Skip to content

chore: add CodeRabbit configuration#3

Open
frederikprijck wants to merge 1 commit into
mainfrom
worktree-coderabbit
Open

chore: add CodeRabbit configuration#3
frederikprijck wants to merge 1 commit into
mainfrom
worktree-coderabbit

Conversation

@frederikprijck

Copy link
Copy Markdown
Member

Summary

  • Add .coderabbit.yaml with review guidance tailored to a modern TypeScript-based Express authentication SDK.
  • The config is organized into two parts so it can be shared across our sibling TS auth SDKs:
    • [BASELINE] — generic to any TS auth SDK: review behavior, path filters, TS/ESM rules, an auth security review block (secrets/token leakage, cookie flags, state/nonce/PKCE, open redirects, token validation, timing-safe comparison, prototype pollution, fail-closed auth), test/example/CI guidance, and tools.
    • [EXPRESS] — repo-specific: cookie maxAge ms/seconds conversion, next(err) middleware handling, OAuth/OIDC handler lifecycle, and AsyncLocalStorage store null-safety.
  • Enables eslint, gitleaks, semgrep, actionlint, markdownlint, languagetool; excludes dist/, coverage/, *.d.ts, and the lockfile; skips release PRs.

Reuse

Sibling SDKs can copy the [BASELINE] entries verbatim (or lift them into org-level CodeRabbit config) and replace the [EXPRESS] block. Globs referencing packages/**/src may need adjusting to the target repo's layout.

Test plan

  • Confirm CodeRabbit picks up .coderabbit.yaml on this PR and posts a review.
  • Verify no schema-validation warnings on the tools / knowledge_base keys.

Add .coderabbit.yaml with review guidance tailored to a TypeScript auth
SDK. The config is split into a reusable [BASELINE] section (generic auth
SDK + TS/ESM rules, security checks, tools) and an [EXPRESS] section for
repo-specific middleware, handler, and AsyncLocalStorage store guidance.
Comment thread .coderabbit.yaml
# ════════════════════════════════════════════════════════════════════
# [EXPRESS] repo-specific guidance — replace this block in sibling SDKs
# ════════════════════════════════════════════════════════════════════
- path: "packages/**/src/**/*.ts"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This packages/**/src/**/*.ts path is the same glob already used at line 62 for the security block. path_instructions is an array so it's valid, but do we know if CodeRabbit merges instructions when two entries share a glob, or is it last one wins ? If it's last wins, the big security block loses its glob and all package source only gets this one maxAge line. Safer to fold this line into the security block, or give it a more specific glob.

Comment thread .coderabbit.yaml
reviews:
# ── [BASELINE] review behavior ──────────────────────────────────────────
profile: assertive
request_changes_workflow: false

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just flagging the combo is intended: profile: assertive means more comments, and request_changes_workflow: false means it never blocks. Fine for an advisory bot, just confirming that's the goal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants