Skip to content

feat(core): add policyDir option to createServer for consumer policy overrides#899

Merged
taymoor89 merged 8 commits into
mainfrom
690-consumer-policy-dir-support
Jun 11, 2026
Merged

feat(core): add policyDir option to createServer for consumer policy overrides#899
taymoor89 merged 8 commits into
mainfrom
690-consumer-policy-dir-support

Conversation

@taymoor89

@taymoor89 taymoor89 commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Allows consumers of the @cobaltcore-dev/aurora package to supply their own OpenStack policy files via a policyDir option in createServer. The built-in policy files are removed from the aurora package — each consumer app now owns and ships its own policies.

Changes Made

packages/aurora

  • Added policyDir?: string to AuroraServerConfig
  • loadPolicyEngine now resolves: policyDirpermission_custom_policies/ (legacy) — throws a clear error if no file is found
  • buildPermissionRouter(policyDir?) factory threads the dir through to loadPolicyEngine; getPolicy and checkSinglePermission remain module-level with an explicit engines parameter
  • Removed permission_policies/ directory and from package.json files
  • Removed wasteful module-level appRouter export; AuroraRouter now uses ReturnType<typeof buildAppRouter>

apps/dashboard

  • Added src/policies/compute.yaml and src/policies/image.yaml (moved from the aurora package)
  • vite.config.mjs uses vite-plugin-static-copy to copy src/policies → dist/policies at build time

Related Issues

Testing Instructions

  1. pnpm i
  2. pnpm run test
  3. pnpm --filter @cobaltcore-dev/dashboard run build — verify dist/policies/ contains compute.yaml and image.yaml

Checklist

  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have made corresponding changes to the documentation (if applicable).
  • My changes generate no new warnings or errors.

Summary by CodeRabbit

  • Breaking Changes

    • Bundled OpenStack policy files are no longer included in the package distribution.
  • New Features

    • Server now requires a policyDir option so consumers provide their own policy files; these take precedence.
    • Dashboard build now bundles policy files into the client output.
  • Configuration

    • policyDir must be an absolute path; policy resolution prefers files in that directory.
  • Tests

    • Policy-loading and permission-checking tests reorganized and updated to cover new resolution behavior.

@taymoor89 taymoor89 requested a review from a team as a code owner June 10, 2026 14:31
@taymoor89 taymoor89 self-assigned this Jun 10, 2026
@taymoor89 taymoor89 force-pushed the 690-consumer-policy-dir-support branch from 205fb17 to b270a09 Compare June 10, 2026 14:31
@coderabbitai

coderabbitai Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a required absolute policyDir to server config, changes policy engine resolution to prefer consumer-supplied policies, converts permission/compute/app routers into factories that accept policyDir, updates server wiring to build routers at startup, and adjusts dashboard build/packaging to supply policy assets.

Changes

Consumer Policy Directory Override

Layer / File(s) Summary
Configuration & Type Contract
packages/aurora/src/types/index.ts
Adds policyDir: string to AuroraServerConfig to accept an absolute consumer policy directory.
Policy Engine Loader & Tests
packages/aurora/src/server/policyEngineLoader.ts, packages/aurora/src/server/policyEngineLoader.test.ts
loadPolicyEngine(fileName, consumerDir) requires absolute consumerDir, searches consumerDir then permission_custom_policies, throws listing candidates when none found; tests updated for existence, fallback, ordering, and error propagation.
Permission Router Factory
packages/aurora/src/server/Compute/routers/permissionRouter.ts, packages/aurora/src/server/Compute/routers/permissionRouter.test.ts
Replace module-level policy engine singletons with a PolicyEngines container; getPolicy/checkSinglePermission take engines; export buildPermissionRouter(policyDir) that loads engines and exposes canUser.
Compute Router Factory
packages/aurora/src/server/Compute/routers/index.ts
Export buildComputeRouters(policyDir) and inject buildPermissionRouter(policyDir) into auroraRouter-constructed compute router.
App Router & Server Integration
packages/aurora/src/server/routers.ts, packages/aurora/src/server/server.ts
Replace static appRouter with buildAppRouter(policyDir); update AuroraRouter type; createServer(config) now requires config and constructs appRouter via buildAppRouter(config.policyDir) for tRPC wiring.
Dashboard build & server usage
apps/dashboard/package.json, apps/dashboard/vite.config.mjs, apps/dashboard/src/server/server.ts
Add vite-plugin-static-copy devDependency and copy src/policies into build output; server resolves policyDir from NODE_ENV (prod dist/policies, dev ../policies) and passes it to createServer.
Release & Packaging
.changeset/remove-bundled-policy-files.md, packages/aurora/package.json
Remove permission_policies from published files list and add changeset documenting removal of bundled policies and consumer requirement to supply policyDir.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested labels

enhancement

Suggested reviewers

  • andypf
  • mark-karnaukh-extern-sap

Poem

A rabbit hops through policy files with cheer, 🐇
Pointing the server to policies near,
Routers now built when your server starts,
Engines load rules from your chosen parts,
Hooray — your policies, held dear. ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Linked Issues check ❓ Inconclusive This PR partially addresses #690 by enabling consumer policy directories and removing bundled policies, but the core requirements—extracting shared permission logic into a permissionHelper, refactoring routers to use it, and adding Network scope support—are not implemented in this changeset. Clarify whether this PR is intended as a prerequisite foundation for #690 or if those objectives should be included; the current changes do not fulfill the stated #690 requirements for generalized permission logic and Network scope.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: adding a policyDir option to createServer to support consumer policy overrides, which is the core objective of this PR.
Description check ✅ Passed The description comprehensively covers all template sections: summary, detailed changes, related issues, testing instructions, and a completed checklist with evidence of self-review and testing.
Out of Scope Changes check ✅ Passed All code changes directly support the stated objectives: parameterizing policy loading, moving policies to consumer apps, and removing bundled policy files. No unrelated changes detected.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch 690-consumer-policy-dir-support

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@andypf andypf left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great Job, please address my comment

Comment thread packages/aurora/src/server/policyEngineLoader.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/aurora/src/server/policyEngineLoader.ts`:
- Around line 17-22: The function loadPolicyEngine accepts consumerDir without
verifying it's absolute, which can cause inconsistent resolution; update
loadPolicyEngine to validate consumerDir using path.isAbsolute (or equivalent)
and reject/throw a clear error (or return early) if it's not absolute,
referencing the consumerDir parameter and documenting the requirement consistent
with AuroraServerConfig; ensure the validation occurs before building candidates
(i.e., before path.join) so only absolute paths are used.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 75b03ffa-a60b-4353-b63c-4f424ac5b6b5

📥 Commits

Reviewing files that changed from the base of the PR and between 296e2ff and b270a09.

📒 Files selected for processing (8)
  • .changeset/add-consumer-policy-dir.md
  • packages/aurora/src/server/Compute/routers/index.ts
  • packages/aurora/src/server/Compute/routers/permissionRouter.ts
  • packages/aurora/src/server/policyEngineLoader.test.ts
  • packages/aurora/src/server/policyEngineLoader.ts
  • packages/aurora/src/server/routers.ts
  • packages/aurora/src/server/server.ts
  • packages/aurora/src/types/index.ts

Comment thread packages/aurora/src/server/policyEngineLoader.ts Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a policyDir option to createServer so consumers of @cobaltcore-dev/aurora can provide their own OpenStack policy files that override the built-in bundled policies, threading that configuration through router construction and policy engine loading.

Changes:

  • Added policyDir?: string to AuroraServerConfig and threaded it through createServerbuildAppRouterbuildComputeRoutersbuildPermissionRouter.
  • Updated loadPolicyEngine to resolve policies in precedence order: consumer directory → permission_custom_policies/permission_policies/.
  • Extended unit tests for policyEngineLoader to cover the consumer policy directory override behavior.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
packages/aurora/src/types/index.ts Adds the policyDir configuration surface to the public server config type.
packages/aurora/src/server/server.ts Builds the tRPC router per server instance and passes policyDir through.
packages/aurora/src/server/routers.ts Switches from a module-level router export to a buildAppRouter(policyDir?) factory.
packages/aurora/src/server/policyEngineLoader.ts Adds consumer-dir-first resolution for policy file loading.
packages/aurora/src/server/policyEngineLoader.test.ts Adds tests for consumer directory precedence and fallthrough behavior.
packages/aurora/src/server/Compute/routers/permissionRouter.ts Refactors permission router into a factory that accepts policyDir.
packages/aurora/src/server/Compute/routers/index.ts Converts compute routers export into a factory to thread policyDir.
.changeset/add-consumer-policy-dir.md Publishes a minor changeset documenting the new option.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/aurora/src/server/Compute/routers/permissionRouter.ts Outdated
Comment thread packages/aurora/src/server/policyEngineLoader.ts Outdated
@taymoor89 taymoor89 closed this Jun 11, 2026
@taymoor89 taymoor89 reopened this Jun 11, 2026
@taymoor89 taymoor89 force-pushed the 690-consumer-policy-dir-support branch from 1757b50 to 093ea49 Compare June 11, 2026 09:00

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/aurora/src/server/policyEngineLoader.ts`:
- Around line 8-14: Update the JSDoc for the function in policyEngineLoader.ts
to reflect that consumerDir is optional: change the wording that currently calls
`consumerDir` "required" to state it is optional and that resolution falls back
to `permission_custom_policies/<fileName>` (legacy) when `consumerDir` is not
provided; specifically update the param description for `consumerDir` and the
resolution order comments to match the actual function signature (the
`consumerDir` parameter) and behavior used in the policy engine loading code.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 55e2e1dd-9fab-4932-a8e9-ffa685405747

📥 Commits

Reviewing files that changed from the base of the PR and between b270a09 and 093ea49.

⛔ Files ignored due to path filters (2)
  • apps/dashboard/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (15)
  • .changeset/remove-bundled-policy-files.md
  • apps/dashboard/package.json
  • apps/dashboard/src/policies/compute.yaml
  • apps/dashboard/src/policies/image.yaml
  • apps/dashboard/src/server/server.ts
  • apps/dashboard/vite.config.mjs
  • packages/aurora/package.json
  • packages/aurora/src/server/Compute/routers/index.ts
  • packages/aurora/src/server/Compute/routers/permissionRouter.test.ts
  • packages/aurora/src/server/Compute/routers/permissionRouter.ts
  • packages/aurora/src/server/policyEngineLoader.test.ts
  • packages/aurora/src/server/policyEngineLoader.ts
  • packages/aurora/src/server/routers.ts
  • packages/aurora/src/server/server.ts
  • packages/aurora/src/types/index.ts
✅ Files skipped from review due to trivial changes (3)
  • apps/dashboard/package.json
  • .changeset/remove-bundled-policy-files.md
  • packages/aurora/package.json
🚧 Files skipped from review as they are similar to previous changes (4)
  • packages/aurora/src/server/server.ts
  • packages/aurora/src/server/Compute/routers/index.ts
  • packages/aurora/src/server/routers.ts
  • packages/aurora/src/types/index.ts

Comment thread packages/aurora/src/server/policyEngineLoader.ts
@taymoor89 taymoor89 force-pushed the 690-consumer-policy-dir-support branch 2 times, most recently from d1f1340 to 7d8b213 Compare June 11, 2026 11:20
@taymoor89 taymoor89 force-pushed the 690-consumer-policy-dir-support branch from 7d8b213 to a20721a Compare June 11, 2026 11:59

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
packages/aurora/src/server/policyEngineLoader.test.ts (1)

80-88: ⚡ Quick win

Consider guarding against -1 indices before comparison.

The test assumes both consumerIdx and customIdx are found (>= 0) before comparing them. If the implementation changes and one path isn't constructed, findIndex returns -1, which could lead to confusing test results. Adding explicit assertions would make the test more robust.

🛡️ Suggested improvement
     const calls = mockPath.join.mock.calls.map((c) => c.join("/"))
     const consumerIdx = calls.findIndex((c) => c.includes("/consumer/dir"))
     const customIdx = calls.findIndex((c) => c.includes("permission_custom_policies"))
+    expect(consumerIdx).toBeGreaterThanOrEqual(0)
+    expect(customIdx).toBeGreaterThanOrEqual(0)
     expect(consumerIdx).toBeLessThan(customIdx)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/aurora/src/server/policyEngineLoader.test.ts` around lines 80 - 88,
The test "should check consumerDir before permission_custom_policies" currently
compares consumerIdx and customIdx but doesn't ensure they were found; update
the test around loadPolicyEngine(...) to assert that both consumerIdx and
customIdx are >= 0 before the toBeLessThan assertion (i.e., add explicit expects
that consumerIdx !== -1 and customIdx !== -1 or
expect(consumerIdx).toBeGreaterThanOrEqual(0) and likewise for customIdx) so the
comparison of the indices (computed from mockPath.join.mock.calls) is only
performed when both paths were actually constructed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@packages/aurora/src/server/policyEngineLoader.test.ts`:
- Around line 80-88: The test "should check consumerDir before
permission_custom_policies" currently compares consumerIdx and customIdx but
doesn't ensure they were found; update the test around loadPolicyEngine(...) to
assert that both consumerIdx and customIdx are >= 0 before the toBeLessThan
assertion (i.e., add explicit expects that consumerIdx !== -1 and customIdx !==
-1 or expect(consumerIdx).toBeGreaterThanOrEqual(0) and likewise for customIdx)
so the comparison of the indices (computed from mockPath.join.mock.calls) is
only performed when both paths were actually constructed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1501d87b-27d7-4840-aae8-d04d9ac9ab92

📥 Commits

Reviewing files that changed from the base of the PR and between 7d8b213 and c84fb0a.

⛔ Files ignored due to path filters (2)
  • apps/dashboard/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (15)
  • .changeset/remove-bundled-policy-files.md
  • apps/dashboard/package.json
  • apps/dashboard/src/policies/compute.yaml
  • apps/dashboard/src/policies/image.yaml
  • apps/dashboard/src/server/server.ts
  • apps/dashboard/vite.config.mjs
  • packages/aurora/package.json
  • packages/aurora/src/server/Compute/routers/index.ts
  • packages/aurora/src/server/Compute/routers/permissionRouter.test.ts
  • packages/aurora/src/server/Compute/routers/permissionRouter.ts
  • packages/aurora/src/server/policyEngineLoader.test.ts
  • packages/aurora/src/server/policyEngineLoader.ts
  • packages/aurora/src/server/routers.ts
  • packages/aurora/src/server/server.ts
  • packages/aurora/src/types/index.ts
✅ Files skipped from review due to trivial changes (1)
  • .changeset/remove-bundled-policy-files.md
🚧 Files skipped from review as they are similar to previous changes (11)
  • apps/dashboard/package.json
  • packages/aurora/src/server/Compute/routers/permissionRouter.test.ts
  • packages/aurora/src/types/index.ts
  • packages/aurora/src/server/Compute/routers/index.ts
  • packages/aurora/src/server/routers.ts
  • apps/dashboard/vite.config.mjs
  • apps/dashboard/src/server/server.ts
  • packages/aurora/package.json
  • packages/aurora/src/server/server.ts
  • packages/aurora/src/server/policyEngineLoader.ts
  • packages/aurora/src/server/Compute/routers/permissionRouter.ts

@taymoor89 taymoor89 enabled auto-merge (squash) June 11, 2026 13:39
@taymoor89 taymoor89 merged commit 5ab571f into main Jun 11, 2026
21 checks passed
@taymoor89 taymoor89 deleted the 690-consumer-policy-dir-support branch June 11, 2026 13:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[EPIC](core): generalize permission system across all scopes

4 participants