From ef171aad77a7ac95397747b8639ff981dfe2e335 Mon Sep 17 00:00:00 2001
From: Ray Walker
Date: Sat, 30 May 2026 10:49:32 +1000
Subject: [PATCH 1/2] chore: add org-canonical .coderabbit.yaml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CodeRabbit reads .coderabbit.yaml only from a repo's own root — the file at cachekit-io/.github/.coderabbit.yaml is not honored. Adding this file makes the org-canonical review configuration take effect for this repo (assertive profile, path-specific instructions, tools enabled, request_changes_workflow enabled). Source of truth: cachekit-io/.github/.coderabbit.yaml. Keep this file in sync via the workspace tooling when the canonical version is updated.
---
 .coderabbit.yaml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 .coderabbit.yaml
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
new file mode 100644
index 0000000..58d5e3f
--- /dev/null
+++ b/.coderabbit.yaml
@@ -0,0 +1,68 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+language: "en-AU"
+early_access: false
+
+reviews:
+ profile: "assertive"
+ request_changes_workflow: true
+ high_level_summary: true
+ poem: false
+ review_status: true
+ collapse_walkthrough: false
+
+ auto_review:
+ enabled: true
+ drafts: false
+
+ path_instructions:
+ - path: "**/*.rs"
+ instructions: |
+ Rust code. Check for unsafe blocks, unwrap abuse, missing error propagation,
+ and clippy-level issues. Prefer Result over panic. Pay special attention to
+ FFI boundaries (NAPI, PyO3) — verify buffer lengths, null checks, and that
+ keys/secrets are zeroized on drop.
+ - path: "**/*.py"
+ instructions: |
+ Python code. Enforce ruff compatibility, type hints on public APIs,
+ guard clauses over nesting. No bare except clauses. Secrets must use
+ pydantic SecretStr. Config via pydantic-settings only.
+ - path: "**/*.ts"
+ instructions: |
+ TypeScript code. Strict mode, no `any` types on public APIs.
+ Verify async error handling — no unhandled promise rejections.
+ Check that NAPI bindings match Rust function signatures exactly.
+ - path: "**/encryption/**"
+ instructions: |
+ Security-critical encryption code. Verify AAD v0x03 format compliance,
+ key length validation (exactly 32 bytes), nonce uniqueness, and that
+ keys never leak into error messages or logs. Cross-reference with
+ protocol spec at https://github.com/cachekit-io/protocol.
+ - path: ".github/workflows/**"
+ instructions: |
+ GitHub Actions workflows. All actions MUST be pinned to full 40-char SHA
+ with a version comment (e.g., @abc123 # v6). Never use tag refs.
+ - path: "**/Dockerfile*"
+ instructions: |
+ Dockerfiles. Check for missing cleanup (rm -rf /var/lib/apt/lists/*),
+ unnecessary layers, running as root, and unpinned base images.
+
+ tools:
+ shellcheck:
+ enabled: true
+ actionlint:
+ enabled: true
+ gitleaks:
+ enabled: true
+ ruff:
+ enabled: true
+ yamllint:
+ enabled: true
+ hadolint:
+ enabled: true
+ biome:
+ enabled: true
+ eslint:
+ enabled: true
+
+chat:
+ auto_reply: true
From c5ccfa72b52131c65e5d42aefb29a89f3e1d844d Mon Sep 17 00:00:00 2001
From: Ray Walker
Date: Sat, 30 May 2026 19:23:20 +1000
Subject: [PATCH 2/2] =?UTF-8?q?chore:=20address=20coderabbit=20review=20?= =?UTF-8?q?=E2=80=94=20full=2040-char=20SHA=20example=20+=20canonical-sour?= =?UTF-8?q?ce=20header?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The .github/workflows/** instruction example used a 6-char placeholder (@abc123) contradicting its own 'full 40-char SHA' rule. Added a header documenting the org-canonical source and sync requirement.
CodeRabbit-Resolved: .coderabbit.yaml:44:SHA pinning example
---
 .coderabbit.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
index 58d5e3f..58805cb 100644
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -1,3 +1,7 @@
+# This configuration is a copy of the organization-canonical CodeRabbit config.
+# Source of truth: cachekit-io/.github/.coderabbit.yaml
+# Keep this file in sync when the canonical version updates.
+#
 # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
 language: "en-AU"
 early_access: false
@@ -40,7 +44,7 @@ reviews:
 - path: ".github/workflows/**"
 instructions: |
 GitHub Actions workflows. All actions MUST be pinned to full 40-char SHA
- with a version comment (e.g., @abc123 # v6). Never use tag refs.
+ with a version comment (e.g., `@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0` # v6). Never use tag refs.
 - path: "**/Dockerfile*"
 instructions: |
 Dockerfiles. Check for missing cleanup (rm -rf /var/lib/apt/lists/*),
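Review bot: The `.github/workflows/**` instruction only asks the reviewer to check action pinning, so the two other things that decide a workflow's blast radius — the job `permissions:` block and untrusted event data interpolated into `run:` scripts — go unreviewed under this config. I would extend the block scalar with `Require an explicit least-privilege permissions block (contents: read unless a job needs more) and flag ${{ github.event.* }} values used inline in run: steps; pass them via env instead.` Separately, the `**/*.ts` glob does not match `.tsx`, `.mts` or `.cts` files; if the repo has any, widen the pattern or add a sibling entry, otherwise this is fine as written.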
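Review bot: The corrected SHA example is still scoped by the context line `path: ".github/workflows/**"`, so composite actions under `.github/actions/**` — whose `action.yml` also carries `uses:` references — are reviewed without the pinning rule. Either add a second entry with the same instructions, `- path: ".github/actions/**"`, or confirm the repo has no composite actions. The `# v6` comment in the example is also worth a sentence: as I understand it, Dependabot and Renovate read that comment to know which tag the pinned SHA corresponds to, so the instruction could state that the comment must name the tag the SHA actually resolves to.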