --mode <mode>`
    reconciles Cargo.toml, Cargo.lock, deny.toml, crates/*/Cargo.toml,
    and fuzz/Cargo.* against policy/dependency-surface-allowlist.toml.

## Shared model

All three commands and check-file-policy now share the same:
- Mode enum (advisory | blocking-allowlist | blocking-strict)
- Finding shape (unreceipted, missing_fields, expired, stale, unused)
- Report format (target/policy/<name>-report.{md,json})
- Required-field validator (extended with generator + regen_command
  for the generated set)

The Find/match split between `receipt_universe` and `match_universe`
keeps EntriesOnly behavior correct: the receipt universe is empty so
no unreceipted findings fire, but the match universe is the full
tracked-file set so unused detection works on patterns.

## Acceptance

- cargo check --workspace --locked passes.
- cargo clippy -p xtask --all-targets --locked -- -D warnings clean.
- cargo fmt --all -- --check clean.
- Live results on current main:
    check-generated:           generated=0  entries=1 unreceipted=0 missing=0 expired=0 stale=0 unused=0
    check-executable-files:    files=0      entries=0 unreceipted=0 missing=0 expired=0 stale=0 unused=0
    check-dependency-surfaces: dep_files=16 entries=4 unreceipted=0 missing=0 expired=0 stale=0 unused=0

## Out of scope

- check-workflow-surfaces, check-process-policy, check-network-policy
  (PR 8 / #207)
- Unified policy-report (PR 9 / #208)
- CI wiring (PR 10 / #209)
- DRY-up of the duplicated workspace_root / today_iso / git ls-files
  helpers across the three checker modules (intentional follow-up
  after the ladder lands).

Closes #206.
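As an added illustration of the receipt-universe vs match-universe decision and the shared finding model described above (this is not the project's xtask code), a minimal reconcile in Rust: `receipt_universe` drives `unreceipted`, `match_universe` drives `unused`, and the two demo functions reproduce the check-generated shape (empty receipt universe) and the dep-surface shape (identical universes). The `Entry` shape, the toy glob matcher and all sample paths are assumptions constructed for the example.

```rust
use std::collections::BTreeSet;

// Ledger entry: an exact path or a glob. This toy matcher supports `*` within one
// path segment and a leading `**/` (any depth); the project's real matcher is not
// shown on the page, so this is an assumption.
pub struct Entry { pub pattern: String }
#[derive(Debug, Default, PartialEq, Eq)]
pub struct Counts { pub unreceipted: usize, pub unused: usize }

fn segment_matches(pat: &str, seg: &str) -> bool {
    let mut parts: Vec<&str> = pat.split('*').collect();
    let first = parts.remove(0);
    if !seg.starts_with(first) { return false; }
    let mut rest = &seg[first.len()..];
    if parts.is_empty() { return rest.is_empty(); } // no `*`: exact match
    let last = parts.pop().unwrap();
    for p in parts { // middle pieces must appear in order
        match rest.find(p) { Some(i) => rest = &rest[i + p.len()..], None => return false }
    }
    rest.ends_with(last)
}

fn path_matches(pattern: &str, path: &str) -> bool {
    if let Some(tail) = pattern.strip_prefix("**/") { // `**/` = zero or more leading dirs
        let segs: Vec<&str> = path.split('/').collect();
        return (0..segs.len()).any(|i| path_matches(tail, &segs[i..].join("/")));
    }
    let (p, s): (Vec<&str>, Vec<&str>) = (pattern.split('/').collect(), path.split('/').collect());
    p.len() == s.len() && p.iter().zip(&s).all(|(a, b)| segment_matches(a, b))
}

// receipt_universe drives `unreceipted`; match_universe drives `unused`.
pub fn reconcile(entries: &[Entry], receipt_universe: &BTreeSet<String>, match_universe: &BTreeSet<String>) -> Counts {
    let covered = |f: &str| entries.iter().any(|e| path_matches(&e.pattern, f));
    let used = |e: &Entry| match_universe.iter().any(|f| path_matches(&e.pattern, f));
    Counts {
        unreceipted: receipt_universe.iter().filter(|f| !covered(f.as_str())).count(),
        unused: entries.iter().filter(|e| !used(e)).count(),
    }
}

fn set(v: &[&str]) -> BTreeSet<String> { v.iter().map(|s| s.to_string()).collect() }
fn ledger(v: &[&str]) -> Vec<Entry> { v.iter().map(|s| Entry { pattern: s.to_string() }).collect() }

// check-generated shape: empty receipt universe, full tracked set for matching (constructed data).
pub fn demo_generated() -> Counts {
    let tracked = set(&["src/lib.rs", "tests/snapshots/a.snap", "README.md"]);
    reconcile(&ledger(&["**/*.snap", "gen/schema.rs"]), &BTreeSet::new(), &tracked)
}

// dep-surface shape: both universes are the same scoped dependency-file set (constructed data).
pub fn demo_dep_surfaces() -> Counts {
    let dep = set(&["Cargo.toml", "Cargo.lock", "crates/core/Cargo.toml", "fuzz/Cargo.toml"]);
    reconcile(&ledger(&["Cargo.toml", "Cargo.lock", "crates/*/Cargo.toml"]), &dep, &dep)
}
```

In the generated case the unmatched `gen/schema.rs` entry surfaces as `unused` with no `unreceipted` finding; in the dep-surface case the uncovered `fuzz/Cargo.toml` surfaces as `unreceipted`.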
@coderabbitai

coderabbitai Bot commented May 11, 2026


Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 30 minutes and 27 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d8ff0087-f400-4dda-8c4f-c5622f5f8bdd

📥 Commits

Reviewing files that changed from the base of the PR and between 72ba257 and 4fdb77f.

📒 Files selected for processing (2)
  • xtask/src/checks.rs
  • xtask/src/main.rs

@factory-droid

factory-droid Bot commented May 11, 2026


Droid finished @EffortlessSteven's task.

Droid review validation complete (Phase 2).

No candidates were provided for validation (review_candidates.json comments array is empty).

Inspected surfaces: xtask/src/checks.rs (new 738-line policy reconciliation module), xtask/src/main.rs (new subcommand registrations). This is a pure xtask addition with no changes to shipper-core, shipper-cli, or any publish/reconcile surfaces. Subprocess invocation uses hardcoded git binary with static args (safe, consistent with existing patterns).

Result: Clean review — no actionable findings. LGTM.

@EffortlessSteven EffortlessSteven merged commit 8e45af0 into main May 12, 2026
20 checks passed
@EffortlessSteven EffortlessSteven deleted the feat/xtask-gen-exec-dep-checks-20260511 branch May 12, 2026 00:05