feat(policy): check generated, executable, and dependency surfaces (#206, rollout PR 7/12) #219
Seventh PR in the 12-PR file-policy rollout. Adds three xtask subcommands that share the same finding model and modes as check-file-policy but operate over different universes and ledgers.

## Commands

- `cargo xtask check-generated --mode <mode>` validates policy/generated-allowlist.toml. Universe is "entries only" — the allowlist is itself the declaration of what is generated, so there is no "unreceipted generated file" finding. Unused detection still runs against all tracked files so a glob like `**/*.snap` is correctly flagged "used" if real snapshots exist.
- `cargo xtask check-executable-files --mode <mode>` inspects tracked files with the git executable bit (`100755` per `git ls-files --stage -z`) and reconciles them against policy/executable-allowlist.toml. This is the only check whose universe is determined out-of-band (the git bit), so unreceipted findings are genuine "executable but not receipted" warnings.
- `cargo xtask check-dependency-surfaces --mode <mode>` reconciles Cargo.toml, Cargo.lock, deny.toml, crates/*/Cargo.toml, and fuzz/Cargo.* against policy/dependency-surface-allowlist.toml.

## Shared model

All three commands and check-file-policy now share the same:

- Mode enum (advisory | blocking-allowlist | blocking-strict)
- Finding shape (unreceipted, missing_fields, expired, stale, unused)
- Report format (target/policy/<name>-report.{md,json})
- Required-field validator (extended with generator + regen_command for the generated set)

The Find/match split between `receipt_universe` and `match_universe` keeps EntriesOnly behavior correct: the receipt universe is empty so no unreceipted findings fire, but the match universe is the full tracked-file set so unused detection works on patterns.

## Acceptance

- cargo check --workspace --locked passes.
- cargo clippy -p xtask --all-targets --locked -- -D warnings clean.
- cargo fmt --all -- --check clean.
- Live results on current main:
  - check-generated: generated=0 entries=1 unreceipted=0 missing=0 expired=0 stale=0 unused=0
  - check-executable-files: files=0 entries=0 unreceipted=0 missing=0 expired=0 stale=0 unused=0
  - check-dependency-surfaces: dep_files=16 entries=4 unreceipted=0 missing=0 expired=0 stale=0 unused=0

## Out of scope

- check-workflow-surfaces, check-process-policy, check-network-policy (PR 8 / #207)
- Unified policy-report (PR 9 / #208)
- CI wiring (PR 10 / #209)
- DRY-up of the duplicated workspace_root / today_iso / git ls-files helpers across the three checker modules (intentional follow-up after the ladder lands).

Closes #206.
Droid finished @EffortlessSteven's task. Droid review validation complete (Phase 2). No candidates were provided for validation (review_candidates.json comments array is empty). Inspected surfaces: xtask/src/checks.rs (new 738-line policy reconciliation module), xtask/src/main.rs (new subcommand registrations). This is a pure xtask addition with no changes to shipper-core, shipper-cli, or any publish/reconcile surfaces. Subprocess invocation uses hardcoded Result: Clean review — no actionable findings. LGTM.
## Summary

Seventh PR in the 12-PR file-policy rollout. Three new xtask subcommands sharing the same finding model + modes as `check-file-policy` but operating over different universes and ledgers.

## Issue

Closes #206. Depends on #202 (ledgers), #212 (xtask), #204 (file-policy checker as the shape we mirror). Refines #180. Tracks #109.

## Commands

- `cargo xtask check-generated` reconciles against `policy/generated-allowlist.toml`.
- `cargo xtask check-executable-files` (`100755`) reconciles against `policy/executable-allowlist.toml`.
- `cargo xtask check-dependency-surfaces` reconciles against `policy/dependency-surface-allowlist.toml`.

All three accept `--mode advisory|blocking-allowlist|blocking-strict` (default `advisory`).

## Decision: receipt-universe vs match-universe split

For `check-generated`, the allowlist itself defines what is generated; there is no out-of-band "this file is generated" signal. So the receipt universe is empty. But the match universe must still be the full tracked-file set so a glob like `**/*.snap` registers as "used" if real snapshots exist.

The `reconcile` function now takes both:

- `receipt_universe` → drives the unreceipted finding.
- `match_universe` → drives the unused entry finding.

For executable + dep-surface checks, the two are identical (the scoped universe is what entries must cover and what they may match against).

## Live result on this branch

The `dep_files=16` resolves to: root `Cargo.toml`, root `Cargo.lock`, 13 `crates/*/Cargo.toml`, and `fuzz/Cargo.toml`. All covered by the 4 entries seeded in #215 (3 path entries + 1 glob).

## Acceptance

- `cargo check --workspace --locked` passes.
- `cargo clippy -p xtask --all-targets --locked -- -D warnings` clean.
- `cargo fmt --all -- --check` clean.
- `target/policy/<name>-report.{md,json}`.

## Follow-ups

- `check-workflow-surfaces`, `check-process-policy`, `check-network-policy`.
- `policy-report` aggregates these alongside `check-file-policy`.
- `workspace_root` / `today_iso` / `git ls-files` helpers across the three checker modules can be lifted to a `xtask/src/util.rs` after the ladder lands.
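The two mechanisms the description leans on, deriving the executable-file universe from `git ls-files --stage -z` (Commands) and the receipt-universe vs match-universe split in `reconcile` (Decision), worked through as an added Rust example. This is the editor's illustration, not the xtask code from this PR or from the repository. It assumes that allowlist entries are plain path-or-glob strings, a minimal glob dialect where `**` spans path segments and `*` spans characters within one segment, a constructed `SAMPLE_STAGE` input, and an exit-code policy per mode (advisory never fails, blocking-allowlist fails on unreceipted paths, blocking-strict fails on any finding); none of those details are stated on the page.

```rust
// Added example, not the xtask code from this PR. Assumed: entries are plain
// path-or-glob strings, the glob dialect below, and the exit-code policy per mode.
use std::collections::BTreeSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Mode {
    Advisory,
    BlockingAllowlist,
    BlockingStrict,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Finding {
    /// A path in the receipt universe that no entry covers.
    Unreceipted(String),
    /// An entry that matches nothing in the match universe.
    Unused(String),
}

/// Parse `git ls-files --stage -z` output: NUL-terminated records of the form
/// "<mode> <object> <stage>\t<path>". Returns (mode, path) pairs.
pub fn parse_stage(output: &[u8]) -> Vec<(String, String)> {
    output
        .split(|&b| b == 0)
        .filter(|rec| !rec.is_empty())
        .filter_map(|rec| {
            let rec = String::from_utf8_lossy(rec);
            let (meta, path) = rec.split_once('\t')?;
            let mode = meta.split(' ').next()?;
            Some((mode.to_string(), path.to_string()))
        })
        .collect()
}

/// Every tracked path: the match universe for the entries-only generated check.
pub fn tracked_paths(output: &[u8]) -> BTreeSet<String> {
    parse_stage(output).into_iter().map(|(_, p)| p).collect()
}

/// Tracked paths carrying the executable bit: the out-of-band universe for
/// check-executable-files, used as both receipt and match universe.
pub fn executable_paths(output: &[u8]) -> BTreeSet<String> {
    parse_stage(output)
        .into_iter()
        .filter(|(mode, _)| mode == "100755")
        .map(|(_, p)| p)
        .collect()
}

/// Minimal glob (assumed dialect): `**` spans zero or more path segments,
/// `*` spans zero or more characters inside one segment, anything else is literal.
pub fn glob_match(pattern: &str, path: &str) -> bool {
    fn seg(p: &[char], s: &[char]) -> bool {
        match p.split_first() {
            None => s.is_empty(),
            Some((&'*', rest)) => seg(rest, s) || (!s.is_empty() && seg(p, &s[1..])),
            Some((c, rest)) => s.first() == Some(c) && seg(rest, &s[1..]),
        }
    }
    fn segs(p: &[&str], s: &[&str]) -> bool {
        match p.split_first() {
            None => s.is_empty(),
            Some((h, rest)) if *h == "**" => segs(rest, s) || (!s.is_empty() && segs(p, &s[1..])),
            Some((h, rest)) => match s.split_first() {
                Some((sh, srest)) => {
                    let (hp, hs): (Vec<char>, Vec<char>) = (h.chars().collect(), sh.chars().collect());
                    seg(&hp, &hs) && segs(rest, srest)
                }
                None => false,
            },
        }
    }
    let p: Vec<&str> = pattern.split('/').collect();
    let s: Vec<&str> = path.split('/').collect();
    segs(&p, &s)
}

/// `receipt_universe` drives Unreceipted; `match_universe` drives Unused. The generated
/// check passes an empty receipt universe plus all tracked files as the match universe,
/// so its patterns are still exercised while nothing can be reported unreceipted.
pub fn reconcile(
    entries: &[&str],
    receipt_universe: &BTreeSet<String>,
    match_universe: &BTreeSet<String>,
) -> Vec<Finding> {
    let mut findings = Vec::new();
    for path in receipt_universe {
        if !entries.iter().any(|e| glob_match(e, path)) {
            findings.push(Finding::Unreceipted(path.clone()));
        }
    }
    for entry in entries {
        if !match_universe.iter().any(|p| glob_match(entry, p)) {
            findings.push(Finding::Unused(entry.to_string()));
        }
    }
    findings
}

/// Assumed exit policy: advisory never fails; blocking-allowlist fails only on
/// unreceipted paths; blocking-strict fails on any finding, unused entries included.
pub fn exit_code(mode: Mode, findings: &[Finding]) -> i32 {
    let unreceipted = findings.iter().any(|f| matches!(f, Finding::Unreceipted(_)));
    match mode {
        Mode::Advisory => 0,
        Mode::BlockingAllowlist => i32::from(unreceipted),
        Mode::BlockingStrict => i32::from(!findings.is_empty()),
    }
}

/// Constructed sample of `git ls-files --stage -z` output (not real repository data).
pub const SAMPLE_STAGE: &[u8] = b"100644 0000000000000000000000000000000000000001 0\tREADME.md\0\
100755 0000000000000000000000000000000000000002 0\tscripts/release.sh\0\
100755 0000000000000000000000000000000000000003 0\ttools/gen.py\0\
100644 0000000000000000000000000000000000000004 0\tcrates/foo/tests/snapshots/basic.snap\0";

fn main() {
    let execs = executable_paths(SAMPLE_STAGE);
    let exec_findings = reconcile(&["scripts/release.sh", "bin/*"], &execs, &execs);
    println!("executable: {exec_findings:?} exit={}", exit_code(Mode::BlockingAllowlist, &exec_findings));
    let generated = reconcile(&["**/*.snap"], &BTreeSet::new(), &tracked_paths(SAMPLE_STAGE));
    println!("generated: {generated:?} exit={}", exit_code(Mode::BlockingStrict, &generated));
}
```

With the constructed stage output, the executable check reports `tools/gen.py` as unreceipted (it has the bit but no entry) and `bin/*` as unused, and fails under blocking-allowlist; the generated check, with an empty receipt universe, reports nothing for `**/*.snap` because the snapshot file is present in the match universe, which is exactly the behaviour the split is meant to preserve.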