feat (jans-cedarling): Support new Policy Store ZIP format

[haileyesus2433]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #12253

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

• New Features

  • Directory-based and Cedar Archive (.cjar) policy stores with automatic format detection (URI/path); load archives from bytes (including WASM) and via URL/local paths
  • Trusted-issuer-aware JWT validation with required-claims enforcement and multi-token validation

• Documentation

  • Expanded "Policy Store Formats" and "Policy Store Sources" guidance across Go, Java, JavaScript (WASM), Python, Rust, and bindings

• Improvements

  • Manifest integrity checks, richer policy-store metadata, unified VFS/backends, and improved HTTP retry/backoff behavior

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[mo-auto]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds new directory-based and Cedar Archive (.cjar) policy store formats with auto-detection, ZIP-backed VFS, manifest/metadata/schema/policy/entity/issuer parsing and validation, archive-bytes/WASM entrypoints, conversion to legacy PolicyStore, trusted-issuer JWT validation, async HTTP retry refactor, docs, tests, and benchmarks.

Changes

Cohort / File(s)	Summary
Docs & Tutorials docs/cedarling/reference/cedarling-policy-store.md, docs/cedarling/reference/cedarling-properties.md, docs/cedarling/tutorials/go.md, .../java.md, .../javascript.md, .../python.md, .../rust.md	Add Policy Store Formats and Policy Store Sources guidance, WASM notes, examples for directory/.cjar/archive-bytes across language tutorials and properties.
Bindings & WASM examples jans-cedarling/bindings/*/README.md, jans-cedarling/bindings/cedarling_wasm/example_data.js	Document new policy store sources per binding; add WASM examples and sample CEDARLING_POLICY_STORE_URI.
WASM API jans-cedarling/bindings/cedarling_wasm/src/lib.rs	New exported async init_from_archive_bytes(config, archive_bytes) to initialize Cedarling from archive bytes; JsValue deserialization integration.
Cargo / Build / Lint jans-cedarling/cedarling/Cargo.toml, clippy.toml	Add dependencies (vfs, hex, sha2, zip, tempfile), add benchmark entry; add clippy disallowed-method entry for SystemTime::now.
VFS & Archive handling jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs, .../vfs_adapter.rs	Introduce ArchiveVfs (ZIP-backed VFS), PhysicalVfs and MemoryVfs adapters, path normalization, directory listing, secure path-traversal protections and platform-specific constructors.
Policy-store core types jans-cedarling/cedarling/src/common/policy_store.rs, .../metadata.rs	New modules, re-exports, PolicyStoreMetadata/PolicyStoreManifest/FileInfo types; PolicyStoreWithID gains optional metadata; RawPolicy now includes description.
Manifest & manifest validator jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs	Load and validate manifest.json, compute/verify SHA‑256 checksums, discover unlisted files, provide ManifestValidationResult and errors.
Loader & conversion manager jans-cedarling/cedarling/src/common/policy_store/loader.rs, .../manager.rs	DefaultPolicyStoreLoader supports directories, archives, and bytes; LoadedPolicyStore types; PolicyStoreManager converts LoadedPolicyStore -> legacy PolicyStore with ConversionError and logging-aware conversion.
Parsers: policy / schema / entity / issuer .../policy_parser.rs, .../schema_parser.rs, .../entity_parser.rs, .../issuer_parser.rs	New robust parsers and validation: policy/template ID extraction, Cedar schema parsing, entity JSON parsing (duplicates, hierarchy), trusted-issuer parsing and token_metadata validation.
Validation utilities .../validator.rs, .../log_entry.rs	MetadataValidator, validation helpers (ID/version/date checks), PolicyStoreLogEntry, accessor methods on PolicyStoreMetadata, and constants.
Tests, test utils & security tests .../test_utils.rs, .../loader_tests.rs, .../archive_security_tests.rs, .../test.rs, src/tests/policy_store_loader.rs	PolicyStoreTestBuilder, fixtures, extensive unit/integration/security tests covering directories, archives, manifests, entities, issuers, path traversal, corrupt archives, and end-to-end scenarios.
Benchmarks jans-cedarling/cedarling/benches/policy_store_benchmark.rs	Criterion benchmarks for creating/parsing archives and directory creation (native), measuring archive parsing and entity counts.
Bootstrap & config decoding jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs, .../decode.rs, .../mod.rs	New PolicyStoreSource variants: Directory, CjarFile, CjarUrl, ArchiveBytes; TryFrom conversion with validation, MissingCjarUrl error, and auto-detection of local path type.
Init & service integration jans-cedarling/cedarling/src/init/policy_store.rs, .../service_factory.rs	Dispatch new sources (directory, cjar file/url, archive bytes), HTTP fetch for CjarUrl, convert loaded stores to legacy via PolicyStoreManager, expose policy_store_metadata() accessor.
HTTP / retry refactor jans-cedarling/cedarling/src/http/mod.rs, http_utils/src/lib.rs	Switch to async reqwest Client with http_utils Sender-based exponential backoff; add get_bytes/send_text/send_bytes and centralize retry loop; new decode error variants.
JWT trusted-issuer validation jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs, .../jwt/mod.rs, .../validation.rs, .../validation/validator.rs	TrustedIssuerValidator implementation (issuer resolution, OIDC/JWKS fetch + caching, required-claims validation), re-exports, integration into JwtService, and new error mapping.
Varying visibility & API tweaks .../lib.rs, .../lock/mod.rs, .../log/log_strategy.rs, .../common/app_types.rs, .../authz/trust_mode.rs	Public re-exports for JWT validator, expose LockService and LogStrategy, PdpID visibility change, minor test adjustments and API surface visibility changes.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~150 minutes

Possibly related issues

• #12887 — Documentation and .cjar support: this PR adds .cjar archive handling, archive-bytes WASM entrypoints, and docs consistent with that request.
• #12881 — End-to-end loader tests: this PR introduces extensive integration tests (src/tests/policy_store_loader.rs) exercising directory/.cjar loading and manifest scenarios.
• #12769 — PolicyStoreManager & format detection: this PR implements PolicyStoreManager, automatic source detection, and bootstrap/init wiring for new sources.
• #11207 — Schema/metadata validation: this PR adds Cedar schema parsing/validation and policy-store metadata/manifest validation code.

Possibly related PRs

• PR #12819 — Strong overlap: directory/.cjar loaders, ArchiveVfs, loader/manager/manifest modules, and bootstrap changes appear to target the same subsystem.
• PR #12903 — WASM & docs overlap: adds docs and WASM archive-bytes initialization (init_from_archive_bytes) similar to this PR.
• PR #12768 — Default-entities interaction: touches default-entity parsing/representation that interacts with the new entity parser and manager conversion.

Suggested reviewers

• olehbozhok
• dagregi

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'feat (jans-cedarling): Support new Policy Store ZIP format' clearly and concisely describes the main feature addition—support for the new Policy Store ZIP format, which is the primary objective of this changeset.
Description check	✅ Passed	The PR description is mostly complete with target issue (#12253) clearly identified, testing/documentation confirmation checkboxes marked, and author confirmation of following guidelines. However, implementation details section is empty.
Linked Issues check	✅ Passed	The changeset comprehensively implements all major coding requirements from #12253: new Policy Store sources (Directory, CjarFile, CjarUrl, ArchiveBytes) [#12253], policy/template/schema parsing [#12253], entity validation [#12253], trusted issuer validation with TrustedIssuerValidator [#12253], manifest integrity checks [#12253], archive security [#12253], and extensive tests/benchmarks/fixtures [#12253].
Out of Scope Changes check	✅ Passed	All changes are within scope: policy store format handling, directory/archive loading, validation logic, entity/issuer parsing, manifest checking, HTTP client improvements, JWT validation enhancements, and comprehensive tests directly support #12253 objectives; no unrelated feature additions or refactorings detected.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

---

📜 Recent review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7788ea3 and bda40f6.

📒 Files selected for processing (2)

• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/init/policy_store.rs

🧰 Additional context used

📓 Path-based instructions (1)

jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

🧠 Learnings (18)

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use derive_more crate for error derivation when needed

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Leverage serde for serialization/deserialization in Rust

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs

📚 Learning: 2025-12-24T14:16:17.748Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T14:10:48.131Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-26T17:33:20.543Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:20.543Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-10-30T13:03:03.905Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12544
File: jans-cedarling/cedarling/src/tests/authorize_resource_entity.rs:65-109
Timestamp: 2025-10-30T13:03:03.905Z
Learning: In Rust, when `use tokio::test;` is present at the top of a file, the `#[test]` attribute refers to `tokio::test` (the async test macro), not the standard library's `#[test]`. This is a valid pattern for writing async tests with Tokio.

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use smol_str for string optimization where appropriate in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-04T12:17:12.662Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12797
File: jans-cedarling/AGENTS.md:82-88
Timestamp: 2025-12-04T12:17:12.662Z
Learning: In the jans-cedarling project, the AGENTS.md file is AI-generated and used only by AI agents, so markdown linting issues (such as MD031, MD040) for this file can be ignored during code reviews.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-01T00:02:51.580Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader.rs

🧬 Code graph analysis (2)

jans-cedarling/cedarling/src/init/policy_store.rs (1)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (4)

• load_policy_store_archive (87-109)
• load_policy_store_archive (116-120)
• new (219-221)
• load_policy_store_archive_bytes (128-159)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (5)

jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (3)

• from_file (129-150)
• from_buffer (167-170)
• from_reader (71-108)

jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs (4)

• new (48-55)
• new (92-94)
• load_manifest (97-129)
• default (77-79)

jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs (4)

• new (82-85)
• new (171-174)
• default (97-99)
• default (211-213)

jans-cedarling/cedarling/src/common/policy_store/validator.rs (1)

• parse_and_validate (125-137)

jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs (2)

• parse_policies (135-150)
• parse_policy (53-86)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: cleanup
• GitHub Check: rust_benchmarks
• GitHub Check: python_tests (3.11)
• GitHub Check: golang_tests
• GitHub Check: wasm_tests
• GitHub Check: rust_tests
• GitHub Check: python_tests (3.10)

🔇 Additional comments (11)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (1)

161-708: Excellent loader implementation with proper VFS abstraction.

The loader design is well-structured:

• Generic over VfsFileSystem trait for flexibility
• Proper separation of concerns (loading, parsing, validation)
• Case-insensitive extension checking (lines 469, 536, 590)
• WASM compatibility with appropriate cfg gates
• Comprehensive error handling with contextual information
• Test helpers properly isolated with #[cfg(test)]

The previously reviewed items (unused parameters, no-op calls, memory optimizations) have been acknowledged and accepted by the author.

jans-cedarling/cedarling/src/init/policy_store.rs (10)

11-13: LGTM! Import additions are well-structured.

The new imports (ConversionError, PolicyStoreManager, PolicyStoreWithID) are properly grouped with existing policy_store imports and follow the project's import patterns.

---

29-34: LGTM! Error variants follow best practices.

The new error variants properly use thiserror with the #[from] attribute for automatic conversion (Conversion variant) and provide descriptive error messages. This follows the project's error handling guidelines.

---

58-58: LGTM! Proper handling of legacy format metadata.

Correctly sets metadata: None for legacy formats with a clear explanatory comment, while new format loaders populate metadata from LoadedPolicyStore.

---

102-105: LGTM! New source types properly integrated.

The match arms correctly distinguish between async operations (CjarFile, CjarUrl, Directory) and synchronous in-memory loading (ArchiveBytes), with consistent error propagation.

---

122-148: LGTM! Non-WASM Cedar Archive file loader is well-implemented.

The loader properly:

• Uses async/await with spawn_blocking for file I/O (via loader module)
• Wraps errors with descriptive context
• Converts to legacy format for backward compatibility
• Preserves metadata from LoadedPolicyStore

---

150-166: LGTM! WASM stub correctly prevents unsupported operations.

The WASM implementation properly returns an error indicating file path loading is unsupported. The pattern of calling the loader stub (as discussed in past reviews) ensures the error variant is constructed and the code path is exercised during compilation.

---

168-201: LGTM! Cedar Archive URL loader is well-designed.

The loader properly:

• Fetches archive bytes via HTTP with retry logic
• Delegates to bytes loader for cross-platform compatibility
• Provides descriptive error context for both fetch and load failures
• Works in both native and WASM environments

Creating a new HttpClient per call is acceptable since policy store loading is an infrequent operation.

---

203-231: LGTM! Non-WASM directory loader is well-implemented.

The loader properly:

• Uses async/await with spawn_blocking for directory I/O
• Wraps errors with descriptive context using the Directory variant
• Follows the same proven pattern as the Cedar Archive file loader

---

233-249: LGTM! WASM stub correctly prevents directory operations.

The WASM implementation properly returns an error indicating directory loading is unsupported, following the same pattern as the Cedar Archive file WASM stub.

---

251-281: LGTM! Archive bytes loader is excellent.

The loader properly:

• Uses synchronous implementation (correct for in-memory operations)
• Works across all platforms including WASM
• Provides excellent documentation explaining the use cases (WASM custom fetch, embedding, non-standard sources)
• Follows the consistent conversion pattern

The bytes.to_vec() copy is an acceptable tradeoff for API clarity, as discussed in past reviews.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 49

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (6)

jans-cedarling/http_utils/src/lib.rs (1)

86-109: Preserve error context for debugging.

While silent retries avoid WASM console issues, completely discarding error information (_err) makes debugging production failures nearly impossible. When all retries are exhausted, callers receive only MaxRetriesExceeded with no indication of what actually failed (network timeout, 404, 503, etc.).

Per coding guidelines: "Include context in error messages for better debugging."

🔎 Proposed fix: Enhance error to preserve last failure

Modify the error enum to capture the underlying cause:

 #[derive(Debug, Error)]
 pub enum HttpRequestError {
-    #[error("max retries exceeded")]
-    MaxRetriesExceeded,
+    #[error("max retries exceeded, last error: {0}")]
+    MaxRetriesExceeded(String),
     #[error("failed to deserialize response to JSON: {0}")]
     DeserializeToJson(#[source] reqwest::Error),
     #[error("failed to initialize HTTP client: {0}")]
     InitializeHttpClient(#[source] reqwest::Error),
 }

Then track the last error in the retry loop:

     let backoff = &mut self.backoff;
     backoff.reset();
+    let mut last_error: Option<String> = None;

     loop {
         let response = match request().send().await {
             Ok(resp) => resp,
-            Err(_err) => {
+            Err(err) => {
+                last_error = Some(err.to_string());
                 // Retry silently - callers receive the final error if all retries fail.
                 // TODO: add optional debug-level logging hook here once a logger can be
                 //       passed in without pulling logging into this low-level crate.
                 backoff
                     .snooze()
                     .await
-                    .map_err(|_| HttpRequestError::MaxRetriesExceeded)?;
+                    .map_err(|_| HttpRequestError::MaxRetriesExceeded(
+                        last_error.clone().unwrap_or_else(|| "unknown error".to_string())
+                    ))?;
                 continue;
             },
         };

         let response = match response.error_for_status() {
             Ok(resp) => resp,
-            Err(_err) => {
+            Err(err) => {
+                last_error = Some(format!("HTTP {}: {}", 
+                    err.status().map(|s| s.as_str()).unwrap_or("unknown"),
+                    err));
                 // Retry silently - callers receive the final error if all retries fail.
                 // TODO: add optional debug-level logging hook here once a logger can be
                 //       passed in without pulling logging into this low-level crate.
                 backoff
                     .snooze()
                     .await
-                    .map_err(|_| HttpRequestError::MaxRetriesExceeded)?;
+                    .map_err(|_| HttpRequestError::MaxRetriesExceeded(
+                        last_error.clone().unwrap_or_else(|| "unknown error".to_string())
+                    ))?;
                 continue;
             },
         };

jans-cedarling/cedarling/src/lock/mod.rs (1)

95-110: Reorder imports to comply with coding guidelines.

The imports should be grouped with std/external crates first, then internal modules. Currently, internal and external imports are mixed.

🔎 Proposed fix to reorder imports

-use crate::app_types::PdpID;
-use crate::common::issuer_utils::normalize_issuer;
-use crate::log::LoggerWeak;
-use crate::log::interface::Loggable;
-use crate::{LockServiceConfig, LogWriter};
 use futures::channel::mpsc;
-use lock_config::*;
-use log_entry::LockLogEntry;
-use log_worker::*;
-use register_client::{ClientRegistrationError, register_client};
 use reqwest::Client;
 use reqwest::header::{HeaderMap, HeaderValue};
-use ssa_validation::validate_ssa_jwt;
 use std::sync::{Arc, RwLock};
 use std::time::Duration;
 use tokio_util::sync::CancellationToken;
+
+use crate::app_types::PdpID;
+use crate::common::issuer_utils::normalize_issuer;
+use crate::log::interface::Loggable;
+use crate::log::LoggerWeak;
+use crate::{LockServiceConfig, LogWriter};
+use lock_config::*;
+use log_entry::LockLogEntry;
+use log_worker::*;
+use register_client::{ClientRegistrationError, register_client};
+use ssa_validation::validate_ssa_jwt;

Based on coding guidelines: "Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"".

jans-cedarling/cedarling/src/log/log_strategy.rs (2)

37-60: Consider documenting the visibility restriction rationale.

The new constructor's visibility was changed to pub(crate), restricting direct construction to within the crate. While this aligns with the controlled API pattern (public type, private constructors), adding a doc comment explaining that LogStrategy instances should be obtained via log::init_logger would improve API clarity for maintainers.

📝 Suggested documentation addition

 impl LogStrategy {
-    /// Creates a new `LogStrategy` based on the provided configuration.
-    /// Initializes the corresponding logger accordingly.
+    /// Creates a new `LogStrategy` based on the provided configuration.
+    /// Initializes the corresponding logger accordingly.
+    /// 
+    /// Note: This constructor is crate-private. External users should obtain
+    /// `LogStrategy` instances via `log::init_logger`.
     pub(crate) fn new(

---

62-74: Add documentation for the new lock_service parameter.

The new_with_logger constructor gained a lock_service: Option<LockService> parameter but lacks documentation explaining its purpose. Add a doc comment describing when to provide a LockService during initialization versus setting it later via set_lock_service.

📝 Suggested documentation addition

+    /// Creates a new `LogStrategy` with a pre-configured logger.
+    /// 
+    /// # Parameters
+    /// - `logger`: The logger implementation to use
+    /// - `pdp_id`: Policy Decision Point identifier
+    /// - `app_name`: Optional application name
+    /// - `lock_service`: Optional lock service for distributed logging coordination
     pub(crate) fn new_with_logger(
         logger: LogStrategyLogger,
         pdp_id: PdpID,
         app_name: Option<ApplicationName>,
         lock_service: Option<LockService>,
     ) -> Self {

jans-cedarling/bindings/cedarling_wasm/README.md (1)

332-334: Remove empty code blocks at the end of the file.

The file ends with empty fenced code blocks that serve no purpose and trigger linting warnings.

🔎 Proposed fix

-For complete configuration documentation, see [cedarling-properties.md](../../../docs/cedarling/cedarling-properties.md) or on [our page](https://docs.jans.io/stable/cedarling/cedarling-properties/) .
-
-```
-
-```
+For complete configuration documentation, see [cedarling-properties.md](../../../docs/cedarling/cedarling-properties.md) or on [our page](https://docs.jans.io/stable/cedarling/cedarling-properties/).

docs/cedarling/tutorials/java.md (1)

203-222: JavaScript syntax in Java documentation.

The principals definition contains JavaScript syntax (const principals = [...]) instead of valid Java:

🔎 Proposed fix

     String principals = """
-        const principals = [
+        [
           {
             "cedar_entity_mapping": {
               "entity_type": "Jans::Workload",
               "id": "some_workload_id"
             },
-            "client_id": "some_client_id",
+            "client_id": "some_client_id"
           },
           {
             "cedar_entity_mapping": {
               "entity_type": "Jans::User",
               "id": "random_user_id"
             },
             "roles": ["admin", "manager"]
-          },
-        ];
+          }
+        ]
         """;

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d80354 and 19d33b4.

📒 Files selected for processing (59)

• docs/cedarling/reference/cedarling-policy-store.md
• docs/cedarling/reference/cedarling-properties.md
• docs/cedarling/tutorials/go.md
• docs/cedarling/tutorials/java.md
• docs/cedarling/tutorials/javascript.md
• docs/cedarling/tutorials/python.md
• docs/cedarling/tutorials/rust.md
• jans-cedarling/bindings/cedarling-java/README.md
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_python/PYTHON_TYPES.md
• jans-cedarling/bindings/cedarling_python/README.md
• jans-cedarling/bindings/cedarling_uniffi/README.md
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/bindings/cedarling_wasm/example_data.js
• jans-cedarling/bindings/cedarling_wasm/src/lib.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/benches/policy_store_benchmark.rs
• jans-cedarling/cedarling/src/authz/trust_mode.rs
• jans-cedarling/cedarling/src/bootstrap_config/decode.rs
• jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
• jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
• jans-cedarling/cedarling/src/common/app_types.rs
• jans-cedarling/cedarling/src/common/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
• jans-cedarling/cedarling/src/common/policy_store/metadata.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
• jans-cedarling/cedarling/src/common/policy_store/validator.rs
• jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
• jans-cedarling/cedarling/src/http/mod.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/init/service_factory.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/jwt/test_utils.rs
• jans-cedarling/cedarling/src/jwt/validation.rs
• jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/cedarling/src/lock/mod.rs
• jans-cedarling/cedarling/src/log/log_strategy.rs
• jans-cedarling/cedarling/src/log/mod.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
• jans-cedarling/cedarling/src/tests/mod.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/clippy.toml
• jans-cedarling/http_utils/src/lib.rs
• jans-cedarling/schema/policy_store_schema.json

🧰 Additional context used

📓 Path-based instructions (3)

jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

• jans-cedarling/cedarling/src/lock/mod.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/init/service_factory.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
• jans-cedarling/bindings/cedarling_wasm/src/lib.rs
• jans-cedarling/cedarling/src/log/log_strategy.rs
• jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/jwt/test_utils.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/validator.rs
• jans-cedarling/cedarling/src/log/mod.rs
• jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/cedarling/src/http/mod.rs
• jans-cedarling/cedarling/src/jwt/validation.rs
• jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/http_utils/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/benches/policy_store_benchmark.rs
• jans-cedarling/cedarling/src/common/app_types.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
• jans-cedarling/cedarling/src/bootstrap_config/decode.rs
• jans-cedarling/cedarling/src/common/policy_store.rs
• jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
• jans-cedarling/cedarling/src/common/policy_store/metadata.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/authz/trust_mode.rs
• jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
• jans-cedarling/cedarling/src/tests/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs

jans-cedarling/**/*test*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*test*.rs: Use test_utils crate for shared test helpers
Include both positive and negative test cases in test files
For error checking in tests, use assert!(matches!(...), "explicit comment") instead of assert!(result.is_err())
Use expect_err("explicit comment") instead of panic() in tests
Always include explicit comments explaining what error is expected in test assertions

Files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/jwt/test_utils.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/test_utils.rs

jans-cedarling/**/Cargo.toml

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

Build all workspace members using cargo build --workspace

Files:

• jans-cedarling/cedarling/Cargo.toml

🧠 Learnings (47)

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use PascalCase for types, traits, and enums in Rust

Applied to files:

• jans-cedarling/cedarling/src/lock/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/cedarling/src/common/app_types.rs
• jans-cedarling/cedarling/src/authz/trust_mode.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

• jans-cedarling/cedarling/src/lock/mod.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/cedarling/src/jwt/validation.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/app_types.rs
• jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
• jans-cedarling/cedarling/src/common/policy_store.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/tests/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

• jans-cedarling/cedarling/src/lock/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
• jans-cedarling/cedarling/src/common/policy_store/metadata.rs
• jans-cedarling/cedarling/src/authz/trust_mode.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

• jans-cedarling/cedarling/src/lock/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• docs/cedarling/tutorials/javascript.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use snake_case for variables, functions, and modules in Rust

Applied to files:

• jans-cedarling/cedarling/src/lock/mod.rs
• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/cedarling/src/tests/mod.rs

📚 Learning: 2025-12-10T14:10:48.131Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

• jans-cedarling/cedarling/src/lock/mod.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/init/service_factory.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
• jans-cedarling/bindings/cedarling_wasm/src/lib.rs
• jans-cedarling/cedarling/src/log/log_strategy.rs
• jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/jwt/test_utils.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/validator.rs
• jans-cedarling/cedarling/src/log/mod.rs
• jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/cedarling/src/http/mod.rs
• jans-cedarling/cedarling/src/jwt/validation.rs
• jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/http_utils/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/benches/policy_store_benchmark.rs
• jans-cedarling/cedarling/src/common/app_types.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
• jans-cedarling/cedarling/src/bootstrap_config/decode.rs
• jans-cedarling/cedarling/src/common/policy_store.rs
• jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
• jans-cedarling/cedarling/src/common/policy_store/metadata.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/authz/trust_mode.rs
• jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
• jans-cedarling/cedarling/src/tests/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/bindings/cedarling_python/**/*.py : Validate Python type annotations using `mypy cedarling_python` in the bindings directory

Applied to files:

• jans-cedarling/bindings/cedarling_python/PYTHON_TYPES.md
• jans-cedarling/bindings/cedarling_python/README.md

📚 Learning: 2025-11-28T05:59:26.842Z

Learnt from: haileyesus2433
Repo: JanssenProject/jans PR: 12455
File: jans-cedarling/cedarling/src/jwt/mod.rs:143-145
Timestamp: 2025-11-28T05:59:26.842Z
Learning: In jans-cedarling JWT service, the local-JWKS-only configuration (no trusted issuers) loads keys but does not initialize validators. This means signed tokens will hit ValidateJwtError::MissingValidator and be skipped. This is acceptable as the intended use case is authorize_unsigned. Validator setup for JWKS-only signed authorization is planned for future implementation.

Applied to files:

• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
• jans-cedarling/cedarling/src/jwt/validation.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use thiserror crate for custom error types

Applied to files:

• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/http_utils/src/lib.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include context in error messages for better debugging

Applied to files:

• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/src/tests/**/*.rs : Place integration tests in src/tests/ directory

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
• jans-cedarling/cedarling/src/authz/trust_mode.rs
• jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
• jans-cedarling/cedarling/src/tests/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
• jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
• jans-cedarling/cedarling/src/tests/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/common/policy_store.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
• jans-cedarling/cedarling/src/authz/trust_mode.rs
• jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
• jans-cedarling/cedarling/src/tests/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
• jans-cedarling/cedarling/src/authz/trust_mode.rs
• jans-cedarling/cedarling/src/tests/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run specific test files using `cargo test -p cedarling --test authorize_unsigned` format

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• docs/cedarling/tutorials/java.md
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/tests/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use `expect_err("explicit comment")` instead of `panic()` in tests

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run main crate tests with `cargo test -p cedarling`

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• docs/cedarling/tutorials/javascript.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : For error checking in tests, use `assert!(matches!(...), "explicit comment")` instead of `assert!(result.is_err())`

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/jwt/test_utils.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
• jans-cedarling/cedarling/src/authz/trust_mode.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

• docs/cedarling/tutorials/rust.md
• jans-cedarling/bindings/cedarling_python/README.md
• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
• jans-cedarling/bindings/cedarling_uniffi/README.md

📚 Learning: 2025-12-26T17:33:14.632Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:14.632Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

• docs/cedarling/tutorials/rust.md
• jans-cedarling/bindings/cedarling_wasm/README.md
• docs/cedarling/reference/cedarling-properties.md
• jans-cedarling/bindings/cedarling-java/README.md
• jans-cedarling/bindings/cedarling_wasm/example_data.js
• jans-cedarling/bindings/cedarling_python/README.md
• jans-cedarling/cedarling/src/lib.rs
• docs/cedarling/tutorials/go.md
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_uniffi/README.md
• jans-cedarling/clippy.toml
• docs/cedarling/tutorials/javascript.md
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

• docs/cedarling/tutorials/rust.md
• docs/cedarling/reference/cedarling-properties.md
• jans-cedarling/bindings/cedarling-java/README.md
• docs/cedarling/tutorials/go.md
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
• jans-cedarling/bindings/cedarling_uniffi/README.md
• docs/cedarling/tutorials/javascript.md

📚 Learning: 2025-12-19T06:30:26.460Z

Learnt from: duttarnab
Repo: JanssenProject/jans PR: 12806
File: demos/janssen-tarp/browser-extension/src/ai/index.ts:61-72
Timestamp: 2025-12-19T06:30:26.460Z
Learning: Jans Tarp (demos/janssen-tarp) is a testing and development tool for OIDC flows and Cedarling authorization. For this project, storing access tokens and id tokens in browser storage (chrome.storage.local) is acceptable because it's designed for testing/development scenarios, not production use.

Applied to files:

• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/bindings/cedarling_wasm/example_data.js
• jans-cedarling/bindings/cedarling_uniffi/README.md
• docs/cedarling/tutorials/javascript.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use derive_more crate for error derivation when needed

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/http/mod.rs
• jans-cedarling/http_utils/src/lib.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer Result<T, E> over panics for error handling

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/http_utils/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/bindings/cedarling_wasm/src/lib.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/cedarling/src/jwt/validation.rs
• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
• jans-cedarling/cedarling/src/bootstrap_config/decode.rs
• jans-cedarling/cedarling/src/common/policy_store.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/tests/mod.rs

📚 Learning: 2025-12-01T00:02:51.580Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/errors.rs
• jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
• jans-cedarling/cedarling/src/lib.rs
• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
• jans-cedarling/clippy.toml
• docs/cedarling/tutorials/javascript.md

📚 Learning: 2025-12-24T14:16:17.748Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
• jans-cedarling/bindings/cedarling_wasm/src/lib.rs
• jans-cedarling/cedarling/src/log/log_strategy.rs
• jans-cedarling/cedarling/src/log/mod.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
• jans-cedarling/clippy.toml

📚 Learning: 2025-11-07T07:42:08.807Z

Learnt from: duttarnab
Repo: JanssenProject/jans PR: 12652
File: jans-auth-server/model/src/main/java/io/jans/as/model/config/adminui/UIConfiguration.java:9-9
Timestamp: 2025-11-07T07:42:08.807Z
Learning: In the UIConfiguration class (jans-auth-server/model/src/main/java/io/jans/as/model/config/adminui/UIConfiguration.java), the cedarlingPolicyStoreRetrievalPoint field is intentionally kept as a String type for database persistence, rather than using the CedarlingPolicyStrRetrievalPoint enum. The enum type is used in the API/service layer classes, with conversion happening at the boundaries.

Applied to files:

• docs/cedarling/reference/cedarling-properties.md
• jans-cedarling/bindings/cedarling-java/README.md
• jans-cedarling/bindings/cedarling_uniffi/README.md

📚 Learning: 2025-12-26T17:33:14.632Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:14.632Z
Learning: In Rust WASM bindings under bindings/cedarling_wasm (e.g., jans-cedarling/bindings/cedarling_wasm/src/lib.rs), require explicit documentation sections such as # Arguments and # Example for functions exported to JavaScript. This helps JS consumers understand parameter usage and provide usage examples. Ensure documentation is included in the relevant Rust doc comments where bindings are exposed.

Applied to files:

• jans-cedarling/bindings/cedarling_wasm/src/lib.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Leverage serde for serialization/deserialization in Rust

Applied to files:

• jans-cedarling/bindings/cedarling_wasm/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
• jans-cedarling/cedarling/src/lib.rs
• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• jans-cedarling/cedarling/src/common/policy_store/metadata.rs
• docs/cedarling/tutorials/javascript.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/bindings/cedarling_python/cedarling_python/**/*.pyi : Check if type hints in `.pyi` files need adjustment to match Rust interface changes

Applied to files:

• jans-cedarling/bindings/cedarling_python/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

• jans-cedarling/cedarling/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_uniffi/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Build main cedarling crate using `cargo build -p cedarling`

Applied to files:

• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/Cargo.toml
• docs/cedarling/tutorials/javascript.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Generate and view documentation with `cargo doc -p cedarling --no-deps --open`

Applied to files:

• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/bindings/cedarling_go/README.md
• docs/cedarling/tutorials/javascript.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Build updated Python bindings using `cd bindings/cedarling_python && maturin develop` and consult README.md if errors occur

Applied to files:

• docs/cedarling/tutorials/go.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run benchmarks using `cargo bench -p cedarling`

Applied to files:

• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/benches/policy_store_benchmark.rs
• jans-cedarling/cedarling/src/common/policy_store/test.rs
• docs/cedarling/tutorials/javascript.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use rustfmt with project's rustfmt.toml settings for all Rust code

Applied to files:

• docs/cedarling/tutorials/go.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/Cargo.toml

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/Cargo.toml : Build all workspace members using `cargo build --workspace`

Applied to files:

• jans-cedarling/cedarling/Cargo.toml
• docs/cedarling/tutorials/javascript.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include examples in docstrings for complex functionality

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs

📚 Learning: 2025-10-30T13:03:03.905Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12544
File: jans-cedarling/cedarling/src/tests/authorize_resource_entity.rs:65-109
Timestamp: 2025-10-30T13:03:03.905Z
Learning: In Rust, when `use tokio::test;` is present at the top of a file, the `#[test]` attribute refers to `tokio::test` (the async test macro), not the standard library's `#[test]`. This is a valid pattern for writing async tests with Tokio.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store.rs
• jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs

📚 Learning: 2025-12-10T14:10:52.927Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:52.927Z
Learning: Applies to jans-cedarling/**/*.rs: Avoid using `println!` or `eprintln!` as they don't work in WASM. Use the Logger with `logger.log(&System::log_msg(...))` pattern instead.

Applied to files:

• jans-cedarling/clippy.toml

📚 Learning: 2025-12-17T13:08:11.604Z

Learnt from: dagregi
Repo: JanssenProject/jans PR: 12833
File: jans-cedarling/schema/minimal_policy_store.json:13-21
Timestamp: 2025-12-17T13:08:11.604Z
Learning: In jans-cedarling/schema/cedarling_core.cedarschema, the Access_token entity intentionally includes both a `scope?: Set<String>` attribute and `tags Set<String>` declaration. This dual approach is by design, allowing scope to be accessed either as an attribute or dynamically as a tag depending on the use case.

Applied to files:

• jans-cedarling/schema/policy_store_schema.json

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use typed-builder crate for complex struct construction

Applied to files:

• docs/cedarling/tutorials/javascript.md
• jans-cedarling/cedarling/src/common/policy_store/test_utils.rs

🧬 Code graph analysis (10)

jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs (2)

jans-cedarling/cedarling/src/common/policy_store/test_utils.rs (8)

• create_corrupted_archive (419-424)
• create_deep_nested_archive (427-440)
• create_path_traversal_archive (405-416)
• new (60-75)
• default (53-55)
• invalid_metadata_json (354-360)
• invalid_policy_syntax (363-366)
• minimal_valid (294-300)

jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (1)

• from_buffer (155-158)

jans-cedarling/cedarling/src/tests/policy_store_loader.rs (3)

jans-cedarling/cedarling/src/tests/utils/cedarling_util.rs (1)

• get_cedarling_with_callback (51-61)

jans-cedarling/cedarling/src/common/policy_store/test_utils.rs (3)

• new (60-75)
• minimal_valid (294-300)
• default (53-55)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (1)

• load_policy_store_archive_bytes (128-135)

jans-cedarling/cedarling/src/common/policy_store/log_entry.rs (3)

jans-cedarling/cedarling/src/log/memory_logger/mod.rs (1)

• log (106-121)

jans-cedarling/cedarling/src/log/log_strategy.rs (1)

• new (37-60)

jans-cedarling/cedarling/src/log/log_entry.rs (1)

• new_opt_request_id (424-440)

jans-cedarling/bindings/cedarling_wasm/src/lib.rs (1)

jans-cedarling/cedarling/src/bootstrap_config/decode.rs (1)

• from_raw_config (42-158)

jans-cedarling/cedarling/src/log/log_strategy.rs (3)

jans-cedarling/cedarling/src/common/app_types.rs (1)

• new (19-22)

jans-cedarling/cedarling/src/lib.rs (1)

• new (114-156)

jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs (2)

• new (23-28)
• new (90-94)

jans-cedarling/cedarling/src/lib.rs (4)

jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (2)

• validate_required_claims (324-331)
• validate_required_claims (351-375)

jans-cedarling/cedarling/src/init/service_factory.rs (1)

• policy_store (55-62)

jans-cedarling/cedarling/src/common/policy_store/validator.rs (4)

• name (153-155)
• id (148-150)
• version (163-165)
• cedar_version (143-145)

jans-cedarling/cedarling/src/log/log_entry.rs (1)

• new_with_data (51-60)

jans-cedarling/cedarling/src/common/app_types.rs (2)

jans-cedarling/cedarling/src/lib.rs (1)

• new (114-156)

jans-cedarling/cedarling/src/log/log_strategy.rs (1)

• new (37-60)

jans-cedarling/cedarling/src/jwt/mod.rs (1)

jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (4)

• validate_required_claims (324-331)
• validate_required_claims (351-375)
• with_logger (161-198)
• key_service (478-480)

jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (2)

jans-cedarling/cedarling/src/jwt/token_cache.rs (1)

• cache_duration (131-158)

jans-cedarling/cedarling/src/jwt/key_service.rs (1)

• has_keys (157-159)

jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs (2)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (2)

• new (195-197)
• load_manifest (353-374)

jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs (2)

• new (81-84)
• new (164-167)

🪛 markdownlint-cli2 (0.18.1)

jans-cedarling/bindings/cedarling_wasm/README.md

73-73: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

75-75: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

81-81: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

271-271: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

284-284: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

296-296: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

docs/cedarling/tutorials/python.md

104-104: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

115-115: Ordered list item prefix
Expected: 1; Actual: 5; Style: 1/1/1

(MD029, ol-prefix)

---

117-117: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

122-122: Ordered list item prefix
Expected: 1; Actual: 6; Style: 1/1/1

(MD029, ol-prefix)

jans-cedarling/bindings/cedarling_go/README.md

289-289: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

[coderabbitai]

Review continued from previous batch...

[coderabbitai]

Actionable comments posted: 4

Fix all issues with AI Agents 🤖

In @jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs:
- Around line 223-240: The logger parameter in detect_duplicates is
&Option<Logger> but you call log_any directly on it; change the call to only
invoke log_any when the Option is Some by using logger.as_ref().map(|l|
l.log_any(...)) or an if let Some(l) = logger.as_ref() {
l.log_any(PolicyStoreLogEntry::warn(...)); } so the PolicyStoreLogEntry::warn
message (including entity.uid, existing.filename, entity.filename) is logged
only when a Logger exists; keep the rest of detect_duplicates behavior (insert
latest entity into entity_map).

In @jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs:
- Around line 1270-1350: The test test_archive_vfs_with_manifest_validation
incorrectly expects manifest validation to fail even though the manifest's
policy_store_id matches the input; change the assertion to expect success (call
validator.validate(Some("abc123def456")) and
assert!(validation_result.is_valid)) and update the comment to state that
validation should succeed for matching IDs, or alternatively change the validate
input to a different ID (e.g., "different_id") if you intend to test ID
mismatch; locate the failing expectation around the ManifestValidator::new(...)
/ validator.validate(Some(...)) call and update the assertion and its comment
accordingly.

In @jans-cedarling/cedarling/src/init/policy_store.rs:
- Around line 122-166: The WASM-specific load_policy_store_from_cjar_file
currently calls loader::load_policy_store_archive(_path) only to convert its
error into a PolicyStoreLoadError::Archive; simplify by directly returning
Err(PolicyStoreLoadError::Archive(...)) from inside
load_policy_store_from_cjar_file for the wasm32 cfg instead of invoking
loader::load_policy_store_archive, constructing the same "Loading from file path
is not supported in WASM. Use CjarUrl instead. Original error: <...>" message
(or omit the original error) so the stub does not call the loader; keep the
function signature and error variant names (load_policy_store_from_cjar_file,
PolicyStoreLoadError::Archive) the same.

In @jans-cedarling/cedarling/src/jwt/mod.rs:
- Around line 333-336: The local variable `validator` is declared with an
unnecessary explicit type `Arc<std::sync::RwLock<JwtValidator>>`; remove the
explicit type annotation and let the compiler infer it from the expression
`self.validators.get(&validator_key).ok_or(ValidateJwtError::MissingValidator(validator_key.owned()))?`
so the line becomes a simple `let validator = ...` while keeping the same
`validator` name and use of `JwtValidator`, `self.validators.get`, and
`ValidateJwtError::MissingValidator`.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

jans-cedarling/bindings/cedarling_wasm/README.md (1)

45-67: Inconsistent blank line formatting in platform-specific instructions.

The Linux (line 52) and MacOS (line 60) sections introduce blank lines before their content blocks, while the Windows section (line 42) does not. This creates visual inconsistency in the markdown structure.

🔎 Suggested fix for consistent formatting

Either remove blank lines from Linux and MacOS sections to match Windows, or add blank line after Windows header for consistency:

    - **Windows**

        - Place the Rust artifacts...

♻️ Duplicate comments (2)

jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs (1)

259-285: Hierarchy validation logic looks correct and matches entity model.

The validate_hierarchy implementation correctly ensures all parent UIDs referenced from entities exist in the parsed set and reports precise, per‑entity errors with filenames and UIDs. This aligns with the requirements for parent existence checks; the use of clone().into_inner() here is acceptable given prior discussion and expected entity volumes.

jans-cedarling/cedarling/src/common/policy_store/loader.rs (1)

87-109: Add manifest validation for .cjar path loading to match directory/bytes semantics.

load_policy_store_directory and load_policy_store_archive_bytes both validate the manifest when present, but load_policy_store_archive currently just calls:

let archive_vfs = ArchiveVfs::from_file(&path)?;
let loader = DefaultPolicyStoreLoader::new(archive_vfs);
loader.load_directory(".")

and returns without any manifest check. That means a .cjar loaded from disk can bypass manifest validation that would apply to the same content when loaded from a directory or from bytes.

For consistency and security, consider mirroring the directory/bytes behavior here: load the store, then, if loaded.manifest.is_some(), run manifest validation against the archive VFS and propagate any ManifestError as a PolicyStoreError.

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ed8d0cc and 4d6b214.

📒 Files selected for processing (16)

• docs/cedarling/tutorials/go.md
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/http/mod.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/http_utils/src/lib.rs

🧰 Additional context used

📓 Path-based instructions (3)

jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/http_utils/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/http/mod.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/init/policy_store.rs

jans-cedarling/**/*test*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*test*.rs: Use test_utils crate for shared test helpers
Include both positive and negative test cases in test files
For error checking in tests, use assert!(matches!(...), "explicit comment") instead of assert!(result.is_err())
Use expect_err("explicit comment") instead of panic() in tests
Always include explicit comments explaining what error is expected in test assertions

Files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

jans-cedarling/**/Cargo.toml

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

Build all workspace members using cargo build --workspace

Files:

• jans-cedarling/cedarling/Cargo.toml

🧠 Learnings (46)

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/src/tests/**/*.rs : Place integration tests in src/tests/ directory

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run specific test files using `cargo test -p cedarling --test authorize_unsigned` format

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run main crate tests with `cargo test -p cedarling`

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/init/policy_store.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/init/policy_store.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : For error checking in tests, use `assert!(matches!(...), "explicit comment")` instead of `assert!(result.is_err())`

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use `expect_err("explicit comment")` instead of `panic()` in tests

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-11-28T05:59:26.842Z

Learnt from: haileyesus2433
Repo: JanssenProject/jans PR: 12455
File: jans-cedarling/cedarling/src/jwt/mod.rs:143-145
Timestamp: 2025-11-28T05:59:26.842Z
Learning: In jans-cedarling JWT service, the local-JWKS-only configuration (no trusted issuers) loads keys but does not initialize validators. This means signed tokens will hit ValidateJwtError::MissingValidator and be skipped. This is acceptable as the intended use case is authorize_unsigned. Validator setup for JWKS-only signed authorization is planned for future implementation.

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-26T17:33:20.543Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:20.543Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-10T14:10:48.131Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/http_utils/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/http/mod.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/init/policy_store.rs

📚 Learning: 2025-12-24T14:16:17.748Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include examples in docstrings for complex functionality

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_wasm/README.md

📚 Learning: 2025-12-04T12:17:12.662Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12797
File: jans-cedarling/AGENTS.md:82-88
Timestamp: 2025-12-04T12:17:12.662Z
Learning: In the jans-cedarling project, the AGENTS.md file is AI-generated and used only by AI agents, so markdown linting issues (such as MD031, MD040) for this file can be ignored during code reviews.

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use PascalCase for types, traits, and enums in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-01T00:02:51.580Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use 4-space indentation (no tabs) in all Rust code

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• docs/cedarling/tutorials/go.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Enforce maximum line width of 100 characters in Rust code

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use thiserror crate for custom error types

Applied to files:

• jans-cedarling/cedarling/src/jwt/validation/validator.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use derive_more crate for error derivation when needed

Applied to files:

• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/init/policy_store.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include context in error messages for better debugging

Applied to files:

• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer Result<T, E> over panics for error handling

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-19T06:30:26.460Z

Learnt from: duttarnab
Repo: JanssenProject/jans PR: 12806
File: demos/janssen-tarp/browser-extension/src/ai/index.ts:61-72
Timestamp: 2025-12-19T06:30:26.460Z
Learning: Jans Tarp (demos/janssen-tarp) is a testing and development tool for OIDC flows and Cedarling authorization. For this project, storing access tokens and id tokens in browser storage (chrome.storage.local) is acceptable because it's designed for testing/development scenarios, not production use.

Applied to files:

• jans-cedarling/bindings/cedarling_wasm/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Generate and view documentation with `cargo doc -p cedarling --no-deps --open`

Applied to files:

• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/cedarling/Cargo.toml
• docs/cedarling/tutorials/go.md

📚 Learning: 2025-11-05T19:45:46.720Z

Learnt from: iromli
Repo: JanssenProject/jans PR: 12623
File: docker-jans-auth-server/Dockerfile:75-78
Timestamp: 2025-11-05T19:45:46.720Z
Learning: The jans-lock-cedarling artifact is available in the Janssen Maven repository at https://jenkins.jans.io/maven/io/jans/jans-lock-cedarling/0.0.0-nightly/ for the nightly version.

Applied to files:

• jans-cedarling/bindings/cedarling_wasm/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run benchmarks using `cargo bench -p cedarling`

Applied to files:

• jans-cedarling/cedarling/Cargo.toml

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/Cargo.toml : Build all workspace members using `cargo build --workspace`

Applied to files:

• jans-cedarling/cedarling/Cargo.toml

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Build main cedarling crate using `cargo build -p cedarling`

Applied to files:

• jans-cedarling/cedarling/Cargo.toml
• docs/cedarling/tutorials/go.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use smol_str for string optimization where appropriate in Rust

Applied to files:

• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T14:10:52.927Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:52.927Z
Learning: Applies to jans-cedarling/**/*.rs: Avoid using `println!` or `eprintln!` as they don't work in WASM. Use the Logger with `logger.log(&System::log_msg(...))` pattern instead.

Applied to files:

• jans-cedarling/cedarling/Cargo.toml

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Leverage serde for serialization/deserialization in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use snake_case for variables, functions, and modules in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use typed-builder crate for complex struct construction

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs

📚 Learning: 2025-10-30T13:03:03.905Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12544
File: jans-cedarling/cedarling/src/tests/authorize_resource_entity.rs:65-109
Timestamp: 2025-10-30T13:03:03.905Z
Learning: In Rust, when `use tokio::test;` is present at the top of a file, the `#[test]` attribute refers to `tokio::test` (the async test macro), not the standard library's `#[test]`. This is a valid pattern for writing async tests with Tokio.

Applied to files:

• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Build updated Python bindings using `cd bindings/cedarling_python && maturin develop` and consult README.md if errors occur

Applied to files:

• docs/cedarling/tutorials/go.md

🧬 Code graph analysis (5)

jans-cedarling/cedarling/src/tests/policy_store_loader.rs (3)

jans-cedarling/cedarling/src/tests/utils/cedarling_util.rs (1)

• get_cedarling_with_callback (51-61)

jans-cedarling/cedarling/src/common/policy_store/test_utils.rs (3)

• new (59-74)
• minimal_valid (293-299)
• default (52-54)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (1)

• load_policy_store_archive_bytes (128-159)

jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs (2)

jans-cedarling/cedarling/src/common/policy_store/test_utils.rs (5)

• create_corrupted_archive (418-423)
• create_deep_nested_archive (426-439)
• create_path_traversal_archive (404-415)
• new (59-74)
• default (52-54)

jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (2)

• from_buffer (167-170)
• from_file (129-150)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (5)

jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (3)

• from_file (129-150)
• from_buffer (167-170)
• from_reader (71-108)

jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs (4)

• new (48-55)
• new (92-94)
• load_manifest (97-129)
• default (77-79)

jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs (4)

• new (82-85)
• new (171-174)
• default (97-99)
• default (211-213)

jans-cedarling/cedarling/src/common/policy_store/validator.rs (1)

• parse_and_validate (125-137)

jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs (3)

• parse_policy (53-86)
• parse_template (94-129)
• create_policy_set (156-183)

jans-cedarling/cedarling/src/http/mod.rs (2)

jans-cedarling/http_utils/src/lib.rs (1)

• new (63-65)

jans-cedarling/http_utils/src/backoff.rs (1)

• new_exponential (20-27)

jans-cedarling/cedarling/src/jwt/mod.rs (2)

jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (4)

• validate_required_claims (318-325)
• validate_required_claims (345-369)
• with_logger (158-195)
• key_service (472-474)

jans-cedarling/cedarling/src/jwt/validation/validator.rs (1)

• iss (276-278)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: golang_tests
• GitHub Check: rust_benchmarks
• GitHub Check: python_tests (3.11)
• GitHub Check: python_tests (3.10)
• GitHub Check: rust_tests
• GitHub Check: wasm_tests
• GitHub Check: python_tests (3.10)
• GitHub Check: golang_tests
• GitHub Check: rust_tests
• GitHub Check: rust_benchmarks
• GitHub Check: python_tests (3.11)
• GitHub Check: wasm_tests

🔇 Additional comments (38)

jans-cedarling/bindings/cedarling_wasm/README.md (3)

150-179: Excellent addition of Policy Store Sources documentation to Go tutorial.

The new "Policy Store Sources" section clearly explains the three supported loading methods (directory, local .cjar, remote .cjar) with executable examples. The cross-reference to Policy Store Formats documentation is appropriate and helpful.

---

73-90: Strong API documentation for init_from_archive_bytes.

The documentation clearly explains the purpose, parameters, and includes a practical example showing custom fetch with authentication headers. The JSDoc-style formatting with explicit # Arguments and # Example sections is appropriate for WASM bindings that expose interfaces to JavaScript consumers.

---

270-312: Comprehensive Policy Store Sources section for WASM.

Clear documentation of WASM-specific limitations (no filesystem access) with three complete, runnable examples covering URL-based loading, inline JSON, and custom fetch scenarios. The Cedar Archive packaging guidance and cross-reference to detailed format documentation provide good support for developers adopting the new policy store format.

jans-cedarling/bindings/cedarling_go/README.md (2)

294-303: ID Token Trust Mode section is now well-documented with explicit options.

The expanded ID Token Trust Mode section clearly enumerates all four validation modes (strict, never, always, ifpresent) with explicit validation rules. This aligns well with the configuration example on line 148 and the testing configuration on line 317.

---

270-293: Policy Store Sources section comprehensively documents all loading methods.

The new Policy Store Sources section (lines 270–293) effectively documents all supported policy store loading mechanisms—local JSON files, directories with human-readable Cedar files, local and remote .cjar archives, and Lock Server—with clear Go configuration examples. The documentation link correctly references the Policy Store Formats section in the cedarling-policy-store.md file. This addresses the PR objectives and resolves earlier feedback about missing Cedar Archive examples.

jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs (6)

1-10: License header and module documentation are compliant.

The Apache 2.0 license header with Gluu copyright and module-level documentation follow project standards.

---

12-15: Import ordering is correct.

Imports properly group external crates first, then internal modules with appropriate separation, following project guidelines.

---

17-58: Well-structured parsing implementation.

The ParsedSchema struct and parse() method provide a clean API for Cedar schema parsing. The two-stage parsing approach (fragment → schema) properly leverages Cedar's validation, and error handling consistently includes filename context for debugging.

---

60-87: Methods implement correct validation logic.

The get_schema() getter and validate() method provide appropriate access and validation. The empty-schema check in validate() adds a useful constraint beyond Cedar's structural validation.

Previous review feedback regarding the getter redundancy and documentation style has been addressed per your preference.

---

90-518: Excellent test coverage with proper patterns.

The test suite comprehensively covers valid schemas, parse errors, validation edge cases, and metadata handling. Tests properly use expect_err() and assert!(matches!(...)) patterns per project guidelines, ensuring robust error checking.

---

1-518: Implementation is production-ready.

This Cedar schema parser module provides a robust, well-tested API for parsing and validating Cedar schemas. The code demonstrates solid Rust practices with proper error handling, comprehensive test coverage, and clear documentation. Previous review feedback has been addressed, and the implementation aligns with project standards.

jans-cedarling/cedarling/src/jwt/validation/validator.rs (1)

322-323: LGTM! Error variant correctly implements trusted issuer validation failures.

The new TrustedIssuerValidation variant properly wraps TrustedIssuerError using the #[source] attribute for error chaining, following Rust error handling best practices and the project's use of the thiserror crate.

jans-cedarling/cedarling/src/jwt/mod.rs (1)

79-79: The visibility of test_utils is correctly set to pub(crate), not pub. No change occurred, and no action is needed. Test utilities remain crate-private as intended, with all usages contained within the cedarling crate.

Likely an incorrect or invalid review comment.

jans-cedarling/cedarling/src/common/policy_store/manager.rs (6)

1-37: LGTM!

License header, module documentation with architecture diagram, and imports are all properly structured. Imports follow the expected grouping pattern with std/external crates first, then internal modules.

---

39-65: LGTM!

Error enum correctly uses thiserror as per coding guidelines, with descriptive error messages that include context for debugging.

---

108-158: LGTM!

The main conversion flow is well-structured with clear separation of concerns. The optional logger integration properly uses the log_any trait method on Option<Logger>.

---

169-220: LGTM!

Schema conversion implementation correctly handles parsing, validation, and conversion to the legacy CedarSchema format. The note about double-parsing (lines 189-192) appropriately documents the trade-off.

---

338-361: Potential inconsistency in entity validation flow.

The entity conversion calls create_entities_store(all_parsed_entities) on line 358, which includes potentially duplicate entities, but the result is discarded. The final output uses unique_entities from detect_duplicates.

If Cedar's create_entities_store rejects duplicate UIDs, this validation will fail even though the intended behavior (per PR objectives) is "last-write-wins" for duplicates. Conversely, if it accepts duplicates, the validation may pass scenarios that will behave differently at runtime.

Consider validating with unique_entities instead:

-        // Step 4: Validate entities can form a valid Cedar entity store
-        // This validates entity constraints like types and attribute compatibility
-        EntityParser::create_entities_store(all_parsed_entities).map_err(|e| {
+        // Step 4: Validate unique entities can form a valid Cedar entity store
+        // This validates entity constraints like types and attribute compatibility
+        // We validate after deduplication to match runtime behavior (last-write-wins)
+        let unique_entities_vec: Vec<_> = unique_entities.values().cloned().collect();
+        EntityParser::create_entities_store(unique_entities_vec).map_err(|e| {
             ConversionError::EntityConversion(format!("Failed to create entity store: {}", e))
         })?;

Please verify whether EntityParser::create_entities_store accepts or rejects duplicate entity UIDs, and whether the validation should occur before or after deduplication to match the intended runtime behavior.

---

417-442: LGTM!

Version parsing tests correctly cover valid versions with/without 'v' prefix and invalid format error handling. Tests follow project patterns with explicit error assertions using matches!.

jans-cedarling/cedarling/src/http/mod.rs (5)

49-66: LGTM!

The get and get_bytes methods provide a clean API for fetching text and binary content with consistent retry behavior. Good use of the new send_text and send_bytes methods from Sender.

---

83-84: LGTM!

The type alias provides backward compatibility for existing code using HttpClientError while migrating to the unified HttpRequestError type.

---

133-171: LGTM!

Tests properly verify retry behavior on both network failures and HTTP error status codes. The use of expect_at_least(1) correctly accounts for the retry mechanism making multiple requests.

---

173-229: LGTM!

Good test coverage for the new get_bytes method, including successful fetch, HTTP error retries, and max retries exceeded scenarios. Tests follow the same patterns as the existing get tests.

---

10-47: Good refactoring to use http_utils Sender and Backoff.

The migration to use Sender and Backoff from http_utils is well-implemented. The create_sender helper cleanly encapsulates the backoff strategy creation.

The max_retries parameter semantics are correct: the parameter is passed directly to Backoff::new_exponential as max_attempts, where max_attempts=N allows exactly N calls to snooze() (representing N retries after the initial attempt). This aligns properly with the parameter name max_retries.

jans-cedarling/http_utils/src/lib.rs (3)

43-55: LGTM!

New error variants properly cover the text and bytes decoding failure cases with appropriate source error chaining via #[source].

---

67-111: LGTM!

The send_with_retry refactoring cleanly extracts the core retry loop. The TODO comments appropriately document the logging limitation in this low-level crate, which aligns with the learning about avoiding println!/eprintln! in WASM builds.

---

113-176: LGTM!

The public API surface is well-designed:

• send<T> for JSON deserialization
• send_text for raw text responses
• send_bytes for binary content

Each method appropriately maps to its corresponding error variant. The documentation correctly notes that RequestBuilder must be re-created for each attempt.

jans-cedarling/cedarling/src/init/policy_store.rs (5)

11-35: LGTM!

Import additions and new error variants are properly structured. The #[from] derive on ConversionError enables clean error propagation with the ? operator.

---

55-68: LGTM!

Setting metadata: None for legacy format entries correctly distinguishes between new format loads (which have metadata) and legacy format loads.

---

102-106: LGTM!

Clean dispatch to the appropriate loader function for each new PolicyStoreSource variant.

---

168-201: LGTM!

The URL-based loading correctly uses the new get_bytes method for fetching archives and works across all platforms including WASM.

---

251-281: LGTM!

The load_policy_store_from_archive_bytes function provides a flexible entry point for loading archives from any source. Good documentation explaining the use cases (WASM with custom fetch, embedded archives, non-standard sources).

The bytes.to_vec() call on line 265 is necessary since the loader likely needs ownership of the data.

jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs (1)

289-667: Tests provide good coverage and follow error‑checking guidelines.

The unit tests exercise simple/complex entities, array vs object formats, invalid JSON and type names, duplicates, hierarchy validation, store creation, and optional schema validation. They consistently use expect_err plus matches! with explicit messages, matching the project’s testing guidelines.

jans-cedarling/cedarling/Cargo.toml (1)

50-53: New dependencies and benchmark wiring look consistent with usage.

vfs, hex, sha2, zip, and tempfile match the VFS/ZIP/manifest/test code in this PR, and the policy_store_benchmark entry is wired correctly as an additional bench target (assuming the bench file exists in the repo).

Also applies to: 68-68, 86-88

jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs (1)

34-583: Comprehensive archive security test coverage; patterns align with guidelines.

The test modules here thoroughly exercise path traversal protections, malformed/corrupted archives, invalid inputs across metadata/entities/issuers, manifest checksum behavior, resource‑exhaustion scenarios, and extension validation. Assertions consistently use expect_err plus matches! (or positive expect) with descriptive messages, matching the project’s testing guidelines.

jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs (1)

122-1153: Loader tests give strong end‑to‑end coverage across directory, archive, entities, and issuers.

The tests in this file exercise directory validation, optional components, policy/template parsing, schema parsing/validation, entity parsing (including complex attributes), issuer parsing/validation (including duplicates and required fields), and multiple VFS backends and archive variants. They follow the local style of using expect/expect_err and explicit matches! assertions, which should make regressions easier to diagnose.

jans-cedarling/cedarling/src/common/policy_store/loader.rs (2)

452-503: Case-insensitive JSON extension validation for trusted issuers looks correct.

The trusted-issuer loader now lowercases entry.name before checking .ends_with(".json") and reports a detailed InvalidFileExtension with both expected and actual extensions. This handles .json, .JSON, and mixed-case correctly and yields actionable errors when the extension is wrong.

---

536-600: Case-insensitive .cedar and .json validation and recursive scanning are correctly implemented.

The helpers load_cedar_files_recursive and load_json_files:

• Recursively traverse subdirectories for policies,
• Enforce case-insensitive .cedar/.json extensions via to_lowercase().ends_with(...), and
• Return InvalidFileExtension with both expected and actual suffixes when mismatched.

This matches the requirements for strict extension enforcement and supports nested policy layouts.

[coderabbitai]

Actionable comments posted: 9

Fix all issues with AI Agents 🤖

In @jans-cedarling/bindings/cedarling_go/README.md:
- Around line 276-292: The README's Go example uses a single map literal "config
:= map[string]any{...}" with repeated keys ("CEDARLING_POLICY_STORE_LOCAL_FN"
and "CEDARLING_POLICY_STORE_URI"), causing earlier entries to be overwritten;
fix by replacing the single combined block with separate example blocks (or
distinct snippets) showing alternative configs: one block for the JSON file
using "CEDARLING_POLICY_STORE_LOCAL_FN", one for a Cedar directory using
"CEDARLING_POLICY_STORE_LOCAL_FN", one for a local .cjar using
"CEDARLING_POLICY_STORE_LOCAL_FN", one for a remote .cjar using
"CEDARLING_POLICY_STORE_URI", and one for the Lock Server using
"CEDARLING_POLICY_STORE_URI" so each "config := map[string]any{...}" contains
only one unique key assignment per example.

In @jans-cedarling/cedarling/Cargo.toml:
- Around line 50-53: Update the pinned dependency versions in Cargo.toml: bump
vfs from "0.12" to "0.12.2" and sha2 from "0.10.8" to "0.10.9" (or switch those
entries to caret semantics like ^0.12 and ^0.10 to automatically include patch
updates); leave hex = "0.4.3" and zip = "7.0.0" as-is. Ensure the changes
reference the dependency names vfs and sha2 in the Cargo.toml so future cargo
resolves the newer patch releases.

In @jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs:
- Around line 461-472: The test currently silently skips checksum mutation when
schema.cedarschema is missing or ≤10 bytes; update the block around
schema_path/temp_dir so it fails loudly or forces a mutation: explicitly assert
schema_path.exists() and that fs::read(&schema_path).unwrap().len() > 10 (or, if
you prefer, create/overwrite schema.cedarschema with a deliberately mutated
payload) instead of silently returning—use the symbols schema_path,
schema.cedarschema, schema_content, and mid_index to locate the logic and ensure
the test either modifies the file or fails so checksum detection is actually
exercised.
- Around line 374-377: The long string passed to zip.write_all in
archive_security_tests.rs exceeds the 100-char limit; split the JSON byte string
into multiple adjacent byte string literals (or build it in a short variable) so
no source line is over 100 chars. Locate the zip.start_file("metadata.json",
...) / zip.write_all(...) call and replace the single long br#"... "# literal
with two or more br#"..."# literals concatenated (e.g.
br#"{"cedar_version":"4.4.0","policy_store":"# and
br#"{"id":"abc123def456","name":"Test","version":"1.0.0"}}"#) or assign the JSON
to a short-named variable assembled from short literals and pass that to
zip.write_all.

In @jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs:
- Around line 248-257: The error currently returned from create_entities_store
wraps Entities::from_entities failure with a hardcoded file "entity_store" which
lacks context; update the PolicyStoreError::CedarEntityError construction in
create_entities_store to include identifying details about the entities being
created (e.g., collect and include a concise summary like joined entity names or
ids from entities.into_iter() before calling Entities::from_entities) and pass
that summary into the error (or into CedarEntityErrorType::EntityStoreCreation)
so the error message indicates which entities caused the failure while
preserving the original inner error text from Entities::from_entities.

In @jans-cedarling/cedarling/src/init/policy_store.rs:
- Around line 122-281: The repeated post-load conversion logic should be
extracted into a single helper (e.g., fn convert_loaded_to_legacy(loaded:
LoadedPolicyStore) -> Result<PolicyStoreWithID, SomeError>) that encapsulates
cloning metadata, calling PolicyStoreManager::convert_to_legacy, and building
PolicyStoreWithID; update load_policy_store_from_cjar_file,
load_policy_store_from_cjar_url, load_policy_store_from_directory, and
load_policy_store_from_archive_bytes to call this helper after obtaining
`loaded` and map its error into PolicyStoreLoadError as needed so each loader
just loads and delegates conversion.

In @jans-cedarling/http_utils/src/lib.rs:
- Around line 157-176: The send_bytes function currently returns Vec<u8> and
calls response.bytes().await.map(|b| b.to_vec()), causing an unnecessary
allocation/copy for large payloads; change the signature of pub async fn
send_bytes<F>(&mut self, request: F) -> Result<Vec<u8>, HttpRequestError> to
return bytes::Bytes (Result<Bytes, HttpRequestError>), remove the .to_vec() so
you return the Bytes directly from response.bytes().await, and update the error
mapping (HttpRequestError::DecodeResponseBytes) if its payload type assumes
Vec<u8> — also ensure callers/imports accept bytes::Bytes (or re-export
bytes::Bytes) and adjust any downstream code that expects Vec<u8>.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

jans-cedarling/http_utils/src/lib.rs (1)

67-111: Silently swallowing errors harms observability.

The retry loop discards both network errors (line 83) and HTTP error status responses (line 97) without any indication to callers. When MaxRetriesExceeded is eventually returned, the user has no context about which errors triggered the retries or why the request failed.

While the TODO comments acknowledge adding a logging hook later, this creates a significant observability gap for troubleshooting network issues.

Consider one of these approaches:

• Store and return the last error encountered alongside MaxRetriesExceeded (e.g., MaxRetriesExceeded { last_error: Box<dyn Error> }).
• Accept an optional error callback in the constructor to enable callers to log/track retry attempts.
• At minimum, preserve and expose retry count and error summaries.

♻️ Duplicate comments (7)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (1)

87-109: Critical: Missing manifest validation for archive loading.

load_policy_store_archive does not validate the manifest when present, creating an inconsistency with both load_policy_store_directory (lines 54-56) and load_policy_store_archive_bytes (lines 137-156). This allows archives loaded from file paths to bypass integrity checks that archives loaded from bytes must pass.

Per PR objectives, manifest validation should be performed for all archive loading paths to ensure integrity.

🔎 Proposed fix

     tokio::task::spawn_blocking(move || {
         use super::archive_handler::ArchiveVfs;
         let archive_vfs = ArchiveVfs::from_file(&path)?;
         let loader = DefaultPolicyStoreLoader::new(archive_vfs);
-        loader.load_directory(".")
+        let loaded = loader.load_directory(".")?;
+
+        // Validate manifest if present (same validation used for archive-backed loading)
+        #[cfg(not(target_arch = "wasm32"))]
+        if let Some(ref _manifest) = loaded.manifest {
+            use super::manifest_validator::ManifestValidator;
+            use std::path::PathBuf;
+
+            // Create a new ArchiveVfs instance for validation
+            let validator_vfs = ArchiveVfs::from_file(&path)?;
+            let validator = ManifestValidator::new(validator_vfs, PathBuf::from("."));
+            let result = validator.validate(Some(&loaded.metadata.policy_store.id));
+
+            // If validation fails, return the first error
+            if !result.is_valid
+                && let Some(error) = result.errors.first()
+            {
+                return Err(PolicyStoreError::ManifestError {
+                    err: error.error_type.clone(),
+                });
+            }
+        }
+
+        Ok(loaded)
     })

jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs (1)

262-286: Hierarchy validation is correctly implemented.

The validation properly checks that all parent references point to existing entities and provides clear error messages with file context.

jans-cedarling/cedarling/src/init/policy_store.rs (3)

122-148: LGTM: Native archive loading correctly implemented.

The function properly loads from archive, extracts metadata, and converts to legacy format. The metadata cloning on lines 137-138 was previously reviewed and deemed acceptable.

---

150-166: WASM stub provides clearer error messages.

This WASM-specific implementation returns a more descriptive error message when file path loading is attempted in WASM. The previous discussion (lines 153) about whether conditional compilation is necessary has been addressed by the maintainers.

---

233-249: WASM stub consistent with cjar_file implementation.

This WASM-specific stub follows the same pattern as load_policy_store_from_cjar_file and provides a clear error message for WASM environments. The previous discussion (line 208) about conditional compilation applies here as well.

jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs (2)

424-428: Use expect() instead of is_ok() + unwrap() for clearer errors.

Per coding guidelines, combine the assertion and unwrap into a single expect() call.

🔎 Suggested improvement

     let result = PhysicalLoader::create_policy_set(policies, templates);
-    assert!(result.is_ok());
-
-    let policy_set = result.unwrap();
+    let policy_set = result.expect("PolicySet creation should succeed for valid policies and templates");

---

220-221: Consider using expect() instead of assert!(result.is_ok()).

Per coding guidelines, result.expect("message") provides clearer error messages when tests fail. This is a minor improvement.

🔎 Suggested improvement

-    assert!(result.is_ok());
+    result.expect("Directory structure validation should succeed for valid structure");

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ed8d0cc and 4d6b214.

📒 Files selected for processing (16)

• docs/cedarling/tutorials/go.md
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/http/mod.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/http_utils/src/lib.rs

🧰 Additional context used

📓 Path-based instructions (3)

jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

• jans-cedarling/http_utils/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/http/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

jans-cedarling/**/*test*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*test*.rs: Use test_utils crate for shared test helpers
Include both positive and negative test cases in test files
For error checking in tests, use assert!(matches!(...), "explicit comment") instead of assert!(result.is_err())
Use expect_err("explicit comment") instead of panic() in tests
Always include explicit comments explaining what error is expected in test assertions

Files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

jans-cedarling/**/Cargo.toml

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

Build all workspace members using cargo build --workspace

Files:

• jans-cedarling/cedarling/Cargo.toml

🧠 Learnings (45)

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use 4-space indentation (no tabs) in all Rust code

Applied to files:

• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Build main cedarling crate using `cargo build -p cedarling`

Applied to files:

• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/Cargo.toml

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Generate and view documentation with `cargo doc -p cedarling --no-deps --open`

Applied to files:

• docs/cedarling/tutorials/go.md
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/bindings/cedarling_wasm/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Build updated Python bindings using `cd bindings/cedarling_python && maturin develop` and consult README.md if errors occur

Applied to files:

• docs/cedarling/tutorials/go.md

📚 Learning: 2025-12-10T14:10:48.131Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

• jans-cedarling/http_utils/src/lib.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/http/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/src/tests/**/*.rs : Place integration tests in src/tests/ directory

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run specific test files using `cargo test -p cedarling --test authorize_unsigned` format

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : For error checking in tests, use `assert!(matches!(...), "explicit comment")` instead of `assert!(result.is_err())`

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use `expect_err("explicit comment")` instead of `panic()` in tests

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer Result<T, E> over panics for error handling

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include context in error messages for better debugging

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/Cargo.toml

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run main crate tests with `cargo test -p cedarling`

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/Cargo.toml

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-11-28T05:59:26.842Z

Learnt from: haileyesus2433
Repo: JanssenProject/jans PR: 12455
File: jans-cedarling/cedarling/src/jwt/mod.rs:143-145
Timestamp: 2025-11-28T05:59:26.842Z
Learning: In jans-cedarling JWT service, the local-JWKS-only configuration (no trusted issuers) loads keys but does not initialize validators. This means signed tokens will hit ValidateJwtError::MissingValidator and be skipped. This is acceptable as the intended use case is authorize_unsigned. Validator setup for JWKS-only signed authorization is planned for future implementation.

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs
• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-26T17:33:20.543Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:20.543Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-24T14:16:17.748Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include examples in docstrings for complex functionality

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-12-04T12:17:12.662Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12797
File: jans-cedarling/AGENTS.md:82-88
Timestamp: 2025-12-04T12:17:12.662Z
Learning: In the jans-cedarling project, the AGENTS.md file is AI-generated and used only by AI agents, so markdown linting issues (such as MD031, MD040) for this file can be ignored during code reviews.

Applied to files:

• jans-cedarling/cedarling/src/tests/policy_store_loader.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use derive_more crate for error derivation when needed

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/jwt/validation/validator.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Leverage serde for serialization/deserialization in Rust

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs

📚 Learning: 2025-12-01T00:02:51.580Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/bindings/cedarling_wasm/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run benchmarks using `cargo bench -p cedarling`

Applied to files:

• jans-cedarling/cedarling/Cargo.toml

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/Cargo.toml : Build all workspace members using `cargo build --workspace`

Applied to files:

• jans-cedarling/cedarling/Cargo.toml

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use smol_str for string optimization where appropriate in Rust

Applied to files:

• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T14:10:52.927Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:52.927Z
Learning: Applies to jans-cedarling/**/*.rs: Avoid using `println!` or `eprintln!` as they don't work in WASM. Use the Logger with `logger.log(&System::log_msg(...))` pattern instead.

Applied to files:

• jans-cedarling/cedarling/Cargo.toml

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

• jans-cedarling/cedarling/Cargo.toml
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/jwt/mod.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
• jans-cedarling/bindings/cedarling_wasm/README.md
• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Enforce maximum line width of 100 characters in Rust code

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/manager.rs
• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use thiserror crate for custom error types

Applied to files:

• jans-cedarling/cedarling/src/jwt/validation/validator.rs

📚 Learning: 2025-10-30T13:03:03.905Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12544
File: jans-cedarling/cedarling/src/tests/authorize_resource_entity.rs:65-109
Timestamp: 2025-10-30T13:03:03.905Z
Learning: In Rust, when `use tokio::test;` is present at the top of a file, the `#[test]` attribute refers to `tokio::test` (the async test macro), not the standard library's `#[test]`. This is a valid pattern for writing async tests with Tokio.

Applied to files:

• jans-cedarling/cedarling/src/jwt/mod.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use PascalCase for types, traits, and enums in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
• jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use snake_case for variables, functions, and modules in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs

📚 Learning: 2025-12-19T06:30:26.460Z

Learnt from: duttarnab
Repo: JanssenProject/jans PR: 12806
File: demos/janssen-tarp/browser-extension/src/ai/index.ts:61-72
Timestamp: 2025-12-19T06:30:26.460Z
Learning: Jans Tarp (demos/janssen-tarp) is a testing and development tool for OIDC flows and Cedarling authorization. For this project, storing access tokens and id tokens in browser storage (chrome.storage.local) is acceptable because it's designed for testing/development scenarios, not production use.

Applied to files:

• jans-cedarling/bindings/cedarling_wasm/README.md

📚 Learning: 2025-11-05T19:45:46.720Z

Learnt from: iromli
Repo: JanssenProject/jans PR: 12623
File: docker-jans-auth-server/Dockerfile:75-78
Timestamp: 2025-11-05T19:45:46.720Z
Learning: The jans-lock-cedarling artifact is available in the Janssen Maven repository at https://jenkins.jans.io/maven/io/jans/jans-lock-cedarling/0.0.0-nightly/ for the nightly version.

Applied to files:

• jans-cedarling/bindings/cedarling_wasm/README.md

🧬 Code graph analysis (5)

jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs (4)

jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (3)

• from_buffer (167-170)
• exists (289-291)
• from_file (129-150)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (2)

• load_policy_store_directory (33-69)
• load_policy_store_directory (76-80)

jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs (3)

• exists (59-59)
• exists (134-138)
• exists (248-252)

jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs (1)

• parse_issuer (35-69)

jans-cedarling/cedarling/src/tests/policy_store_loader.rs (1)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (1)

• load_policy_store_archive_bytes (128-159)

jans-cedarling/cedarling/src/init/policy_store.rs (2)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (5)

• load_policy_store_archive (87-109)
• load_policy_store_archive (116-120)
• load_policy_store_archive_bytes (128-159)
• load_policy_store_directory (33-69)
• load_policy_store_directory (76-80)

jans-cedarling/cedarling/src/common/policy_store/manager.rs (1)

• convert_to_legacy (87-89)

jans-cedarling/cedarling/src/jwt/mod.rs (3)

jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (4)

• validate_required_claims (318-325)
• validate_required_claims (345-369)
• with_logger (158-195)
• key_service (472-474)

jans-cedarling/cedarling/src/jwt/validation/validator.rs (1)

• iss (276-278)

jans-cedarling/cedarling/src/jwt/token.rs (1)

• new (24-30)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (5)

jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (3)

• from_file (129-150)
• from_buffer (167-170)
• from_reader (71-108)

jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs (3)

• new (48-55)
• new (92-94)
• load_manifest (97-129)

jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs (2)

• new (82-85)
• new (171-174)

jans-cedarling/cedarling/src/common/policy_store/validator.rs (1)

• parse_and_validate (125-137)

jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs (2)

• parse_policy (53-86)
• parse_template (94-129)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: rust_benchmarks
• GitHub Check: rust_tests
• GitHub Check: rust_tests
• GitHub Check: rust_benchmarks

[coderabbitai]

Actionable comments posted: 1

Fix all issues with AI Agents 🤖

In @jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs:
- Around line 16-28: Reorder the use statements so standard library and external
crates come first and internal super::* modules after; specifically move
std::io::{Cursor, Write} and zip::{CompressionMethod, ZipWriter} plus
zip::write::{ExtendedFileOptions, FileOptions} above the super::... imports
(those referencing ArchiveVfs, EntityParser/ParsedEntity,
ArchiveError/PolicyStoreError/ValidationError, IssuerParser,
DefaultPolicyStoreLoader, test_utils items, VfsFileSystem), then run cargo
fmt/rustfmt to apply the project's rustfmt.toml (imports_granularity = "Module")
to ensure grouping is correct.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

jans-cedarling/cedarling/src/init/policy_store.rs (1)

62-63: Remove unnecessary clone.

policy_store is already an owned value from the map closure, so the .clone() is redundant and creates an unnecessary copy.

🔎 Suggested fix

     match policy_store_option {
-        Some(policy_store) => Ok(policy_store.clone()),
+        Some(policy_store) => Ok(policy_store),
         None => Err(PolicyStoreLoadError::InvalidStore(

♻️ Duplicate comments (2)

jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs (2)

209-221: Consider using expect() for clearer failure messages.

Line 220 uses assert!(result.is_ok()) which provides minimal context on failure. Per coding guidelines, expect() with an explicit message is preferred.

🔎 Suggested improvement

-    let result = loader.validate_directory_structure(dir.to_str().unwrap());
-
-    assert!(result.is_ok());
+    loader
+        .validate_directory_structure(dir.to_str().unwrap())
+        .expect("Directory structure validation should succeed for valid structure");

---

424-428: Same assert!(is_ok()) + unwrap() pattern.

This was flagged in a previous review. Consider combining into a single expect() call.

🔎 Suggested improvement

-    let result = PhysicalLoader::create_policy_set(policies, templates);
-    assert!(result.is_ok());
-
-    let policy_set = result.unwrap();
+    let policy_set = PhysicalLoader::create_policy_set(policies, templates)
+        .expect("PolicySet creation should succeed for valid policies and templates");

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4d6b214 and 1b40668.

📒 Files selected for processing (5)

• jans-cedarling/bindings/cedarling_go/README.md
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/cedarling/src/init/policy_store.rs

🧰 Additional context used

📓 Path-based instructions (2)

jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

jans-cedarling/**/*test*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*test*.rs: Use test_utils crate for shared test helpers
Include both positive and negative test cases in test files
For error checking in tests, use assert!(matches!(...), "explicit comment") instead of assert!(result.is_err())
Use expect_err("explicit comment") instead of panic() in tests
Always include explicit comments explaining what error is expected in test assertions

Files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

🧠 Learnings (33)

📓 Common learnings

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-24T14:16:17.748Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs

📚 Learning: 2025-12-10T14:10:48.131Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-26T17:33:20.543Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:20.543Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-12-01T00:02:51.580Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-10-30T13:03:03.905Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12544
File: jans-cedarling/cedarling/src/tests/authorize_resource_entity.rs:65-109
Timestamp: 2025-10-30T13:03:03.905Z
Learning: In Rust, when `use tokio::test;` is present at the top of a file, the `#[test]` attribute refers to `tokio::test` (the async test macro), not the standard library's `#[test]`. This is a valid pattern for writing async tests with Tokio.

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

• jans-cedarling/cedarling/src/init/policy_store.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/src/tests/**/*.rs : Place integration tests in src/tests/ directory

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run specific test files using `cargo test -p cedarling --test authorize_unsigned` format

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run main crate tests with `cargo test -p cedarling`

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : For error checking in tests, use `assert!(matches!(...), "explicit comment")` instead of `assert!(result.is_err())`

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use `expect_err("explicit comment")` instead of `panic()` in tests

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer Result<T, E> over panics for error handling

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include context in error messages for better debugging

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Enforce maximum line width of 100 characters in Rust code

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use smol_str for string optimization where appropriate in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use 4-space indentation (no tabs) in all Rust code

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-04T12:17:12.662Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12797
File: jans-cedarling/AGENTS.md:82-88
Timestamp: 2025-12-04T12:17:12.662Z
Learning: In the jans-cedarling project, the AGENTS.md file is AI-generated and used only by AI agents, so markdown linting issues (such as MD031, MD040) for this file can be ignored during code reviews.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use SCREAMING_SNAKE_CASE for constants in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use thiserror crate for custom error types

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

• jans-cedarling/bindings/cedarling_go/README.md

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include examples in docstrings for complex functionality

Applied to files:

• jans-cedarling/bindings/cedarling_go/README.md

🧬 Code graph analysis (1)

jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (1)

jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs (20)

• new (82-85)
• new (171-174)
• read_file (48-53)
• exists (59-59)
• exists (134-138)
• exists (248-252)
• is_dir (62-62)
• is_dir (140-146)
• is_dir (254-260)
• is_file (67-67)
• is_file (148-154)
• is_file (262-268)
• read_dir (56-56)
• read_dir (112-132)
• read_dir (226-246)
• open_file (42-42)
• open_file (104-110)
• open_file (218-224)
• default (97-99)
• default (211-213)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: python_tests (3.10)
• GitHub Check: wasm_tests
• GitHub Check: rust_tests
• GitHub Check: golang_tests
• GitHub Check: python_tests (3.11)
• GitHub Check: rust_benchmarks

🔇 Additional comments (19)

jans-cedarling/bindings/cedarling_go/README.md (1)

270-301: Excellent fix for the duplicate map keys issue.

The Policy Store Sources section now correctly separates each configuration example into its own config := map[string]any{ ... } block, eliminating the earlier problem where duplicate keys would overwrite each other. This ensures developers copying these examples will get the correct behavior.

The addition of the documentation link (line 272) provides helpful context for those needing more details on policy store formats. The five distinct examples—JSON file, directory, local .cjar, remote .cjar, and Lock Server—comprehensively cover the supported loading methods.

jans-cedarling/cedarling/src/init/policy_store.rs (7)

122-148: LGTM!

The native implementation correctly delegates to the loader and handles the conversion to legacy format with appropriate error mapping.

---

150-159: LGTM!

The WASM stub cleanly returns an error directing users to use CjarUrl instead.

---

161-194: LGTM!

Cross-platform implementation correctly fetches the archive via HTTP and processes it through the bytes loader. The HTTP client configuration is consistent with other loaders in this file.

---

196-224: LGTM!

The native directory loader correctly delegates to the loader module which handles both the blocking I/O and manifest validation internally.

---

244-274: LGTM!

The archive bytes loader is well-documented with clear use cases. Being synchronous is appropriate since it operates on in-memory data without filesystem I/O.

---

276-336: Tests for new source types already exist in the integration test suite.

Comprehensive integration tests covering CjarFile, CjarUrl, Directory, and ArchiveBytes sources are already present in src/tests/policy_store_loader.rs, including tests for successful loading, authorization flows, manifest validation, and error handling. While the unit test module in policy_store.rs could optionally include basic dispatch tests for these sources, the functionality is thoroughly tested at the integration level.

Likely an incorrect or invalid review comment.

---

226-242: Inconsistent WASM stub pattern.

This WASM stub calls loader::load_policy_store_directory and wraps its error, while load_policy_store_from_cjar_file (lines 153-159) directly returns an error without calling the loader. For consistency and simpler code, consider applying the same direct-return pattern:

🔎 Suggested simplification

 #[cfg(target_arch = "wasm32")]
 async fn load_policy_store_from_directory(
     _path: &Path,
 ) -> Result<PolicyStoreWithID, PolicyStoreLoadError> {
-    use crate::common::policy_store::loader;
-
-    // Call the loader stub function to ensure it's used and the error variant is constructed
-    match loader::load_policy_store_directory(_path).await {
-        Err(e) => Err(PolicyStoreLoadError::Directory(format!(
-            "Loading from directory is not supported in WASM. Original error: {}",
-            e
-        ))),
-        Ok(_) => unreachable!("WASM stub should always return an error"),
-    }
+    Err(PolicyStoreLoadError::Directory(
+        "Loading from directory is not supported in WASM. Use CjarUrl or ArchiveBytes instead.".to_string(),
+    ))
 }

⛔ Skipped due to learnings

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:52.927Z
Learning: Applies to jans-cedarling/**/*.rs: Avoid using `println!` or `eprintln!` as they don't work in WASM. Use the Logger with `logger.log(&System::log_msg(...))` pattern instead.

jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs (1)

1-725: Excellent security test coverage!

This test file provides comprehensive coverage of security scenarios for policy store archive loading:

✅ Path traversal protections: Parent directory traversal, absolute paths, double-dot sequences, Windows-style separators
✅ Malicious archive handling: Corrupted ZIPs, non-ZIP files, empty files, deeply nested paths, large filenames
✅ Input validation: Invalid JSON, Cedar syntax errors, entity/issuer validation, Unicode handling
✅ Manifest security: Checksum mismatch detection, missing manifests, invalid checksum formats
✅ Resource exhaustion: Many files, large policies, deeply nested entity hierarchies
✅ File extension validation: Proper .cjar acceptance and wrong extension rejection

The test patterns follow coding guidelines consistently:

• Uses expect_err("explicit comment") for error assertions
• Uses assert!(matches!(err, ErrorVariant { .. }), "context") for error type validation
• Includes both positive and negative test cases
• Provides clear, descriptive error messages

All previously flagged issues have been properly addressed in commit ce9d76b. Great work!

Based on learnings: Tests follow existing patterns in test files and use proper error assertion patterns.

jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (5)

1-52: LGTM! Well-structured archive VFS implementation.

The module documentation clearly explains WASM compatibility, and the ArchiveVfs<T> design with Mutex<ZipArchive<T>> properly enables thread-safe access. The generic approach allows both file-based (std::fs::File) and in-memory (Cursor<Vec<u8>>) backends.

---

71-108: Solid path traversal protection with defense-in-depth.

The implementation correctly uses enclosed_name() (lines 88-102) as recommended in past reviews, which handles path traversal, backslashes, absolute paths, and drive letters. The additional ".." check on line 93 provides an extra safety layer.

---

128-150: LGTM! Native-only file loading with proper validation.

The .cjar extension validation provides a useful guardrail, and the implementation correctly delegates to from_reader for common validation logic.

---

266-387: VfsFileSystem implementation is correct and handles edge cases well.

The two-pass algorithm in read_dir (lines 328-378) correctly avoids deadlocks by collecting paths first, then checking directory status with is_directory_locked. Mutex poisoning is handled gracefully throughout.

Note: open_file reads the entire file into memory before returning a Cursor. This is necessary because ZipArchive doesn't provide streaming access to individual entries, but be aware this could be memory-intensive for very large files within archives.

---

389-609: Good test coverage with appropriate assertions.

The tests cover:

• Archive creation from buffer and file (positive cases)
• Invalid ZIP format and path traversal attempts (negative cases)
• File/directory operations and complex directory structures

Test assertions follow coding guidelines with expect_err() and explicit comments explaining expected errors.

jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs (5)

1-120: Well-organized test helpers and imports.

The create_test_policy_store and create_test_archive helpers provide consistent test fixtures. The type alias PhysicalLoader improves test readability.

---

431-648: Comprehensive end-to-end tests for policies, schema, and entities.

These tests effectively validate the complete loading and parsing pipeline. The coverage includes complex attributes and multiple entity types.

---

880-989: Excellent issuer validation test coverage.

The tests cover:

• Duplicate issuer ID detection with clear error messages
• Missing required fields validation
• Source file traceability in error messages

The use of MemoryVfs for these tests demonstrates the VFS abstraction working correctly.

---

1155-1351: Comprehensive archive VFS integration tests.

These tests validate:

• Loading from file path (native) and from bytes (WASM-compatible)
• Manifest validation integration with ArchiveVfs
• Multiple policies in nested directory structures

The test_archive_vfs_vs_physical_vfs_equivalence test (lines 1422-1472) is particularly valuable for ensuring the VFS abstraction maintains consistent behavior across implementations.

---

1353-1473: LGTM! Archive tests with nested structures and equivalence validation.

The final tests demonstrate that the loader correctly:

• Recursively scans subdirectories for policies (lines 1383-1403)
• Produces equivalent results from ArchiveVfs and direct content

[coderabbitai]

Actionable comments posted: 2

Fix all issues with AI Agents 🤖

In @jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs:
- Around line 286-331: The tests test_rejects_invalid_entity_json and
test_rejects_invalid_trusted_issuer rely on finding an invalid file inside the
loaded.entities / loaded.trusted_issuers loops but only call panic!() if none
are found; add an explicit assertion before each loop that the fixture produced
at least one file to validate (e.g., assert!(!loaded.entities.is_empty(), "...")
and assert!(!loaded.trusted_issuers.is_empty(), "...")), or assert the expected
count/name if the fixture should produce a specific file, so the test fails with
a clear message when fixture setup is wrong rather than reaching the loop end.

In @jans-cedarling/cedarling/src/common/policy_store/loader.rs:
- Around line 82-109: The native-only async function load_policy_store_archive
is missing a WASM stub which breaks API consistency with
load_policy_store_directory; add a #[cfg(target_arch = "wasm32")] async stub
named load_policy_store_archive with the same signature that returns
Err(super::errors::ArchiveError::WasmUnsupported.into()) and a short doc comment
explaining archive loading is unsupported on WASM (suggesting
load_policy_store_archive_bytes instead) so callers compile on both targets.

♻️ Duplicate comments (1)

jans-cedarling/cedarling/src/common/policy_store/loader.rs (1)

21-26: Import ordering is correct.

Follows the project convention: standard library first, then internal modules.

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1b40668 and 7788ea3.

📒 Files selected for processing (2)

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

🧰 Additional context used

📓 Path-based instructions (2)

jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

jans-cedarling/**/*test*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*test*.rs: Use test_utils crate for shared test helpers
Include both positive and negative test cases in test files
For error checking in tests, use assert!(matches!(...), "explicit comment") instead of assert!(result.is_err())
Use expect_err("explicit comment") instead of panic() in tests
Always include explicit comments explaining what error is expected in test assertions

Files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

🧠 Learnings (29)

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/src/tests/**/*.rs : Place integration tests in src/tests/ directory

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run specific test files using `cargo test -p cedarling --test authorize_unsigned` format

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run main crate tests with `cargo test -p cedarling`

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : For error checking in tests, use `assert!(matches!(...), "explicit comment")` instead of `assert!(result.is_err())`

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use `expect_err("explicit comment")` instead of `panic()` in tests

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer Result<T, E> over panics for error handling

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include context in error messages for better debugging

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Enforce maximum line width of 100 characters in Rust code

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use smol_str for string optimization where appropriate in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-01T00:02:51.580Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use 4-space indentation (no tabs) in all Rust code

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-04T12:17:12.662Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12797
File: jans-cedarling/AGENTS.md:82-88
Timestamp: 2025-12-04T12:17:12.662Z
Learning: In the jans-cedarling project, the AGENTS.md file is AI-generated and used only by AI agents, so markdown linting issues (such as MD031, MD040) for this file can be ignored during code reviews.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use SCREAMING_SNAKE_CASE for constants in Rust

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T08:24:27.240Z

Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-10T14:10:48.131Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-24T14:16:17.748Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader.rs

📚 Learning: 2025-12-26T17:33:20.543Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:20.543Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

• jans-cedarling/cedarling/src/common/policy_store/loader.rs

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: python_tests (3.11)
• GitHub Check: rust_benchmarks
• GitHub Check: python_tests (3.10)
• GitHub Check: golang_tests
• GitHub Check: wasm_tests
• GitHub Check: rust_tests

🔇 Additional comments (12)

jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs (2)

1-30: Excellent test structure and organization!

The license header, module documentation, and import organization all follow the coding guidelines correctly. The imports are properly grouped: std library first, external crates (zip), then internal modules (super::*), which aligns with the rustfmt configuration requirements.

The comprehensive security-focused test suite covers:

• Path traversal protections (absolute paths, parent traversal, Windows separators, URL encoding)
• Malicious archive handling (corrupted ZIPs, non-ZIP files, empty archives, deep nesting)
• Input validation (metadata JSON, Cedar syntax, entities, trusted issuers)
• Manifest security (checksum mismatches, invalid formats)
• Resource exhaustion scenarios (many files, large content, deep hierarchies)
• File extension validation

Based on learnings and coding guidelines.

---

39-726: Test patterns consistently follow coding guidelines.

All test functions demonstrate correct usage of error handling patterns per the project's testing guidelines:

• Negative tests use expect_err("explicit message") followed by assert!(matches!(err, ExpectedVariant { .. }), "context")
• Positive tests use expect("descriptive message")
• Both patterns include explicit comments explaining expected behavior
• Comprehensive coverage of both success and failure scenarios

The fixes from commit ce9d76b successfully addressed all previous concerns about weak assertions and conditional error checking.

As per coding guidelines and retrieved learnings.

jans-cedarling/cedarling/src/common/policy_store/loader.rs (10)

1-20: LGTM! Well-documented module with proper license header.

The module documentation clearly explains the internal API boundaries and the design rationale for archive loading (WASM compatibility, efficiency, security). This follows the guideline to document "why" rather than "what."

---

32-69: Well-implemented async loading pattern.

Good use of spawn_blocking to offload blocking filesystem I/O, preventing blocking of the async executor. The manifest validation after loading ensures integrity for directory-based stores.

---

117-148: LGTM! Proper handling of archive bytes with platform-specific validation.

The function correctly provides a synchronous API suitable for WASM and URL-fetched archives. The conditional manifest validation respects platform constraints.

---

150-211: LGTM! Clean data structure design.

Well-organized structs with clear documentation. The generic DefaultPolicyStoreLoader<V: VfsFileSystem> design enables flexible backend support (physical filesystem, memory, archive).

---

244-287: LGTM! Proper logging integration with optional logger.

The if let chain at lines 276-278 correctly guards the log_any call, addressing the previous compilation error. The logger pattern follows WASM-compatible logging conventions per learnings.

---

300-352: LGTM! Comprehensive directory structure validation.

Correctly validates all required components (metadata.json, schema.cedarschema, policies/) with appropriate error types for each failure case.

---

373-395: Good use of streaming JSON parsing.

Using serde_json::from_reader at line 389 is more memory-efficient than reading the entire file to a string first, especially for large manifests.

---

505-559: LGTM! Recursive cedar file loading with proper extension validation.

The recursive scanning supports nested policy organization. Case-insensitive extension checking (to_lowercase() at line 525) handles both .cedar and .CEDAR variants correctly.

---

615-646: LGTM! Clean orchestration with clear documentation.

The documentation clearly explains the validation responsibilities, following the Interface Segregation Principle. Callers are properly directed to higher-level helpers for manifest validation.

---

648-697: LGTM! Well-organized test infrastructure.

Test-only helpers are properly scoped with #[cfg(test)], and the Default implementation provides ergonomic construction for native platforms.

[olehbozhok]

The main comments have been corrected.