`433b238`

S15: lint-policy-boundary guard + make target

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 6 days ago

SHA: 433b2385ac353e62c776c36c87f1c53b4b152a41
Parents: e0a88b7
Tree: 0eb22ea

2 changed files

Status	File	+	-
M	`Makefile`	5	2
A	`scripts/lint-policy-boundary.sh`	71	0

Makefilemodified

  # Targets mirror what CI runs. The Makefile is the source of truth.
  .DEFAULT_GOAL := help
--.PHONY: help dev build test test-race lint fmt tidy clean ci assets install-tools version
++.PHONY: help dev build test test-race lint lint-policy fmt tidy clean ci assets install-tools version
  # Build metadata embedded into the binary via -ldflags.
  VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo dev)
  		echo "warn: .refs/primer-css/dist not found; run 'git clone https://github.com/primer/css .refs/primer-css' first"; \
  	fi
--ci: lint test build ## Full CI pipeline (matches .github/workflows/ci.yml).
++ci: lint lint-policy test build ## Full CI pipeline (matches .github/workflows/ci.yml).
  	@echo "ci: ok"
++lint-policy: ## Enforce policy-package boundary (no inline auth checks in handlers/git/cmd).
++	@scripts/lint-policy-boundary.sh
++
  install-tools: ## Install development tools via 'go install'.
  	go install mvdan.cc/gofumpt@latest
  	go install golang.org/x/tools/cmd/goimports@latest

scripts/lint-policy-boundary.shadded

++#!/usr/bin/env bash
++# SPDX-License-Identifier: AGPL-3.0-or-later
++#
++# Fail when authorization decisions leak outside internal/auth/policy.
++# After S15, every "is this actor allowed to do X?" check must flow
++# through policy.Can(); handler/git/cmd code must not branch on
++# ownership, visibility, or collaborator state inline.
++#
++# The check looks for these smells in handler/git/hook code:
++#   - `OwnerUserID == ` or `== row.OwnerUserID` style equality compares
++#   - `Visibility == reposdb.Repo` equality compares
++#   - `IsArchived` used as a control-flow predicate (not a parameter)
++#
++# Pure data-plumbing references (constructing sqlc.Params, returning
++# the column from a query, logging) are allowed — those don't decide
++# anything.
++#
++# Allowed locations (carved out below):
++#   internal/auth/policy/...
++#   internal/repos/...           (repo-create + repo orchestration)
++#   internal/web/handlers/repo/  (constructs the policy actor; lookup
++#                                 wrapper is policy-aware)
++#   *_test.go everywhere         (tests legitimately seed state)
++#
++# The script exits 0 when no violations are found, 1 otherwise. Run as
++# part of `make ci`.
++
++set -euo pipefail
++
++cd "$(git rev-parse --show-toplevel)"
++
++# Patterns that smell like an inline auth decision.
++PATTERNS=(
++  '\.OwnerUserID == '
++  '\.OwnerUserID\.Int64 == '
++  '== .*\.OwnerUserID'
++  '\.Visibility == .*RepoVisibility'
++  'if .*\.IsArchived '
++)
++
++# Files we're guarding — anywhere a request handler or hook lives.
++INCLUDE=(
++  ':!internal/auth/policy/*'
++  ':!internal/repos/*'
++  ':!internal/web/handlers/repo/*'
++  ':!**/*_test.go'
++)
++
++violations=0
++for pat in "${PATTERNS[@]}"; do
++  matches=$(git grep -nE "$pat" -- \
++    'internal/web/handlers' 'internal/git' 'cmd/shithubd' \
++    "${INCLUDE[@]}" 2>/dev/null || true)
++  if [[ -n "$matches" ]]; then
++    echo "policy boundary violation — pattern: $pat"
++    echo "$matches" | sed 's/^/  /'
++    echo
++    violations=1
++  fi
++done
++
++if [[ "$violations" -ne 0 ]]; then
++  echo "------------------------------------------------------------"
++  echo "Authorization checks must flow through internal/auth/policy."
++  echo "If your case is legitimate data plumbing (e.g. a sqlc.Params"
++  echo "field), refactor to read the value from a struct field rather"
++  echo "than compare inline."
++  echo "------------------------------------------------------------"
++  exit 1
++fi
++echo "policy boundary: clean"