fix(cli): make verdict policy rules fire (license + changed-paths wiring) #195
Merged
…policy context `buildPolicyContext` previously hardcoded `licenseViolations: []`, `touchedPaths: []`, and `ownersByPath: new Map()`, so an authored `opencodehub.policy.yaml` with `license_allowlist` or `ownership_required` rules schema-validated but never blocked a PR (false green on exit codes).

- touchedPaths: surface the changed-file list `computeVerdict` already derives from `detect_changes` as `VerdictResponse.changedFiles`, and thread it into `touchedPaths` so path-scoped rules (`ownership_required`) evaluate against the real diff.
- licenseViolations: classify the indexed Dependency nodes via `classifyDependencies` and project flagged deps (copyleft/proprietary/unknown) into `LicenseViolationInput` so `license_allowlist` fires. Declared license surfaced verbatim; missing/UNKNOWN normalised to `"UNKNOWN"` so a strict policy can deny those too. Scan only runs when a policy file is actually loaded.
- ownership: `require_approval_from` now works against real touched paths. Per-path graph-owner mapping (`ownersByPath`) stays empty pending a contributor-email->team reconciliation source (separate design item).

Tests prove a `license_allowlist` rule flips the verdict to block (exit 3) when a violating dep is present, `license_allowlist` passes for permissive deps, UNKNOWN-deny works, `ownership_required` blocks on an unapproved changed path and passes when no path matches. Existing exit-code ladder tests stay green.
### What

Make the `codehub verdict` policy engine actually enforce `license_allowlist` and `ownership_required` rules. Previously `buildPolicyContext` hardcoded `licenseViolations: []`, `touchedPaths: []`, and `ownersByPath: new Map()`, so an authored `opencodehub.policy.yaml` with those rules schema-validated but never blocked a PR — a false green on the exit-code ladder, worse than no feature.

### Changes

- `VerdictResponse.changedFiles`, populated from the `detect_changes` file list that `computeVerdict` already derives (main path + `finaliseEmpty`). The CLI threads `verdict.changedFiles` into `PolicyContext.touchedPaths`, so `ownership_required` / path-scoped rules evaluate against the real diff. No extra git call.
- `collectLicenseViolations` runs the existing `classifyDependencies` over `store.graph.listDependencies()` and projects flagged deps (copyleft / proprietary / unknown) into `LicenseViolationInput[]`. Declared license surfaced verbatim; missing/empty normalised to `"UNKNOWN"` so a strict policy can deny those. Scan only runs when a policy file is loaded; defensive when `listDependencies` is absent.
- `require_approval_from` now works because touched paths are real; per-path graph-owner mapping (`ownersByPath`) is left empty pending an email→team reconciliation source (see Follow-up).
- `LicenseViolationInput` from `@opencodehub/policy`.

### How verified

`license_allowlist` blocks (exit 3) on a denied GPL-3.0 dep; passes for permissive MIT; can deny `UNKNOWN`; `ownership_required` blocks (exit 3) on an unapproved changed path and passes when no path matches.

### Follow-up

- Per-path owner→approval mapping (`ownersByPath`) needs a contributor-email→team source: OWNED_BY edges resolve to email-hash Contributor nodes, not the team/user handles `approvals` use.
- `verdict` can now return exit 3 where it previously passed. Confirm no existing CI running `codehub verdict` starts failing on a now-enforced rule.

🤖 Surfaced by an automated roadmap-survey workflow; implemented + verified in an isolated worktree.
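The wiring the description walks through, as an added example that is not the project's code: the `Dependency`, `LicenseViolationInput`, `PolicyContext` and rule shapes, the stand-in classifier and its license tables, and the `evaluate` function are all assumptions chosen to show why the hardcoded empty context was a false green and how the populated one makes both rules fire.

```typescript
// Added example, not the project's code: a simplified model of the policy context
// wiring the PR describes. Types, rule shapes and license tables are assumptions.
type Dependency = { name: string; license?: string };
type Category = "copyleft" | "proprietary" | "unknown";
type LicenseViolationInput = { dependency: string; license: string; category: Category };
type OwnershipRule = { path_prefix: string; require_approval_from: string };
type Policy = { license_allowlist?: string[]; ownership_required?: OwnershipRule[] };
type PolicyContext = { licenseViolations: LicenseViolationInput[]; touchedPaths: string[]; ownersByPath: Map<string, string[]> };
const PERMISSIVE = new Set(["MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"]);
const COPYLEFT = new Set(["GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-3.0"]);

// Stand-in for classifyDependencies: a missing/empty declared license becomes
// "UNKNOWN", permissive deps are dropped, everything else is a flagged input.
function collectLicenseViolations(deps: Dependency[]): LicenseViolationInput[] {
  const out: LicenseViolationInput[] = [];
  for (const d of deps) {
    const license = d.license?.trim() || "UNKNOWN";
    if (PERMISSIVE.has(license)) continue;
    const category: Category =
      license === "UNKNOWN" ? "unknown" : COPYLEFT.has(license) ? "copyleft" : "proprietary";
    out.push({ dependency: d.name, license, category });
  }
  return out;
}

// The fix: real changed files and the license scan go into the context instead
// of hardcoded [] / new Map(). ownersByPath stays empty (see Follow-up).
function buildPolicyContext(deps: Dependency[], changedFiles: string[]): PolicyContext {
  return { licenseViolations: collectLicenseViolations(deps), touchedPaths: changedFiles, ownersByPath: new Map() };
}

// Evaluate both rules; any firing rule maps to the verdict exit code 3 (block).
function evaluate(policy: Policy, ctx: PolicyContext, approvals: string[]): { exitCode: number; reasons: string[] } {
  const reasons: string[] = [];
  for (const v of ctx.licenseViolations) {
    if (policy.license_allowlist && !policy.license_allowlist.includes(v.license)) {
      reasons.push(`license_allowlist: ${v.dependency} is ${v.license} (${v.category})`);
    }
  }
  for (const rule of policy.ownership_required ?? []) {
    const touched = ctx.touchedPaths.some((p) => p.startsWith(rule.path_prefix));
    if (touched && !approvals.includes(rule.require_approval_from)) {
      reasons.push(`ownership_required: ${rule.path_prefix} changed without ${rule.require_approval_from}`);
    }
  }
  return { exitCode: reasons.length > 0 ? 3 : 0, reasons };
}
```

Feeding the same policy an empty context (the pre-fix behaviour) returns exit 0 regardless of the diff or the dependency graph, which is the false green the PR closes.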