Address porting feedback from claude #5031

Merged: lukaszgryglicki merged 5 commits into dev from unicron-fix-porting on May 6, 2026
Conversation

@lukaszgryglicki
Member

No description provided.

@lukaszgryglicki lukaszgryglicki self-assigned this May 5, 2026
Copilot AI review requested due to automatic review settings May 5, 2026 08:57
@coderabbitai

coderabbitai Bot commented May 5, 2026

Walkthrough

Aligns Go datetime serialization/parsing with Python pynamodb formats, makes GitHub organization SSRF validation opt-in via a new parity flag, refactors GitHub validation wiring, updates multiple API handlers (signature creation response, manager ACL flow, GitHub-not-found responses), and adds CLAUDE.md to .gitignore.

Changes

PynamoDB DateTime Serialization / Parsing

Layer / File(s) / Summary:
  • Canonical Format Definition (cla-backend-legacy/internal/store/user_permissions.go, cla-backend-legacy/internal/api/handlers.go): formatPynamoDateTimeUTC rewritten to emit 2006-01-02T15:04:05.000000-0700 (UTC, six fixed microseconds, numeric +0000 timezone) matching Python pynamodb UTCDateTimeAttribute.
  • DynamoDB Reverse Conversion (cla-backend-legacy/internal/store/dynamo_conv_reverse.go): interfaceToAV now serializes time.Time values using the pynamodb-compatible layout instead of time.RFC3339Nano.
  • Legacy Format Parsing (cla-backend-legacy/internal/store/projects.go, cla-backend-legacy/internal/api/handlers.go): parsePynamoDateTimeString / parsePynamoDateTimeStringLocal added no-colon timezone layouts (e.g. -0700) and reordered to try them before colon-based variants.
  • Handler Call Sites / Wiring (cla-backend-legacy/internal/api/handlers.go): Multiple handlers updated to use formatPynamoDateTimeUTC for template/document creation and signature date_created/date_modified fields.

GitHub Validation, Parity Flag, and API Handler Behavior Changes

Layer / File(s) / Summary:
  • Parity Flag (cla-backend-legacy/internal/parity/flags.go): Added exported flag EnableGithubValidateSSRFGuard (EASYCLA_ENABLE_GITHUB_VALIDATE_SSRF_GUARD) to toggle SSRF guard for GitHub validation.
  • Validation Logic Refactor (cla-backend-legacy/internal/legacy/github/service.go): ValidateOrganization returns (nil, 200, nil) for empty endpoints, conditionally performs scheme/IP/host SSRF checks only when the new flag is enabled, always issues a GET with a 10s context timeout, preserves existing 1MB body cap and response→status mapping, and introduces unexported validateOrganizationEndpointSafe(endpoint) for safety checks.
  • API Handler Behavior Changes (cla-backend-legacy/internal/api/handlers.go): PostSignatureV1 now emits CreateSignature audit event with EventSummary == EventData and returns the full persisted signature object (all stored fields) instead of only signature_id. AddClaManagerV1 removed an early short-circuit when lfid existed and proceeds to update/deduplicate ACL, audit, and notifications. Several GitHub-org endpoints (GetGithubOrganizationV1, GetGithubOrganizationReposV1, GetGithubOrganizationBySfidV1, ... ) now return HTTP 200 with an errors payload when orgs are not found instead of HTTP 404.
  • Misc Wiring (.gitignore): Appended CLAUDE.md to .gitignore.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (1 warning, 2 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 37.50% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title 'Address porting feedback from claude' is vague and does not clearly convey what the actual changes are; it refers to feedback source rather than describing the substantive modifications made. Use a more descriptive title that summarizes the primary changes, such as 'Fix datetime formatting and GitHub validation for PynamoDB parity' or 'Align timestamp serialization and normalize GitHub organization validation'.
Description check ❓ Inconclusive No pull request description was provided by the author, making it impossible to assess whether a description exists that relates to the changeset. Add a pull request description that explains the motivation for changes, particularly the datetime formatting updates and GitHub validation logic modifications.
✅ Passed checks (2 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.1)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"


Comment @coderabbitai help to get the list of available commands and usage tips.
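The walkthrough above describes the canonical pynamodb layout and the reordered parse layouts. The Go below is an added illustration written for this page, not code from the EasyCLA repository: it reuses the PR's function names (exported here so they can be tested), assumes the four layouts shown, and uses a constructed CEST timestamp as input.

```go
package main

import (
	"fmt"
	"time"
)

// pynamoLayout is the canonical pynamodb UTCDateTimeAttribute shape: six fixed
// microsecond digits and a numeric no-colon zone, which is "+0000" once in UTC.
const pynamoLayout = "2006-01-02T15:04:05.000000-0700"

// pynamoParseLayouts lists the accepted legacy shapes. As in the PR, the no-colon
// layouts come first so "+0000" input matches before the RFC3339 (colon) variants.
var pynamoParseLayouts = []string{
	pynamoLayout,
	"2006-01-02T15:04:05-0700",
	time.RFC3339Nano, // 2006-01-02T15:04:05.999999999Z07:00
	time.RFC3339,     // 2006-01-02T15:04:05Z07:00
}

// FormatPynamoDateTimeUTC renders t in UTC with the pynamodb layout. Go's ".000000"
// truncates rather than rounds, matching Python's microsecond datetime resolution.
func FormatPynamoDateTimeUTC(t time.Time) string {
	return t.UTC().Format(pynamoLayout)
}

// ParsePynamoDateTimeString returns the first layout that parses s. Compare the
// result with Equal or normalise with UTC(): a "+0000" offset may come back in a
// fixed-offset location rather than time.UTC.
func ParsePynamoDateTimeString(s string) (time.Time, error) {
	var lastErr error
	for _, layout := range pynamoParseLayouts {
		t, err := time.Parse(layout, s)
		if err == nil {
			return t, nil
		}
		lastErr = err
	}
	return time.Time{}, fmt.Errorf("unrecognised pynamodb datetime %q: %w", s, lastErr)
}

func main() {
	// Constructed sample: a CEST wall-clock time that must be stored as +0000.
	local := time.Date(2026, 5, 5, 10, 57, 0, 123456789, time.FixedZone("CEST", 2*3600))
	s := FormatPynamoDateTimeUTC(local)
	fmt.Println(s) // 2026-05-05T08:57:00.123456+0000
	for _, in := range []string{s, "2026-05-05T08:57:00.123456+00:00", "2026-05-05T08:57:00Z"} {
		t, err := ParsePynamoDateTimeString(in)
		fmt.Println(in, "->", t.UTC(), err)
	}
}
```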

Signed-off-by: Łukasz Gryglicki <lgryglicki@cncf.io>
Contributor

Copilot AI left a comment

Pull request overview

This PR captures and applies porting/parity fixes identified during an EasyCLA Python→Go audit, focusing on aligning legacy Go (cla-backend-legacy) behavior and DynamoDB serialization with the legacy Python backend, and documenting the audit results.

Changes:

  • Updated legacy Go datetime formatting/parsing to match pynamodb’s canonical ...%f%z shape (.ffffff+0000) across writers and parsers.
  • Adjusted several legacy v1 endpoints for closer Python parity (e.g., POST /v1/signature response shape, GitHub org “not found” status handling, CLA manager add side effects).
  • Relaxed /v1/github/validate URL validation to mirror Python behavior and added an audit/report markdown documenting findings and fixes.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.

Summary per file:
  • unicron-fix-porting-report.md: Adds a detailed audit report documenting parity findings, fixes applied, and open questions.
  • cla-backend-legacy/internal/store/user_permissions.go: Updates pynamodb-style datetime formatter used for user-permissions records.
  • cla-backend-legacy/internal/store/projects.go: Extends pynamodb datetime parsing layouts to accept +0000 (no-colon) offsets.
  • cla-backend-legacy/internal/store/dynamo_conv_reverse.go: Aligns time.Time → DynamoDB string fallback formatting with pynamodb canonical format.
  • cla-backend-legacy/internal/legacy/github/service.go: Changes ValidateOrganization to be permissive like Python and keeps response-size limiting.
  • cla-backend-legacy/internal/api/handlers.go: Applies multiple parity fixes: datetime formatting usage, POST /v1/signature response/event_summary, CLA manager add behavior, GitHub org not-found status behavior.
  • .gitignore: Ignores CLAUDE.md.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
cla-backend-legacy/internal/api/handlers.go (1)

4306-4359: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Deduplicate the ACL before reusing it downstream.

Now that duplicate adds intentionally continue, sigACL can contain the same lfid twice. The stored item is deduped, but the email payload and response are still built from the duplicated slice, so repeated adds can return duplicate managers and duplicate entries in the “existing managers” email list.

Suggested fix
-	sigACL = append(sigACL, lfid)
-	sig["signature_acl"] = &types.AttributeValueMemberSS{Value: uniqueStringsPreserveOrder(sigACL)}
+	sigACL = uniqueStringsPreserveOrder(append(sigACL, lfid))
+	sig["signature_acl"] = &types.AttributeValueMemberSS{Value: sigACL}
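Review bot: the reassignment in the second `+` line makes the deduplicated slice the one that flows on, which is the whole point, but it only helps if it runs before the two downstream calls the prompt below names, sendCLAManagerEmailBestEffort(...) and buildClaManagersResponse(ctx, sigACL); otherwise the stored set is clean while the email list and the response still carry the duplicate. With the early short-circuit removed, a regression test that adds the same lfid twice and asserts it appears once in the response would pin this down.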
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cla-backend-legacy/internal/api/handlers.go` around lines 4306 - 4359, The
sigACL slice can contain duplicates because we allow repeated adds; before using
sigACL to send emails or build the response, dedupe it (e.g., call the existing
uniqueStringsPreserveOrder helper on sigACL) and assign the result back to
sigACL so the values passed to sendCLAManagerEmailBestEffort(ctx, "added", lfid,
companyID, claGroupID, sigACL) and buildClaManagersResponse(ctx, sigACL) are
de-duplicated; ensure this happens after appending lfid and before those two
calls so stored signature_acl remains correct and downstream consumers receive a
unique list.
🧹 Nitpick comments (1)
unicron-fix-porting-report.md (1)

10-10: ⚡ Quick win

Remove machine-specific absolute path from the report.

Line 10 hardcodes a local path that won’t resolve for other contributors and unnecessarily exposes local environment details. Prefer a repo-relative reference or plain filename.

✏️ Suggested doc tweak
-- Plan: `/home/morgi/.claude/plans/use-the-most-advanced-nifty-jellyfish.md`
+- Plan: `use-the-most-advanced-nifty-jellyfish.md` (local absolute path removed)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@unicron-fix-porting-report.md` at line 10, Replace the machine-specific
absolute path
`/home/morgi/.claude/plans/use-the-most-advanced-nifty-jellyfish.md` in
unicron-fix-porting-report.md (line with "Plan: ...") with a repo-relative path
or just the filename `use-the-most-advanced-nifty-jellyfish.md` (or a relative
path like `docs/plans/use-the-most-advanced-nifty-jellyfish.md`) so the
reference is portable and does not expose local environment details.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cla-backend-legacy/internal/api/handlers.go`:
- Around line 3402-3425: The create handler is building a manual resp map that
diverges from the canonical serializer (causing type mismatches like ints vs
serialized items); replace the manual resp construction in handlers.go with the
same serializer used elsewhere (call store.ItemToInterfaceMap or the existing
canonical signature serialization helper on the created signature item) and then
add/override the fields that must be set (signature_id, signature_project_id,
signature_reference_id/type, signature_type,
signature_signed/approved/embargo_acked, signature_return_url/sign_url,
date_created/date_modified using formatPynamoDateTimeUTC(now), version="v1"),
and include signature_user_ccla_company_id only when userCclaCompanyID != "" so
the create response matches the read/persisted shape.

In `@cla-backend-legacy/internal/legacy/github/service.go`:
- Around line 36-48: Restore SSRF protections for the endpoint before calling
http.NewRequestWithContext: validate and parse the URL string (endpoint) to
require the https scheme, reject localhost and private/reserved IP ranges (IPv4
and IPv6), and only allow either a defined allowlist (github.com,
api.github.com, raw.githubusercontent.com) or explicitly reject non-allowed
hosts; perform this check in the same function where http.NewRequestWithContext
is called (referencing endpoint and http.NewRequestWithContext) and return a
400/403 on invalid URLs. Also stop creating a new local http.Client (client :=
&http.Client{...}) and use the existing s.httpClient (as used by CheckNamespace
and GetNamespace), ensuring the shared client has an appropriate timeout set.

📥 Commits

Reviewing files that changed from the base of the PR and between 0e4d988 and 4b09eba.

📒 Files selected for processing (7)
  • .gitignore
  • cla-backend-legacy/internal/api/handlers.go
  • cla-backend-legacy/internal/legacy/github/service.go
  • cla-backend-legacy/internal/store/dynamo_conv_reverse.go
  • cla-backend-legacy/internal/store/projects.go
  • cla-backend-legacy/internal/store/user_permissions.go
  • unicron-fix-porting-report.md
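The review prompt above asks for an SSRF guard on the validate endpoint (https-only scheme, rejection of loopback and private IP literals, a GitHub host allowlist) and for a shared client with a timeout. The Go below is an added example written for this page, not the project's validateOrganizationEndpointSafe: the allowlist, the guardEnabled parameter (standing in for EASYCLA_ENABLE_GITHUB_VALIDATE_SSRF_GUARD) and the function names are assumptions, and it goes one step further than the review by re-running the guard on every redirect hop.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"net/url"
	"strings"
	"time"
)

// Assumed allowlist, taken from the review comment rather than a project setting.
var githubHostAllowlist = map[string]bool{"github.com": true, "api.github.com": true, "raw.githubusercontent.com": true}

// blockedAddr reports whether a literal IP is one a server-side fetch must never reach.
func blockedAddr(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:127.0.0.1 like 127.0.0.1
	return a.IsLoopback() || a.IsPrivate() || a.IsUnspecified() || a.IsLinkLocalUnicast() || a.IsMulticast()
}

// ValidateOrganizationEndpointSafe mirrors the PR's opt-in guard: flag off passes every
// endpoint (the permissive Python behaviour); flag on checks scheme, literal IP and host.
func ValidateOrganizationEndpointSafe(endpoint string, guardEnabled bool) error {
	if endpoint == "" || !guardEnabled {
		return nil
	}
	u, err := url.Parse(endpoint)
	if err != nil {
		return fmt.Errorf("invalid url: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q rejected, https required", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // IPv6 brackets are already stripped
	if addr, err := netip.ParseAddr(host); err == nil {
		if blockedAddr(addr) {
			return fmt.Errorf("address %s is loopback, private or link-local", addr)
		}
		return fmt.Errorf("literal IP host %s is not allowed", addr)
	}
	if !githubHostAllowlist[host] {
		return fmt.Errorf("host %q is not an allowlisted GitHub host", host)
	}
	return nil
}

// NewValidateClient is the shared client the review asks for: a 10s timeout plus a redirect
// hook that re-runs the guard on every hop (hostname allowlisting alone does not stop DNS rebinding).
func NewValidateClient(guardEnabled bool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(req *http.Request, _ []*http.Request) error {
			return ValidateOrganizationEndpointSafe(req.URL.String(), guardEnabled)
		},
	}
}

func main() {
	fmt.Println(ValidateOrganizationEndpointSafe("https://[::1]/orgs/cncf", true))
}
```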

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cla-backend-legacy/internal/api/handlers.go`:
- Around line 4310-4313: The in-memory sigACL can contain duplicates after you
removed the early return (because you append(lfid) even when already present),
so deduplicate sigACL before it is reused: after you perform append(sigACL,
lfid) update sigACL to a unique list (e.g., with a temporary map/set) and then
pass that deduped slice into sendCLAManagerEmailBestEffort(...) and
buildClaManagersResponse(ctx, sigACL); ensure the same deduped variable is used
for any subsequent storage or response logic to avoid returning the same manager
twice.
- Around line 191-200: RequestEmployeeSignatureV2 is still serializing
date_created/date_modified (and any other signature timestamps written in that
handler) using time.RFC3339Nano, causing mixed timestamp formats; update
RequestEmployeeSignatureV2 to use the existing formatPynamoDateTimeUTC(t
time.Time) helper for all timestamp fields it writes (replace calls that use
t.Format(time.RFC3339Nano) with formatPynamoDateTimeUTC(t) for date_created,
date_modified, event_time/document_creation_date equivalents) so signatures use
the same six-microsecond +0000 format as pynamodb.
📥 Commits

Reviewing files that changed from the base of the PR and between 4b09eba and f7756b4.

📒 Files selected for processing (3)
  • cla-backend-legacy/internal/api/handlers.go
  • cla-backend-legacy/internal/legacy/github/service.go
  • cla-backend-legacy/internal/parity/flags.go

Copilot AI review requested due to automatic review settings May 5, 2026 09:27
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
cla-backend-legacy/internal/api/handlers.go (1)

295-300: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Lowercase the validation error string to unblock staticcheck.

Line 299 still uses a capitalized error message, and staticcheck is already failing with ST1005.

Suggested fix
-		return "", fmt.Errorf("Invalid URL specified")
+		return "", fmt.Errorf("invalid URL specified")
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cla-backend-legacy/internal/api/handlers.go` around lines 295 - 300, In
validateURL change the returned error message to be lowercase to satisfy
staticcheck ST1005: update the fmt.Errorf call in function validateURL so the
error string starts with a lowercase letter (e.g., "invalid URL specified")
while keeping the same semantics and function signature.
📥 Commits

Reviewing files that changed from the base of the PR and between c34f2b3 and e0da34c.

📒 Files selected for processing (1)
  • cla-backend-legacy/internal/api/handlers.go

@lukaszgryglicki lukaszgryglicki merged commit 0fb448a into dev May 6, 2026
14 checks passed
@lukaszgryglicki lukaszgryglicki deleted the unicron-fix-porting branch May 6, 2026 03:37
lukaszgryglicki added a commit that referenced this pull request May 7, 2026