ci(policy): require non-Rust file policy allowlist (#210, rollout PR 11/12) #223
Eleventh PR in the 12-PR file-policy rollout. Promotes five of the seven advisory checks to `--mode blocking-allowlist` in CI:

- check-file-policy
- check-generated
- check-executable-files
- check-dependency-surfaces
- check-workflow-surfaces

check-process-policy and check-network-policy stay at `--mode advisory` until PR 12 (#211).

## What this PR actually does

Promoting check-file-policy from advisory to blocking surfaced two real problems with the prior architecture:

1. **Double counting.** The non-Rust-allowlist checker only consulted `policy/non-rust-allowlist.toml`. Files already receipted in companion ledgers (`generated`, `executable`, `dependency-surface`, `workflow`) were reported as unreceipted by this checker — 945 false unreceipted entries, dominated by the 813 `**/*.snap` files in the generated ledger.
2. **Missing receipts for the actually-uncovered ~107.** PR 2's seeded receipts covered top-level docs, agent files, license, release artifacts, build config, and four broad subtree globs. Repo-internal dotfile dirs (`.cargo/`, `.config/`, `.factory/`, selected `.github/` files), per-crate agent docs, per-crate READMEs, proptest regression seeds, the policy ledgers themselves, and `xtask/Cargo.toml` were all uncovered.

This PR resolves both:

### Refactor: companion-ledger pre-filter

`xtask/src/check_file_policy.rs` now loads the other four ledgers (`generated-allowlist.toml`, `executable-allowlist.toml`, `dependency-surface-allowlist.toml`, `workflow-allowlist.toml`), builds a `CompanionSelector` set, and excludes any tracked file matched by any companion selector before reconciliation. The non-Rust checker now sees ONLY files that aren't receipted elsewhere. Universe drops from 1018 → 178 (the 813 + 9 + ~16 + others handled by companions).

### Receipts: cover the remaining 107

Adds broad-glob receipts for:

- `.cargo/**`
- `.config/**`
- `.factory/**`
- `.github/CODEOWNERS`
- `.github/copilot-instructions.md`
- `.github/settings.yml`
- `.gitignore`
- `crates/**/AGENTS.md`
- `crates/**/CLAUDE.md`
- `crates/*/README.md`
- `crates/*/proptest-regressions/**`
- `policy/**`

And adds `xtask/Cargo.toml` to `dependency-surface-allowlist.toml` (where it belongs — it's a dep manifest). Removed the `fuzz/**` glob from non-rust-allowlist (it was unused after the companion-ledger filter — fuzz tracked files are now all covered by `.rs` exclusion or `fuzz/Cargo.toml` in dep-surface).

### CI: promote five checks

`.github/workflows/ci.yml` `policy` job (was `Policy (advisory)`, renamed to `Policy`) now runs the five blocking checks plus the two advisory checks plus `cargo xtask policy-report`. The unified report step uses `if: always()` so the artifact lands even when one of the blocking checks fails. Upload still uses `actions/upload-artifact@v7` and `if-no-files-found: error`.

### Docs

- `docs/FILE_POLICY.md` "Rollout" section marks PR 11 as the *current state of the rollout* and explains the rename.
- `docs/POLICY_ALLOWLISTS.md` and `docs/policy/NON_RUST_ROLLOUT.md` flip PR 10 to "landed" and PR 11 to "in flight".

## Acceptance (local)

```
cargo xtask check-file-policy --mode blocking-allowlist
file-policy (blocking-allowlist): tracked=178 entries=35 unreceipted=0 missing_fields=0 expired=0 stale=0 unused=0
cargo xtask check-generated --mode blocking-allowlist            (clean)
cargo xtask check-executable-files --mode blocking-allowlist     (clean)
cargo xtask check-dependency-surfaces --mode blocking-allowlist  (clean)
cargo xtask check-workflow-surfaces --mode blocking-allowlist    (clean)
cargo check --workspace --locked                                 OK
cargo clippy -p xtask --all-targets --locked -- -D warnings      clean
cargo fmt --all -- --check                                       clean
```

## Out of scope

- PR 12 (#211): promote check-process-policy and check-network-policy to blocking-allowlist after a clean observational window.
- blocking-strict mode (which fails on unused entries and stale review dates) remains deferred to a future cleanup pass.

Closes #210.
Droid finished @EffortlessSteven's task. Droid review complete. ✅ No candidate comments emitted — diff is clean. Five file-policy checks promoted to blocking-allowlist in CI, companion-ledger pre-filter refactored correctly, and all TOML receipts valid.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dff49756a9
| review_after = "2026-08-11" | ||
|
|
||
| [[file]] | ||
| path = "xtask/Cargo.toml" |
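Review bot: this new `[[file]]` receipt for `path = "xtask/Cargo.toml"` only removes the manifest from check-file-policy's universe; it counts as used only if check-dependency-surfaces itself enumerates xtask/Cargo.toml, and the acceptance run shows that checker merely as "(clean)" in blocking-allowlist mode, which by this PR's own description does not fail on unused entries, so a receipt that no file matches passes silently. Suggest either extending the dependency-surface universe to include xtask/Cargo.toml or confirming that ledger's unused count is 0 in the `cargo xtask policy-report` output before merging.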
Keep xtask manifest in the dependency universe
This new companion receipt causes check-file-policy to defer xtask/Cargo.toml to check-dependency-surfaces, but that checker’s universe in xtask/src/checks.rs::dependency_surface_files only includes root Cargo.toml/Cargo.lock/deny.toml, crates/*/Cargo.toml, and fuzz/Cargo.*. As a result this entry is always reported as unused (and would fail once blocking-strict is enabled), so either the dependency-surface universe should include xtask/Cargo.toml or this manifest should stay covered by the general non-Rust allowlist.
## Summary

Eleventh PR in the 12-PR file-policy rollout. The promotion PR. Five of seven advisory checks become merge-blocking, with one significant refactor + 12 new receipts to make blocking-allowlist actually pass on the current main.

## Issue

Closes #210. Builds on PR 10 (#209, CI advisory wiring). Refines #180. Tracks #109.

## What changed

1. **Refactor: companion-ledger pre-filter** (`xtask/src/check_file_policy.rs`)

   The non-Rust-allowlist checker now loads the other four ledgers (`generated`, `executable`, `dependency-surface`, `workflow`) and excludes any tracked file already matched by a companion selector before reconciliation. Universe drops from 1018 → 178 — the 813 snapshots, 9 workflows, 16 dep-surface manifests etc. are now correctly deferred to their dedicated checkers instead of being double-counted as unreceipted by `check-file-policy`.

2. **Receipts: cover the remaining 107**

   After the companion filter, 107 actually-uncovered files remained. Receipted as broad globs in `policy/non-rust-allowlist.toml`:

   - `.cargo/**`
   - `.config/**`
   - `.factory/**`
   - `.github/CODEOWNERS`, `.github/copilot-instructions.md`, `.github/settings.yml`
   - `.gitignore`
   - `crates/**/AGENTS.md`, `crates/**/CLAUDE.md`
   - `crates/*/README.md`
   - `crates/*/proptest-regressions/**`
   - `policy/**`

   Plus `xtask/Cargo.toml` added to `dependency-surface-allowlist.toml` (it's a dep manifest, not a non-Rust doc). Removed the now-unused `fuzz/**` glob from non-rust-allowlist.

3. **CI: promote five checks**

   `.github/workflows/ci.yml`'s `policy` job (renamed from `Policy (advisory)` to `Policy`) now invokes each check explicitly:

4. **Docs**

   - `docs/FILE_POLICY.md` "Rollout" section now records PR 11 as the current state of the rollout and explains the rename.
   - `docs/POLICY_ALLOWLISTS.md` and `docs/policy/NON_RUST_ROLLOUT.md` flip PR 10 → landed, PR 11 → in flight.

## Live local results

All five blocking checks exit 0 on current main. CI will exit 1 on an unreceipted new non-Rust file.

## Acceptance

- `cargo check --workspace --locked` passes.
- `cargo clippy -p xtask --all-targets --locked -- -D warnings` clean.
- `cargo fmt --all -- --check` clean.
- `policy/*.toml` files parse.
- `.github/workflows/ci.yml` parses.
- `Policy` job's artifact upload uses `if: always()` so failures still produce the report.

## Follow-ups

- Promote `check-process-policy` and `check-network-policy` to `blocking-allowlist` after observing the first scheduled-scan + multi-PR window with the new gates active. Will also want the process-detector false positives narrowed first (see feat(policy): check workflow, process, and network surfaces (#207, rollout PR 8/12) #220).
- `workspace_root`, `today_iso`, `date_is_past`, etc.) across xtask modules.
- `executable-allowlist.toml` properly OR add an exec-bit smoke test that posts a "no executables detected" entry.
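To make the companion-ledger pre-filter concrete (it is described both in the PR description's "Refactor: companion-ledger pre-filter" section and in item 1 of the summary above), here is an added example that is not the project's xtask code: a plain-Rust model of the companion filter followed by reconciliation into the unreceipted/unused/expired counts the checker reports. The hand-rolled glob matcher, the `Receipt` shape, `selector_matches`/`reconcile`, and every sample path and date are assumptions constructed for illustration, not the real ledger format.

```rust
// Added example, not the project's xtask code: a minimal model of the companion-ledger
// pre-filter and reconciliation described in the PR; paths, dates and the glob matcher are constructed.

/// One allowlist receipt: a glob selector plus the date after which it needs re-review.
pub struct Receipt { pub selector: &'static str, pub review_after: &'static str }

/// Match one path segment against one glob segment; `*` matches any run of characters.
fn segment_match(pat: &str, seg: &str) -> bool {
    match pat.find('*') {
        None => pat == seg,
        Some(i) => {
            let (pre, post) = (&pat[..i], &pat[i + 1..]);
            seg.len() >= pre.len() + post.len() && seg.starts_with(pre) && seg.ends_with(post)
        }
    }
}

/// Match `/`-split path segments against `/`-split glob segments; `**` spans zero or more segments.
fn glob_match(pat: &[&str], path: &[&str]) -> bool {
    match (pat.first(), path.first()) {
        (None, None) => true,
        (Some(&"**"), _) => glob_match(&pat[1..], path) || (!path.is_empty() && glob_match(pat, &path[1..])),
        (Some(p), Some(s)) => segment_match(p, s) && glob_match(&pat[1..], &path[1..]),
        _ => false,
    }
}

pub fn selector_matches(selector: &str, path: &str) -> bool {
    let pat: Vec<&str> = selector.split('/').collect();
    let segs: Vec<&str> = path.split('/').collect();
    glob_match(&pat, &segs)
}

/// Non-Rust checker counts (universe, unreceipted, unused, expired); `companions` are the other four ledgers' selectors.
pub fn reconcile(tracked: &[&str], companions: &[&str], receipts: &[Receipt], today: &str) -> (usize, usize, usize, usize) {
    // Pre-filter: Rust sources are out of scope, and anything a companion ledger receipts is
    // deferred to that checker instead of being double-counted here as unreceipted.
    let universe: Vec<&str> = tracked.iter().copied()
        .filter(|p| !p.ends_with(".rs") && !companions.iter().any(|c| selector_matches(c, p)))
        .collect();
    let unreceipted = universe.iter().filter(|p| !receipts.iter().any(|r| selector_matches(r.selector, p))).count();
    // A receipt matched by nothing in the filtered universe is `unused`; only blocking-strict fails on it.
    let unused = receipts.iter().filter(|r| !universe.iter().any(|p| selector_matches(r.selector, p))).count();
    // ISO-8601 dates order lexicographically, so a string comparison finds expired review windows.
    let expired = receipts.iter().filter(|r| r.review_after < today).count();
    (universe.len(), unreceipted, unused, expired)
}

fn main() { println!("{:?}", reconcile(&["README.md", "docs/NEW.md"], &[], &[Receipt { selector: "README.md", review_after: "2026-08-11" }], "2026-03-01")); }
```

A receipt that survives the filter but matches no remaining file shows up in the `unused` count, which is the case the Codex comment raises for the `xtask/Cargo.toml` companion entry.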