`433b238`

S15: lint-policy-boundary guard + make target

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 6 days ago

SHA: 433b2385ac353e62c776c36c87f1c53b4b152a41
Parents: e0a88b7
Tree: 0eb22ea

2 changed files

Status	File	+	-
M	`Makefile`	5	2
A	`scripts/lint-policy-boundary.sh`	71	0

Makefilemodified

  # Targets mirror what CI runs. The Makefile is the source of truth.
  .DEFAULT_GOAL := help
 -.PHONY: help dev build test test-race lint fmt tidy clean ci assets install-tools version
 +.PHONY: help dev build test test-race lint lint-policy fmt tidy clean ci assets install-tools version
  # Build metadata embedded into the binary via -ldflags.
  VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo dev)
  		echo "warn: .refs/primer-css/dist not found; run 'git clone https://github.com/primer/css .refs/primer-css' first"; \
  	fi
 -ci: lint test build ## Full CI pipeline (matches .github/workflows/ci.yml).
 +ci: lint lint-policy test build ## Full CI pipeline (matches .github/workflows/ci.yml).
  	@echo "ci: ok"
 +lint-policy: ## Enforce policy-package boundary (no inline auth checks in handlers/git/cmd).
 +	@scripts/lint-policy-boundary.sh
++
  install-tools: ## Install development tools via 'go install'.
  	go install mvdan.cc/gofumpt@latest
  	go install golang.org/x/tools/cmd/goimports@latest

scripts/lint-policy-boundary.shadded

 +#!/usr/bin/env bash
 +# SPDX-License-Identifier: AGPL-3.0-or-later
 +#
 +# Fail when authorization decisions leak outside internal/auth/policy.
 +# After S15, every "is this actor allowed to do X?" check must flow
 +# through policy.Can(); handler/git/cmd code must not branch on
 +# ownership, visibility, or collaborator state inline.
 +#
 +# The check looks for these smells in handler/git/hook code:
 +#   - `OwnerUserID == ` or `== row.OwnerUserID` style equality compares
 +#   - `Visibility == reposdb.Repo` equality compares
 +#   - `IsArchived` used as a control-flow predicate (not a parameter)
 +#
 +# Pure data-plumbing references (constructing sqlc.Params, returning
 +# the column from a query, logging) are allowed — those don't decide
 +# anything.
 +#
 +# Allowed locations (carved out below):
 +#   internal/auth/policy/...
 +#   internal/repos/...           (repo-create + repo orchestration)
 +#   internal/web/handlers/repo/  (constructs the policy actor; lookup
 +#                                 wrapper is policy-aware)
 +#   *_test.go everywhere         (tests legitimately seed state)
 +#
 +# The script exits 0 when no violations are found, 1 otherwise. Run as
 +# part of `make ci`.
++
 +set -euo pipefail
++
 +cd "$(git rev-parse --show-toplevel)"
++
 +# Patterns that smell like an inline auth decision.
 +PATTERNS=(
 +  '\.OwnerUserID == '
 +  '\.OwnerUserID\.Int64 == '
 +  '== .*\.OwnerUserID'
 +  '\.Visibility == .*RepoVisibility'
 +  'if .*\.IsArchived '
 +)
++
 +# Files we're guarding — anywhere a request handler or hook lives.
 +INCLUDE=(
 +  ':!internal/auth/policy/*'
 +  ':!internal/repos/*'
 +  ':!internal/web/handlers/repo/*'
 +  ':!**/*_test.go'
 +)
++
 +violations=0
 +for pat in "${PATTERNS[@]}"; do
 +  matches=$(git grep -nE "$pat" -- \
 +    'internal/web/handlers' 'internal/git' 'cmd/shithubd' \
 +    "${INCLUDE[@]}" 2>/dev/null || true)
 +  if [[ -n "$matches" ]]; then
 +    echo "policy boundary violation — pattern: $pat"
 +    echo "$matches" | sed 's/^/  /'
 +    echo
 +    violations=1
 +  fi
 +done
++
 +if [[ "$violations" -ne 0 ]]; then
 +  echo "------------------------------------------------------------"
 +  echo "Authorization checks must flow through internal/auth/policy."
 +  echo "If your case is legitimate data plumbing (e.g. a sqlc.Params"
 +  echo "field), refactor to read the value from a struct field rather"
 +  echo "than compare inline."
 +  echo "------------------------------------------------------------"
 +  exit 1
 +fi
 +echo "policy boundary: clean"