feat(policy): add unified policy-report (#208, rollout PR 9/12) #221
Ninth PR in the 12-PR file-policy rollout. Adds `cargo xtask
policy-report` which runs every advisory check and aggregates the
results into target/policy/policy-report.{md,json}.
## Behavior
policy-report invokes each of the seven check functions in advisory
mode:
- `check_file_policy::check`
- `checks::check_generated`
- `checks::check_executable_files`
- `checks::check_dependency_surfaces`
- `workflow_checks::check_workflow_surfaces`
- `workflow_checks::check_process_policy`
- `workflow_checks::check_network_policy`
Each sub-check writes its own target/policy/*-report.json (as in
previous PRs). policy-report then reads back the seven JSON artifacts,
lifts each one's `summary` block, picks a headline metric per area
(unreceipted | invalid_policy_refs | unknown_total | missing_fields |
expired | stale | unused — first non-zero wins; falls back to a
universe-size-keyed "clean" row), and emits a unified MD + JSON.
## Decisions
- **Advisory only.** No --mode flag. Promotion to blocking is the job
of PRs 10/11/12; they tighten CI's invocation of the individual
checks. Adding modes here would duplicate state.
- **Re-run vs read-only.** policy-report always re-runs the sub-checks
so the aggregated report reflects current state, not stale artifacts
from a prior session. Cost is small — each sub-check is a few
hundred ms.
- **Untyped JSON re-read for aggregation.** Each sub-report has a
different schema. Lifting the `summary` block as `serde_json::Value`
is simpler and more robust than maintaining seven typed deserializers
in xtask. The headline metric is computed from the same Value.
## Acceptance
- cargo check --workspace --locked passes.
- cargo clippy -p xtask --all-targets --locked -- -D warnings clean.
- cargo fmt --all -- --check clean.
- `cargo xtask policy-report` ran on this branch:
wrote unified policy-report (7 areas, 7 headline rows)
- target/policy/policy-report.md and target/policy/policy-report.json
both produced.
Headline on current main:

| Area | Headline metric | Value |
|---|---|---|
| Non-Rust file policy | unreceipted | 945 |
| Generated files | _clean_ | 0 (universe) |
| Executable files | _clean_ | 0 (universe) |
| Dependency surfaces | _clean_ | 16 (universe) |
| Workflow surfaces | _clean_ | 9 (universe) |
| Process policy | unknown_total | 10 |
| Network policy | _clean_ | 9 (universe) |
The two non-clean rows match the documented expected state: 945
unreceipted files because PR 2's seeded receipts intentionally cover
only a slice of the workspace, and 10 false-positive process tokens
because the PR 8 detector is grep-style (see #220 PR body OPEN
question).
## Out of scope
- PR 10 (#209) — wire the advisory checks into CI as a job and upload
target/policy/ as an artifact.
- PR 11 (#210) — promote file/generated/executable/dependency/workflow
checks to blocking.
- PR 12 (#211) — promote process/network checks to blocking.
Closes #208.
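The headline-selection and row-rendering logic described in Behavior and Decisions above, as an added illustration rather than xtask's own code: the lifted `summary` block is modelled as a std-only `BTreeMap` instead of `serde_json::Value`, the `universe` key name and all sample counts are assumptions/constructed, and a sub-check whose artifact is missing is rendered explicitly instead of falling through to a clean row.

```rust
use std::collections::BTreeMap;

/// Lifted `summary` block of one *-report.json, modelled as a map of
/// counters (xtask keeps it as serde_json::Value; simplification here).
pub type Summary = BTreeMap<String, u64>;

/// Headline keys in priority order: the first non-zero count wins.
const HEADLINE_KEYS: [&str; 7] = [
    "unreceipted", "invalid_policy_refs", "unknown_total",
    "missing_fields", "expired", "stale", "unused",
];

/// Key holding the area's universe size (assumed name, not from the PR).
const UNIVERSE_KEY: &str = "universe";

#[derive(Debug, PartialEq)]
pub struct Headline { pub metric: String, pub value: u64, pub clean: bool }

pub fn pick_headline(summary: &Summary) -> Headline {
    for key in HEADLINE_KEYS {
        // A key absent from this area's schema is treated as zero.
        let n = summary.get(key).copied().unwrap_or(0);
        if n > 0 {
            return Headline { metric: key.to_string(), value: n, clean: false };
        }
    }
    let universe = summary.get(UNIVERSE_KEY).copied().unwrap_or(0);
    Headline { metric: "_clean_".to_string(), value: universe, clean: true }
}

/// One markdown row per area. A missing artifact (sub-check wrote no
/// report) is reported as such rather than silently rendered as clean.
pub fn render_row(area: &str, summary: Option<&Summary>) -> String {
    match summary {
        None => format!("| {} | _missing artifact_ | - |", area),
        Some(s) => {
            let h = pick_headline(s);
            let suffix = if h.clean { " (universe)" } else { "" };
            format!("| {} | {} | {}{} |", area, h.metric, h.value, suffix)
        }
    }
}

/// Build a Summary from constructed sample counters.
pub fn summary_of(pairs: &[(&str, u64)]) -> Summary {
    pairs.iter().map(|(k, v)| (k.to_string(), *v)).collect()
}

fn main() {
    // Constructed inputs; the counts are not taken from any real run.
    let rows = [
        ("Non-Rust file policy", Some(summary_of(&[("universe", 1200), ("unreceipted", 945)]))),
        ("Dependency surfaces", Some(summary_of(&[("universe", 16)]))),
        ("Process policy", Some(summary_of(&[("universe", 10), ("unknown_total", 10)]))),
        ("Network policy", None),
    ];
    for (area, s) in &rows {
        println!("{}", render_row(area, s.as_ref()));
    }
}
```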
## Summary
Ninth PR in the 12-PR file-policy rollout. Adds `cargo xtask policy-report`, which runs every advisory check and aggregates the seven `*-report.json` artifacts into a single target/policy/policy-report.{md,json}.
## Issue
Closes #208. Consumes outputs from #217 (file-policy), #219 (gen/exec/dep), #220 (workflow/process/network). Refines #180. Tracks #109.
## Headline on current main
The two non-clean rows are the documented expected state — 945 unreceipted is PR 2's deliberately-partial seed, 10 unknown commands are PR 8's grep-detector false positives.
## Decisions
- **Advisory only.** No `--mode` flag. Promotion to blocking belongs to PRs 10/11/12 (they tighten how CI invokes the individual sub-checks). Adding modes here would duplicate state.
- **Headline metric.** First non-zero of `unreceipted`, `invalid_policy_refs`, `unknown_total`, `missing_fields`, `expired`, `stale`, `unused`. If everything is zero, emits a "clean" row keyed on the universe size.
- **Untyped JSON re-read.** Lifting the `summary` block as `serde_json::Value` is simpler than maintaining seven typed deserializers.
## Acceptance
- `cargo check --workspace --locked` passes.
- `cargo clippy -p xtask --all-targets --locked -- -D warnings` clean.
- `cargo fmt --all -- --check` clean.
- `cargo xtask policy-report` produces both artifacts (policy-report.md, policy-report.json).
## Follow-ups
- PR 10 (#209): upload target/policy/ as an artifact.
- `workspace_root`/`today_iso` helpers across the now-five xtask modules.