test(mountsync): measure scoped team syncer behavior

[khaliqgant]

Summary

• add a Tier-1 local real-Syncer scoping fixture for the team launchMember load model
• prove seeded overlay roots pull remote before push and do not mass-enqueue matching seed content
• prove in-scope member edits flow to WriteFilesBulk while out-of-scope new files are not enqueued
• reject empty, broad, admin, parent, and wrong-path member write scopes in the fixture harness

Scope label

Tier-1 GREEN means scoping-correctness only. It does NOT prove the full section-7 N-load gate. Tier-2 CF Durable Object saturation measurement remains open for <12-inflight / 429 Retry-After / no context-deadline / no object-reset.

Verification

• go test ./internal/mountsync -run 'TestTeamTier1' -count=1\n- go test ./internal/mountsync -count=1\n

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds a new test file internal/mountsync/team_scoped_measurement_test.go with three Tier-1 team-scoped Syncer integration tests, helper constructors for test syncer setup, scope validation logic, and a utility for extracting remote paths from bulk write batches.

Changes

Team-Scoped Syncer Integration Tests

Layer / File(s)	Summary
Syncer helper infrastructure internal/mountsync/team_scoped_measurement_test.go	Helper constructors newTier1TeamMemberSyncer / newTier1TeamMemberSyncerForTest enforce scope validation and verify assigned roots are under the configured remote root. validateTier1MemberWriteScopes parses and validates relayfile:fs:write:* grants, rejects broad workspace/admin write-like scopes, and requires at least one path-scoped grant matching the assigned root. bulkWritePaths extracts and sorts normalized remote file paths from bulk write batches.
Integration tests internal/mountsync/team_scoped_measurement_test.go	TestTeamTier1ScopedSyncerOverlayAndConcurrentWrites provisions per-member harnesses, verifies initial sync pulls the remote tree without bulk writes, then concurrently updates in-scope local README.md files and asserts each member results in exactly one in-scope bulk write reflecting the member's update. TestTeamTier1ScopedWriteTokenFiltersOutOfScopeNewFiles validates scope filtering by creating in-scope and out-of-scope files, running sync, and confirming only the in-scope file appears in bulk writes and remote state. TestTeamTier1MemberSyncerRejectsBroadWriteScopes defines invalid scope configurations and asserts Syncer construction fails for each.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🐰 Three tests for team-scoped Syncers so fair,
With helpers that validate write grants with care,
Concurrent edits dance in remote sync,
Out-of-scope files filtered in a blink,
Team boundaries enforced—let's ship this with flair!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title accurately describes the main change: adding tests to measure scoped team syncer behavior in the mountsync package.
Description check	✅ Passed	The description is directly related to the changeset, detailing the specific tests added and their purposes in validating team scoped syncer functionality.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/team-tier1-scoped-syncer

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Relayfile Eval Review

Run: .relayfile/evals/runs/2026-06-01T03-01-54-680Z-HEAD-provider
Mode: provider
Git SHA: 5d6736d

Passed: 4 | Needs human: 0 | Reviewable: 0 | Missing output: 0 | Failed: 0 | Skipped: 0

Human Review Cases

No reviewable human-review cases captured Relayfile output.

[coderabbitai]

🧹 Nitpick comments (1)

internal/mountsync/team_scoped_measurement_test.go (1)

264-265: 💤 Low value

Consider allowing path-scoped relayfile:fs:manage: grants.

The production scopeGrantsWrite (per context snippet 2) treats manage equivalently to write for authorization. Rejecting all relayfile:fs:manage: scopes—even path-scoped ones matching the assigned root—creates an inconsistency where a valid token with relayfile:fs:manage:/project/cloud/packages/member-a/* would be rejected by the test harness but accepted by production.

If this strictness is intentional for Tier-1, consider adding a comment explaining why manage scopes are excluded.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/mountsync/team_scoped_measurement_test.go` around lines 264 - 265,
The test currently rejects any scope starting with "relayfile:fs:manage:" (case
handling the strings.HasPrefix(scope, "relayfile:fs:manage:") branch) which is
stricter than production's scopeGrantsWrite behavior; update the test to either
(A) allow path-scoped manage grants that are scoped under the token's assigned
root by performing the same path-prefix check you use for write scopes (treat
"manage" the same as "write" when the remainder of the scope is a path under the
assigned root), or (B) if you intentionally want the stricter policy for Tier‑1,
replace this blanket rejection with a comment referencing the intentional
divergence and why manage is excluded; adjust the logic in the function
containing this case to mirror scopeGrantsWrite path-checking or add the
explanatory comment accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/mountsync/team_scoped_measurement_test.go`:
- Around line 264-265: The test currently rejects any scope starting with
"relayfile:fs:manage:" (case handling the strings.HasPrefix(scope,
"relayfile:fs:manage:") branch) which is stricter than production's
scopeGrantsWrite behavior; update the test to either (A) allow path-scoped
manage grants that are scoped under the token's assigned root by performing the
same path-prefix check you use for write scopes (treat "manage" the same as
"write" when the remainder of the scope is a path under the assigned root), or
(B) if you intentionally want the stricter policy for Tier‑1, replace this
blanket rejection with a comment referencing the intentional divergence and why
manage is excluded; adjust the logic in the function containing this case to
mirror scopeGrantsWrite path-checking or add the explanatory comment
accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: a8953ef0-ce07-4413-8664-3b26b3377e1c

📥 Commits

Reviewing files that changed from the base of the PR and between 0c54aa4 and bbcdb58.

📒 Files selected for processing (1)

• internal/mountsync/team_scoped_measurement_test.go

[cubic-dev-ai]

No issues found across 1 file

_{Re-trigger cubic}

[agent-relay-bot]

Reviewed PR #227 and made one fix in team_scoped_measurement_test.go: the Tier-1 helper now rejects exact assigned-root write scopes without /*, because those tokens do not grant writes to child files under the syncer’s scope matching.

Local checks run with a temporary Go 1.22.12 toolchain:
go test ./internal/mountsync
go test ./internal/mountsync -run 'TestTeamTier1' -count=1 -timeout=30s
go test ./...
go build ./cmd/relayfile ./cmd/relayfile-mount ./cmd/relayfile-cli
go vet ./...
./scripts/check-contract-surface.sh

[agent-relay-bot]

✅ pr-reviewer applied fixes — committed and pushed 0b99b84 to this PR. The notes below describe what changed.

Reviewed PR #227 and made one fix in team_scoped_measurement_test.go: the Tier-1 helper now rejects exact assigned-root write scopes without /*, because those tokens do not grant writes to child files under the syncer’s scope matching.

Local checks run with a temporary Go 1.22.12 toolchain:
go test ./internal/mountsync
go test ./internal/mountsync -run 'TestTeamTier1' -count=1 -timeout=30s
go test ./...
go build ./cmd/relayfile ./cmd/relayfile-mount ./cmd/relayfile-cli
go vet ./...
./scripts/check-contract-surface.sh

[agent-relay-bot]

✅ pr-reviewer applied fixes — committed and pushed 0b99b84 to this PR. The notes below describe what changed.

Reviewed PR #227 and made one fix in team_scoped_measurement_test.go: the Tier-1 helper now rejects exact assigned-root write scopes without /*, because those tokens do not grant writes to child files under the syncer’s scope matching.

Local checks run with a temporary Go 1.22.12 toolchain:
go test ./internal/mountsync
go test ./internal/mountsync -run 'TestTeamTier1' -count=1 -timeout=30s
go test ./...
go build ./cmd/relayfile ./cmd/relayfile-mount ./cmd/relayfile-cli
go vet ./...
./scripts/check-contract-surface.sh