
fix(cloud-tests): only fire GCP broad fallback when folder list was forbidden #2918

Merged: tofikwest merged 1 commit into main from tofik/gcp-fallback-only-on-forbidden on May 22, 2026

Conversation

@tofikwest (Contributor) commented May 22, 2026

Summary

Addresses cubic's P2 on the already-merged PR #2916: the broad-query fallback I added was firing any time folder enumeration returned an empty list, including the perfectly normal case where an org legitimately has no folders. For multi-org tenants that meant the picker for an empty-folder org could surface folder-nested projects from OTHER orgs the OAuth user had IAM access to (since the broad query is not org-scoped).

What changed

Folder enumeration helpers now return { folderIds, forbidden }, where forbidden = true only when GCP responded with HTTP 403 on the v3/folders call. The caller fires the broad-query fallback only when enumeration returned zero AND forbidden is true — exactly Greg's production failure mode.

  Case                                          | Before (PR #2916) | After (this PR)
  ----------------------------------------------+-------------------+----------------
  v3/folders 200 + empty list (no folders exist)| Fallback fires (wrong) | No fallback
  v3/folders 403 PERMISSION_DENIED (Greg)       | Fallback fires    | Fallback fires ✓
  v3/folders returns folder ids                 | No fallback       | No fallback ✓

Impact on customers

  • Greg (Propper) — unaffected. His failure mode is 403 PERMISSION_DENIED so the fallback still fires and surfaces propperai-prod / propperai-demo.
  • Single-org tenants with no folders — unaffected (their picker showed all their projects from the direct arm, the folder arm correctly returns empty either way).
  • Multi-org tenants whose selected org has no folders — fixed. They no longer see folder-nested projects from other orgs they happen to have IAM access to.
  • Multi-org tenants whose selected org's v3/folders is forbidden — same tradeoff as PR #2916 (fix(cloud-tests): unblock GCP picker when folder enumeration returns 403) acknowledged: broad fallback may include cross-org folder projects. Acceptable because picker is selection-based and the alternative is an empty picker.

Tests

  • New: "does NOT fall back to the broad query when the org simply has no folders" — locks in cubic's P2 fix.
  • Updated: customer-Propper regression test now returns a real 403 response (matching production behavior) so it exercises the actual forbidden branch.
  • 16/16 GCP detection tests pass. Full cloud-security suite: 270/270 (one pre-existing TLS env failure unrelated).

Manual test plan

  • After deploy, confirm Greg's picker still shows propperai-prod / propperai-demo (his 403 case is preserved).
  • Pull /ecs/comp-production-api logs filtered for `GCP folder enumeration was forbidden` — should still appear for Greg's connection.
  • On any single-org tenant with no folders, confirm the picker only shows their direct-org projects (no fallback firing — the `GCP folder fallback for org` log should NOT appear for them).

🤖 Generated with Claude Code


Summary by cubic

Fix GCP project detection so the broad parent.type:folder query only runs when folder enumeration is actually forbidden (HTTP 403). This prevents cross-org projects from appearing when an org simply has no folders.

  • Bug Fixes
    • Trigger the broad fallback only when v3/folders returns 403; do not fall back on 200 + empty.
    • listFoldersUnderOrg and listChildFolders now return { folderIds, forbidden }; caller checks folderIds.length === 0 && forbidden.
    • Tests updated: added “no folders” case; Propper regression test now simulates a real 403.
    • Impact: fixes the P2 regression from PR #2916 (fix(cloud-tests): unblock GCP picker when folder enumeration returns 403) for multi‑org tenants; Greg (Propper) remains covered.

Written for commit 173b031. Summary will update on new commits.

…orbidden

Cubic flagged PR #2916 (merged into main) with a P2 regression: the
broad `parent.type:folder` fallback fired any time folder enumeration
returned zero folders, including the case where an org legitimately
has no folders at all. For multi-org tenants that meant the picker
for an empty-folder org could surface folder-nested projects from
OTHER orgs the OAuth user happened to have IAM access to (because
the broad query is not org-scoped).

Concrete cases:

  Case                                          | Before (PR #2916) | After (this PR)
  ----------------------------------------------+-------------------+----------------
  v3/folders returns 200 + empty (no folders)   | Fallback fires    | No fallback ✓
  v3/folders returns 403 PERMISSION_DENIED      | Fallback fires    | Fallback fires ✓
  v3/folders returns folder ids                 | No fallback       | No fallback ✓

To distinguish the two cases, the folder-enumeration helpers now
return `{ folderIds, forbidden }` where `forbidden` is true only when
GCP responded with HTTP 403. The caller fires the broad query only
when `folderIds.length === 0 && forbidden`.

Customer Propper (Greg's case) is unaffected — their failure mode is
"403 PERMISSION_DENIED" so the fallback still fires.

New regression test locks in cubic's concern: when an org legitimately
has no folders (200 OK + empty list), the broad fallback must NOT
fire. The customer-Propper test was updated to return a real 403
response so it exercises the fallback path the way production does.

Full cloud-security suite: 270/270 pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
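The decision logic the description and commit message above describe, as an added example that is not the project's own code (its real helpers call the GCP API): the three table rows plus a 500 are constructed responses, `fetchFolders` and `decide` are hypothetical names, and the pre-#2918 rule is kept beside the fixed rule so the case that leaked cross-org projects is visible.

```javascript
// Constructed stand-ins for Cloud Resource Manager v3/folders responses, one
// per row of the PR's table, plus a 500 to show the non-403 error path.
// These replace the real network call; nothing here is the project's own code.
const FOLDERS_RESPONSES = {
  emptyOrg:     { status: 200, body: { folders: [] } },
  forbiddenOrg: { status: 403, body: { error: { status: "PERMISSION_DENIED" } } },
  nestedOrg:    { status: 200, body: { folders: [{ name: "folders/111" }, { name: "folders/222" }] } },
  brokenOrg:    { status: 500, body: {} },
};

// Hypothetical fetch stub keyed by org id.
function fetchFolders(orgId) {
  return FOLDERS_RESPONSES[orgId];
}

// Returns { folderIds, forbidden } as the PR describes. forbidden is true ONLY
// for HTTP 403; any other non-200 status is thrown so a transient outage is
// never misread as "this org has no folders" or as "forbidden".
function listFoldersUnderOrg(orgId) {
  const res = fetchFolders(orgId);
  if (res.status === 403) return { folderIds: [], forbidden: true };
  if (res.status !== 200) throw new Error(`v3/folders returned HTTP ${res.status}`);
  const folderIds = (res.body.folders || []).map((f) => f.name.replace(/^folders\//, ""));
  return { folderIds, forbidden: false };
}

// Before PR #2918: any empty list triggered the broad, org-unscoped
// parent.type:folder query, so an org with no folders surfaced other orgs' projects.
function shouldFireBroadFallbackBefore({ folderIds }) {
  return folderIds.length === 0;
}

// After PR #2918: only an empty list that was caused by a 403 does.
function shouldFireBroadFallbackAfter({ folderIds, forbidden }) {
  return folderIds.length === 0 && forbidden;
}

// For one org, report whether the picker would run the broad query under each rule.
function decide(orgId) {
  const enumerated = listFoldersUnderOrg(orgId);
  return {
    before: shouldFireBroadFallbackBefore(enumerated),
    after: shouldFireBroadFallbackAfter(enumerated),
  };
}
```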
@vercel (Bot) commented May 22, 2026

Deployment status: comp-framework-editor Ready (Preview), May 22, 2026 6:37pm UTC; app and portal deployments skipped.

@cubic-dev-ai (Bot, Contributor) left a review comment

No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.


@tofikwest tofikwest merged commit 0f2c990 into main May 22, 2026
11 checks passed
@tofikwest tofikwest deleted the tofik/gcp-fallback-only-on-forbidden branch May 22, 2026 18:43
@claudfuen (Contributor) commented
🎉 This PR is included in version 3.63.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
