|
| 1 | +# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json |
| 2 | +language: "en-US" |
| 3 | +tone_instructions: "Be concise and direct. Focus on correctness, security, and API contract adherence. This is an Auth0 SDK — any deviation from expected authentication/token behaviors is high severity." |
| 4 | +early_access: false |
| 5 | + |
| 6 | +reviews: |
| 7 | + profile: "assertive" |
| 8 | + request_changes_workflow: false |
| 9 | + high_level_summary: true |
| 10 | + high_level_summary_placeholder: "@coderabbitai summary" |
| 11 | + auto_title_placeholder: "@coderabbitai" |
| 12 | + review_status: true |
| 13 | + commit_status: true |
| 14 | + collapse_walkthrough: false |
| 15 | + sequence_diagrams: true |
| 16 | + |
| 17 | + auto_review: |
| 18 | + enabled: true |
| 19 | + drafts: false |
| 20 | + base_branches: |
| 21 | + - main |
| 22 | + - "beta-release/**" |
| 23 | + - "release/**" |
| 24 | + |
| 25 | + # Ignore generated, example, and lock files |
| 26 | + path_filters: |
| 27 | + # Example app — not part of the published SDK |
| 28 | + - "!**/example/**" |
| 29 | + # Appium/E2E test infra |
| 30 | + - "!appium-test/**" |
| 31 | + # Dart generated files |
| 32 | + - "!**/*.g.dart" |
| 33 | + - "!**/*.mocks.dart" |
| 34 | + - "!**/doc/api/**" |
| 35 | + - "!**/.dart_tool/**" |
| 36 | + - "!**/.flutter-plugins" |
| 37 | + - "!**/.flutter-plugins-dependencies" |
| 38 | + # Build outputs |
| 39 | + - "!**/build/**" |
| 40 | + - "!**/coverage/**" |
| 41 | + - "!**/DerivedData/**" |
| 42 | + # iOS/macOS symlinks — real source is auth0_flutter/darwin/Classes/ |
| 43 | + # Reviewing these would duplicate every darwin/ review 2x |
| 44 | + - "!auth0_flutter/ios/Classes/**" |
| 45 | + - "!auth0_flutter/macos/Classes/**" |
| 46 | + # iOS/macOS generated |
| 47 | + - "!**/Pods/**" |
| 48 | + - "!**/Flutter/ephemeral/**" |
| 49 | + - "!**/Flutter/Generated.xcconfig" |
| 50 | + - "!**/Flutter/flutter_export_environment.sh" |
| 51 | + - "!**/GeneratedPluginRegistrant.*" |
| 52 | + # Android generated |
| 53 | + - "!**/.gradle/**" |
| 54 | + - "!**/local.properties" |
| 55 | + - "!**/GeneratedPluginRegistrant.java" |
| 56 | + - "!**/*.class" |
| 57 | + # Windows generated |
| 58 | + - "!**/flutter/ephemeral/**" |
| 59 | + # Lock files and package caches |
| 60 | + - "!**/*.lock" |
| 61 | + - "!**/node_modules/**" |
| 62 | + # Windows native deps |
| 63 | + - "!**/vcpkg/**" |
| 64 | + - "!**/vcpkg-binary-cache/**" |
| 65 | + |
| 66 | + path_instructions: |
| 67 | + # Dart/Flutter — both packages |
| 68 | + - path: "**/*.dart" |
| 69 | + instructions: | |
| 70 | + - Enforce strict Dart analysis: strict-casts, strict-inference, strict-raw-types are all enabled. |
| 71 | + - Flag any missing null checks and unsafe casts (use `is` checks/pattern matching before casting; use `as` only after guards). |
| 72 | + - Prefer `final` for local variables and parameters. |
| 73 | + - Public APIs must have type annotations. |
| 74 | + - `unawaited_futures` is an error — every async call must be awaited or explicitly `unawaited(...)`. |
| 75 | + - Lines must not exceed 80 characters. |
| 76 | + - Check that new public symbols are covered by tests. |
| 77 | +
|
| 78 | + # Platform interface — contract stability is critical |
| 79 | + - path: "auth0_flutter_platform_interface/**/*.dart" |
| 80 | + instructions: | |
| 81 | + - Platform interface changes are breaking API changes. Flag any removal or signature change of public methods. |
| 82 | + - New methods added to the platform interface must have a default implementation or be abstract with a clear migration path. |
| 83 | + - Ensure method channel argument names and types stay consistent with native implementations. |
| 84 | +
|
| 85 | + # Android/Kotlin |
| 86 | + - path: "auth0_flutter/android/**/*.kt" |
| 87 | + instructions: | |
| 88 | + - Avoid force-casts (`as Type`) — use safe casts (`as? Type`) and handle null/failure cases explicitly. |
| 89 | + - ClassCastException from unsafe casts in MethodChannel handlers has caused crashes in the past — treat any unchecked cast as a bug. |
| 90 | + - Ensure all MethodChannel result callbacks (`result.success`, `result.error`, `result.notImplemented`) are called exactly once per invocation. |
| 91 | + - Auth errors must be surfaced through `result.error`, never swallowed silently. |
| 92 | + - minSdk is 21; avoid APIs above that level without version guards. |
| 93 | +
|
| 94 | + # iOS/macOS Swift — real source is darwin/; ios/ and macos/ are symlinks excluded above |
| 95 | + - path: "auth0_flutter/darwin/**/*.swift" |
| 96 | + instructions: | |
| 97 | + - This is shared iOS/macOS code — changes apply to both platforms (iOS 14.0+, macOS 11.0+). |
| 98 | + - Force-unwraps (`!`) are not acceptable in MethodChannel handlers — use guard/if-let. |
| 99 | + - All FlutterResult callbacks must be invoked exactly once. |
| 100 | + - Auth errors must propagate to Flutter as `FlutterError`, never silently dropped. |
| 101 | + - Flag any API usage above iOS 14.0 or macOS 11.0 without availability guards. |
| 102 | +
|
| 103 | + # Windows C++ |
| 104 | + - path: "auth0_flutter/windows/**/*.cpp" |
| 105 | + instructions: | |
| 106 | + - All MethodChannel result callbacks must be called exactly once. |
| 107 | + - Auth errors must surface to Flutter, not be silently ignored. |
| 108 | + - Flag any raw pointer usage that could leak or dangle — prefer smart pointers. |
| 109 | +
|
| 110 | + # Web Dart |
| 111 | + - path: "auth0_flutter/lib/src/web/**" |
| 112 | + instructions: | |
| 113 | + - Web implementation wraps auth0-spa-js — verify any token/session behavior matches the JS SDK contract. |
| 114 | + - Browser security: check for XSS risks in any HTML/JS interop. |
| 115 | +
|
| 116 | + # CI/CD |
| 117 | + - path: ".github/workflows/**" |
| 118 | + instructions: | |
| 119 | + - All actions must be pinned to a full commit SHA, not a mutable tag. |
| 120 | + - Secrets must use `${{ secrets.NAME }}` syntax, never hardcoded. |
| 121 | + - Permissions block should follow least-privilege — flag any `write-all` or unnecessary write permissions. |
| 122 | + - Check that new jobs are added to the `upload-coverage.needs` list if they produce coverage. |
| 123 | +
|
| 124 | + # Pubspec files |
| 125 | + - path: "**/pubspec.yaml" |
| 126 | + instructions: | |
| 127 | + - Dependency version bumps that cross a major version are breaking changes — flag them prominently. |
| 128 | + - `secure_pubspec_urls` lint is enabled — all URLs must use HTTPS. |
| 129 | + - Check that `version` fields in auth0_flutter and auth0_flutter_platform_interface are bumped consistently when the interface changes. |
| 130 | +
|
| 131 | + # Changelogs |
| 132 | + - path: "**/CHANGELOG.md" |
| 133 | + instructions: | |
| 134 | + - Entries must follow Keep a Changelog format. |
| 135 | + - PR title prefixes are `af:` (auth0_flutter) and `afpi:` (auth0_flutter_platform_interface) — verify the correct changelog is updated. |
| 136 | +
|
| 137 | +chat: |
| 138 | + auto_reply: true |
| 139 | + |
| 140 | +knowledge_base: |
| 141 | + opt_out: false |
| 142 | + web_search: true |
| 143 | + learnings: |
| 144 | + scope: auto |
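Review bot: The two release entries under `auto_review.base_branches` are written as globs (`"beta-release/**"`, `"release/**"`), but as far as I know CodeRabbit reads this list as regular expressions, where `**` is not a valid wildcard. If so, pull requests targeting release branches would not be auto-reviewed. Suggest `- "beta-release/.*"` and `- "release/.*"`, confirmed against the schema referenced on line 1. Separately, the Dart, Kotlin, Swift and C++ `path_instructions` require auth errors to be surfaced but never ask the reviewer to check what those errors and logs contain. Each block could gain a line such as `- Flag any log statement or error message/details that includes access, refresh or ID tokens or other credentials.`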