haileyesus2433 commented Jan 1, 2026

Prepare


Description

Target issue

closes #12253


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • New Features

    • Support for Cedar Archive (.cjar), directory-based policy stores, and automatic format detection by path/URL/extension
    • Load policy stores from archive bytes (including WASM), plus remote URL and raw-bytes fetch
    • Trusted‑issuer validation enforcing token‑metadata required‑claims
    • Policy store metadata exposed via factory/initialization and logged at startup
  • Documentation

    • Expanded "Policy Store Formats" and "Policy Store Sources" with examples, packaging, manifests, and language-specific guidance
  • Tests

    • Extensive new tests and benchmarks covering archives, directories, manifests, security, and large stores


haileyesus2433 and others added 17 commits October 8, 2025 04:20
…or types (#12321)

* feat(jans-cedarling): policy store implement core data models and error types

- Add PolicyStoreMetadata and PolicyStoreManifest with serialization
- Implement PolicyStoreSource enum for directory/archive/legacy inputs
- Create comprehensive error types with contextual messages
- Add PolicyStoreFormat enum for format detection

* refactor(jans-cedarling): update policy store metadata serialization

- Simplified serialization by removing unnecessary deserializer and adding default values for optional fields.
- Updated tests to use fixed timestamps for deterministic comparisons during serialization and deserialization.
…cy stores with format detection and directory support

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
* feat(jans-cedarling): add policy store loader module for loading policy stores with format detection and directory support.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): add metadata validation and parsing for policy store

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* fix(jans-cedarling): address comments from review

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): implement virtual file system (VFS) adapter for policy store loading

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): enhance error handling in policy store with new error types and improve validation tests

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jans-cedarling): improve error handling in PolicyStoreError by adding source fields for JSON, YAML, Cedar, Directory, File, and InvalidFileName errors

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jans-cedarling): enhance error handling in DefaultPolicyStoreLoader by using source fields for error reporting

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jans-cedarling): enhance VFS trait by adding open_file method for improved file reading

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
Signed-off-by: Haileyesus Ayanaw <85413826+haileyesus2433@users.noreply.github.com>
…emplate parsing (#12413)

* feat(jans-cedarling): add policy parser module for Cedar policy and template parsing

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): fix comments

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_parser): remove redundant notes on template ID generation and policy parsing

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(loader): simplify method signatures by removing unnecessary self parameter

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(tests): simplify usage of DefaultPolicyStoreLoader by introducing PhysicalLoader type alias

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
* feat(jans-cedarling): add CedarSchemaError to PolicyStoreError for improved error handling

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): implement Cedar schema parser for validation and extraction

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): add schema parsing and validation methods to policy store loader

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jans-cedarling): streamline schema parsing and validation in policy store

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): enhance Cedar schema error handling with specific error types

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
…12464)

* feat(jans-cedarling): add CedarSchemaError to PolicyStoreError for improved error handling

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): implement Cedar schema parser for validation and extraction

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): add schema parsing and validation methods to policy store loader

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jans-cedarling): streamline schema parsing and validation in policy store

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): enhance Cedar schema error handling with specific error types

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): introduce CedarEntityErrorType for enhanced entity error handling

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): add entity parser for Cedar entity files

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): update policy store to include entity parser and enhance error exports

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): add end-to-end tests for loading and parsing entities in policy store

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(entity_parser): enhance entity parsing with optional schema validation

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(entity_parser): fix comments

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
Signed-off-by: Haileyesus Ayanaw <85413826+haileyesus2433@users.noreply.github.com>
…figuration (#12533)

* feat(jans-cedarling): add issuer parser module for trusted issuer configuration

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* fix(policy_store): pass optional schema to entity parser for improved parsing accuracy

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(policy_store): introduce TrustedIssuerErrorType for enhanced error handling in issuer parsing

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
…gainst trusted issuers (#12584)

* feat(jans-cedarling): add TrustedIssuerValidator for JWT validation against trusted issuers

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): fix comments by enhancing TrustedIssuerValidator with JWKS caching and validation improvements

- Introduced caching for JWKS keys with configurable durations to optimize performance.
- Added reverse lookup for OIDC base URLs to streamline issuer matching.
- Updated token validation method to preload JWKS and validate expiration claims.
- Improved logging for JWKS key loading and cache duration monitoring.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
…arling-12253

Signed-off-by: Oleh Bozhok <6554798+olehbozhok@users.noreply.github.com>
…12682)

* feat(jans-cedarling): add ManifestErrorType for manifest validation errors

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): add manifest validator for policy store integrity validation

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): implement manifest validation for PhysicalVfs in policy store loader

- Added a method to validate the manifest file against the policy store contents specifically for PhysicalVfs.
- Introduced logging for unlisted files found in the policy store but not listed in the manifest.
- Updated the policy store loader to call the manifest validation during the loading process if a manifest is present.

This enhancement improves the integrity checks of the policy store by ensuring that the manifest accurately reflects the contents of the store.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* fix(jans-cedarling): comments by streamlining manifest validation in policy store loader

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* chore(jans-cedarling): add dependencies in cargo

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): enhance manifest validation in policy store loader

- Introduced a new method `validate_manifest` for validating the manifest file against the policy store contents, specifically for the PhysicalVfs implementation.
- Updated the `load_directory` method to conditionally call `validate_manifest` based on the VFS type, ensuring that manifest validation is only performed for PhysicalVfs.

This change adheres to the Interface Segregation Principle by limiting manifest validation to appropriate VFS types.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): add archive handling utilities for .cjar policy store

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): expose archive_handler module and re-export ArchiveHandler

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): implement archive loading support for .cjar files

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): enhance ArchiveError enum with detailed error variants for better error handling

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): refactor archive handling to use ArchiveVfs for improved VFS implementation and security

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): enhance policy store loader with ArchiveVfs support and recursive loading of .cedar files

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(policy_store): enhance ArchiveVfs and PolicyStoreSource for improved WASM support

- Refactor ArchiveVfs to support both file paths and in-memory buffers.
- Update PolicyStoreSource to use ArchiveSource enum for better handling of local and remote archives.
- Modify error handling for WASM compatibility, ensuring proper usage of ArchiveVfs in both native and WASM environments.
- Update documentation and examples to reflect changes in archive loading methods.

This update improves the flexibility and security of the policy store loading mechanism.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): simplify format detection in PolicyStoreLoader

- Removed the internal `detect_format_internal` function and integrated its logic directly into the `detect_format` method for clarity.
- Updated tests to use pattern matching for better readability and maintainability.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
Co-authored-by: Oleh Bozhok <6554798+olehbozhok@users.noreply.github.com>
…12649)

* feat(jans-cedarling): add ManifestErrorType for manifest validation errors

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): add manifest validator for policy store integrity validation

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): implement manifest validation for PhysicalVfs in policy store loader

- Added a method to validate the manifest file against the policy store contents specifically for PhysicalVfs.
- Introduced logging for unlisted files found in the policy store but not listed in the manifest.
- Updated the policy store loader to call the manifest validation during the loading process if a manifest is present.

This enhancement improves the integrity checks of the policy store by ensuring that the manifest accurately reflects the contents of the store.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* fix(jans-cedarling): comments by streamlining manifest validation in policy store loader

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* chore(jans-cedarling): add dependencies in cargo

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): enhance manifest validation in policy store loader

- Introduced a new method `validate_manifest` for validating the manifest file against the policy store contents, specifically for the PhysicalVfs implementation.
- Updated the `load_directory` method to conditionally call `validate_manifest` based on the VFS type, ensuring that manifest validation is only performed for PhysicalVfs.

This change adheres to the Interface Segregation Principle by limiting manifest validation to appropriate VFS types.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
Signed-off-by: Haileyesus Ayanaw <85413826+haileyesus2433@users.noreply.github.com>
…darling Architecture (#12819)

* feat(policy_store): Introduce PolicyStoreManager for converting between new and legacy formats

- Added a new module `manager.rs` that implements `PolicyStoreManager`, responsible for converting `LoadedPolicyStore` (new format) to `PolicyStore` (legacy format).
- Implemented methods for converting schemas, policies, trusted issuers, and entities, along with error handling for conversion failures.
- Enhanced `PoliciesContainer` with new constructors for creating instances from policy sets and descriptions.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(policy_store): Add support for Cedar Archive (.cjar) files and directory structures in PolicyStoreSource

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(policy_store): Implement loading policy stores from Cedar Archive (.cjar) files and directories

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(policy_store): Refactor loading functions to use VFS-agnostic approach and include metadata

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(logging): Enhance logging of policy store metadata and compatibility checks

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(policy_store): Add UnsupportedFormat error type for policy store operations

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Simplify error handling and improve documentation for loading policy stores

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(policy_store): Enhance PolicyStoreManager and ManifestValidator with improved error handling, logging, and new utility functions for better policy and template processing

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Simplify validation logic and error handling in MetadataValidator and VfsFileSystem

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(service_factory): Add method to retrieve policy store metadata for enhanced policy management

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jwt): Integrate TrustedIssuerValidator for enhanced JWT validation and re-export validation functions

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(manifest_validator): Remove unused test helper for creating virtual file system

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(test_utils): Add PolicyStoreTestBuilder and fixtures for policy store testing

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(security_tests): Add comprehensive security tests for policy store validation and loading

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(mock_jwks_server): Implement mock JWKS server for trusted issuer validation testing

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(benchmarks): Add policy store benchmark for loading and validation performance

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store_benchmark): Reorder import statements for clarity

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* fix: Update CURRENT_CEDAR_VERSION to 4.3.2 for compatibility check

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* fix(policy_store_config): Set default paths for cjar_file, cjar_url, and directory sources

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* fix(policy_store_manager): Update policy description format to include filename

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* fix(mock_jwks_server): Use unwrap_or_default for safer time duration handling

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* fix(security_tests): Improve error handling and assertions in path traversal and malicious archive tests

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(test_utils): Adjust file handling order and remove unused memory measurement function

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(HttpClient): Simplify GET request logic by extracting retry handling into a private method

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Remove unused LoaderSource instantiation in load_policy_store functions

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(validation): Add error handling for invalid token metadata configuration and trusted issuer validation

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jwt): Change trusted issuer validator to use Arc<RwLock> for improved concurrency

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(validator): Improve validation logic and update compatibility check to use semver::Version

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(benchmarks): Optimize file size calculation in archive parsing benchmarks

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Simplify error handling in issuer validation by returning joined error messages

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(manager): document why we clone parsed entities

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(log_entry): add PolicyStoreLogEntry for logging policy store operations

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Enhance logging and error handling in entity parsing and policy store conversion

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Remove unused imports in load_policy_store functions

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Update loading functions to improve clarity and support for directory and archive sources

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(log_entry): remove unused debug-level log entry creation method

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(mock_jwks_server): replace SystemTime with chrono for better WASM compatibility

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(test_utils): replace SystemTime with chrono for improved time handling
refactor(trusted_issuer_validator): switch from SystemTime to chrono for timestamp management

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(http): update retry logic to handle errors silently in HttpClient and Sender

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(test): clarify retry logic behavior in get_bytes tests

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Enhance error handling and validation messages in policy store components

- Updated `PolicyStoreError` and `ValidationError` enums to improve clarity and specificity of error messages.
- Introduced `CedarParseErrorDetail` for detailed Cedar parsing errors.
- Refactored error handling in `PolicyParser`, `MetadataValidator`, and `PolicyStoreLoader` to utilize new error structures.
- Adjusted tests to reflect changes in error handling and validation logic.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Introduce constant for maximum description length and enhance validation error reporting

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Move tests from loader.rs to a dedicated loader_tests.rs file

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(tests): Simplify entity parsing tests by using expect for error handling

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Clean up and optimize policy store components

- Removed dead code and unnecessary comments across various modules.
- Enhanced error handling in tests to use `expect_err` for clarity.
- Simplified the structure of `MockJwksServer` and related test utilities.
- Updated JWT-related modules to remove unused functions and improve readability.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(log): Change visibility of logging-related structs to public to fix clippy warnings

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(tests): Simplify test code by removing unnecessary conversions and improving assertions

- Removed unnecessary `.into()` calls in test cases for cleaner code.
- Updated assertions to use more direct checks for empty collections.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* fix(policy_store): Update example code in documentation for clarity and fix failing doc tests

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(tests): Enhance error handling in policy store tests

- Updated test assertions to use `expect_err` for clearer error reporting.
- Improved error messages to provide more context on expected failures.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jwt_config): Updated comments to clarify the use of eprintln! for logging in the absence of a logger and add a TODO

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Remove unused error variants and clean up error handling

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(tests): Ensured that the loader gracefully handles both successful and failed policy loads, verifying expected error types.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Update internal documentation to clarify usage and examples

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(tests): Improve error assertions in policy store tests for clarity and specificity

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(tests): Standardize error handling in policy store tests with clearer expectations using .expect

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(tests): Simplify and clarify error handling in policy store tests

- Replaced match statements with .expect for clearer expectations in tests for deeply nested paths and long filenames.
- Updated assertions to ensure successful loading of policies with special-character @id.
- Enhanced comments for better understanding of expected behavior during manifest validation.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(security_test): rename file to archive_security_test

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(app_types): Remove default implementation for PdpID struct

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Remove unused namespace extraction logic from SchemaParser

- Eliminated the extract_namespaces function and its associated tests to streamline the schema parsing process.
- Updated error handling in schema parsing to remove unnecessary namespace reporting.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jwt_validation): Remove unused error variants from ValidateJwtError enum

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Clean up policy store structure and tests

- Removed the unused `source.rs` file and its associated logic.
- Updated tests to use `load_directory` instead of the deprecated `load` method for better clarity and consistency.
- Renamed and reorganized test cases to improve readability and maintainability.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Remove unused mock JWKS server module

- Deleted the `mock_jwks_server.rs` file as it was no longer needed.
- Updated `policy_store.rs` to remove references to the deleted module.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_parser): Remove unnecessary whitespace in ParsedPolicy struct

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Add TODO for potential removal of RawPolicy struct

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(logging): Extract policy store metadata logging into a separate function

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jwt_validation): remove notes from trusted issuer validator documentation

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jwt_validation): remove return documentation from validate_required_claims function

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jwt_service): replace Arc<RwLock<TrustedIssuerValidator>> with TrustedIssuerValidator for improved performance and simplicity

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(http_utils): add TODO for debug-level logging in retry mechanism

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(clippy): temporarily allow std::eprintln/std::eprint for bootstrap process

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): Simplify policy and template parsing by using direct imports from policy_parser

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): fix wasm errors by updating error handling in load_policy_store_archive function

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): remove internal examples and documentation from policy store modules

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(logging): change logger structs to crate visibility

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(jwt_service): enhance comments for clarity on required claims validation process

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): improve error handling in manifest validation for invalid checksum format

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* test(policy_store): check that nested files in archive are parsed correctly

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): add WASM-specific error handling for unsupported archive operations

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* chore(policy_store): remove empty lines

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* chore(jans-cedarling): fix needless borrow

Signed-off-by: Oleh Bozhok <6554798+olehbozhok@users.noreply.github.com>

* chore(jans-cedarling): fix clippy issues related to `pub(crate)`

Signed-off-by: Oleh Bozhok <6554798+olehbozhok@users.noreply.github.com>

* refactor(policy_store): enhance directory loading with manifest validation for PhysicalVfs (#12860)

* refactor(policy_store): enhance directory loading with manifest validation for PhysicalVfs

Updated the policy store directory loading function to utilize a PhysicalVfs-specific loader and added manifest validation when a manifest is present. This change improves the clarity of the loading process and ensures that manifest validation is only performed where appropriate.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(policy_store): offload blocking I/O operations in policy store loading

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* test(policy_store): improve test for handling invalid checksum format in manifest

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
Signed-off-by: Oleh Bozhok <6554798+olehbozhok@users.noreply.github.com>
Co-authored-by: Oleh Bozhok <6554798+olehbozhok@users.noreply.github.com>
* feat(tests): Add integration tests for policy store loader

- Introduced a new test module `policy_store_loader.rs` to validate the functionality of the policy store loader.
- Implemented tests for loading policy stores from both directory structures and Cedar Archive (.cjar) files, ensuring correct authorization behavior.
- Added manifest validation tests to check for checksum mismatches and policy store ID mismatches.
- Enhanced existing test utilities to support the new loader functionality.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* chore(test): remove allow(dead_code) in policy store loader test

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(tests): add JWT authorization tests with directory-based policy store

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* refactor(tests): replace manual configuration setup with a utility function get_config

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(tests): enhance JWT authorization tests with tampered token validation

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
…format (#12903)

* feat(cedarling_wasm): Add init_from_archive_bytes function for loading Cedar Archive (.cjar) files

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs: Enhance policy store documentation with new directory-based format details

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs: update tutorials to include policy store source types and examples for Go, Java, JavaScript, Python, and Rust bindings

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs: enhance README files with detailed policy store sources and formats for Java, Go, Python, Uniffi, and WASM bindings

- Added sections on policy store sources, including legacy single-file formats, new directory-based formats, and Cedar Archive (.cjar) formats.
- Updated examples for loading policy stores in various programming languages.
- Clarified the limitations and supported options for WASM environments.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* chore(schema): update policy store schema to include new directory-based format details

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs(jans-cedarling): add language identifier to fenced code blocks

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs(jans-cedarling): convert bold text to proper heading and add additional line

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs(jans-cedarling): Removed unnecessary whitespace and improved formatting for clarity.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs(jans-cedarling): Clarify local policy store file path description in documentation

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs(jans-cedarling): Update WASM environment notes for policy store sources

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs(jans-cedarling): Updated policy store sources sections to reference Cedarling Properties for configuration options.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs(jans-cedarling): Added a reference link to the Cedarling policy store documentation for clarity.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* chore(jans-cedarling): remove comment in `policy_store_schema.json`

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs: remove trailing asterisks

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* chore(jans-cedarling): simplify policy store schema description and remove directory-based format definitions

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs(jans-cedarling): Update documentation to clarify loading from Cedar archives and improve consistency across tutorials

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* feat(jans-cedarling): Updated logic to detect and handle .cjar files when loading policy stores from URIs.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

* docs(jans-cedarling): updated documentation on policy store formats and automatic detection for local and remote sources.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

---------

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
@haileyesus2433 haileyesus2433 self-assigned this Jan 1, 2026

mo-auto commented Jan 1, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |



coderabbitai bot commented Jan 1, 2026

Walkthrough

Adds first-class support for a directory-based and ZIP-backed (.cjar) Cedar policy store: new VFS and archive handling, directory/archive/bytes loaders (including WASM entrypoint), metadata/manifest/schema/policy/entity/issuer parsing and validation, conversion to legacy format, JWT trusted‑issuer validation, docs, tests, and benchmarks.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **Docs & Bindings**<br>`docs/cedarling/reference/cedarling-policy-store.md`, `docs/cedarling/reference/cedarling-properties.md`, `docs/cedarling/tutorials/*`, `jans-cedarling/bindings/*/README.md`, `jans-cedarling/bindings/cedarling_wasm/README.md`, `jans-cedarling/bindings/cedarling_wasm/example_data.js` | Add Policy Store Formats doc and “Policy Store Sources” examples (legacy single-file, directory, .cjar), WASM notes and `init_from_archive_bytes` usage; update language/examples across Go/Java/JS/Python/Rust and multiple binding READMEs. |
| **Bootstrap / Config**<br>`jans-cedarling/cedarling/src/bootstrap_config/*`, `docs/cedarling/reference/cedarling-properties.md` | Extend PolicyStoreSource/Raw with Directory, CjarFile, CjarUrl, ArchiveBytes; change raw→try conversion with validation and MissingCjarUrl; add JwtConfigRaw and algorithm filtering; auto-detect formats by URI/path. |
| **VFS & Archive handling**<br>`jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs`, `.../vfs_adapter.rs` | New ArchiveVfs (ZIP-backed VFS) with safe path handling and in-memory/native constructors; VfsFileSystem trait, PhysicalVfs and MemoryVfs implementations for cross-platform access. |
| **Loader & Integration**<br>`jans-cedarling/cedarling/src/common/policy_store/loader.rs`, `.../manifest_validator.rs`, `.../manager.rs` | New DefaultPolicyStoreLoader supporting directory, .cjar, and archive-bytes sources; manifest validation against checksums; PolicyStoreManager to convert new format into legacy PolicyStore; discovers metadata/schema/policies/templates/entities/trusted-issuers. |
| **Parsers & Validators**<br>`jans-cedarling/cedarling/src/common/policy_store/{policy_parser,schema_parser,entity_parser,issuer_parser,metadata,validator}.rs` | Add schema/policy/entity/issuer parsers, PolicyStoreMetadata/Manifest/FileInfo types, metadata validator with semantics and accessors, and validation logic for IDs, cedar versions, timestamps, descriptions. |
| **Errors & Logging**<br>`jans-cedarling/cedarling/src/common/policy_store/errors.rs`, `.../log_entry.rs`, `lib.rs` | Add comprehensive PolicyStore error hierarchy, PolicyStoreLogEntry, and `log_policy_store_metadata` helper; re-export JWT/trusted-issuer types from crate root. |
| **JWT / Trusted Issuer**<br>`jans-cedarling/cedarling/src/jwt/*`, `.../validation/trusted_issuer_validator.rs` | Implement TrustedIssuerValidator (OIDC/JWKS fetching & caching, claim validation), integrate trusted-issuer validation into JwtService, add related error variants and re-exports. |
| **Init & Service wiring**<br>`jans-cedarling/cedarling/src/init/*`, `service_factory.rs` | Wire new PolicyStoreSource variants into load flow (CjarFile/CjarUrl/Directory/ArchiveBytes), convert to legacy via PolicyStoreManager, expose `policy_store_metadata()` accessor, and log metadata during init. |
| **Tests, Fixtures & Benchmarks**<br>`jans-cedarling/cedarling/src/tests/*`, `.../policy_store/*_tests.rs`, `benches/policy_store_benchmark.rs`, `test_utils.rs` | Large new unit/integration/security tests for loader/parser/manifest/archives, PolicyStoreTestBuilder fixtures, and Criterion benchmarks for archive creation/parsing and large-store scenarios. |
| **WASM bindings**<br>`jans-cedarling/bindings/cedarling_wasm/src/lib.rs`, `.../example_data.js` | Add wasm-exported async `init_from_archive_bytes(config, archive_bytes)` and example bootstrap config demonstrating policy store URI and archive-bytes usage. |
| **HTTP & Networking**<br>`jans-cedarling/cedarling/src/http/mod.rs`, `jans-cedarling/http_utils/src/lib.rs` | Add `HttpClient::get_bytes`, silent retry/backoff behavior, new DecodeResponseBody error variant, and adjust http_utils to silent retries. |
| **Cargo & Tooling**<br>`jans-cedarling/cedarling/Cargo.toml`, `clippy.toml`, `jans-cedarling/schema/policy_store_schema.json` | Add dependencies (vfs, zip, sha2, hex; tempfile dev), add benchmark config, and add clippy rule disallowing `SystemTime::now`; minor JSON formatting changes. |
| **Minor API/Visibility**<br>`.../common/app_types.rs`, `.../lock/mod.rs`, `log/*`, `jwt/*` | Adjust visibilities (PdpID, LockService, LogStrategy), small test refactors and expectation tweaks, and add `ValidateJwtError::TrustedIssuerValidation` variant. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

  • #12887 — Both concern adding/supporting the .cjar (ZIP) policy-store format; this PR implements .cjar handling and docs.
  • #12881 — Adds end‑to‑end tests for the new policy-store loader; this PR supplies comprehensive loader integration/security tests.
  • #12769 — Requests format detection, loader routing, and legacy conversion; this PR introduces PolicyStoreManager, detection, and conversion paths.

Possibly related PRs

  • #12819 — Overlapping work on directory/.cjar loading, ArchiveVfs, loader/manager, and manifest handling.
  • #12903 — Adds WASM archive-bytes API and related docs; strongly connected to init_from_archive_bytes changes here.
  • #12455 — Changes to JWT/trusted-issuer initialization and validation that overlap the TrustedIssuerValidator and JwtService adjustments.

Suggested reviewers

  • dagregi
  • duttarnab

Pre-merge checks

✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title 'feat (jans-cedarling): Support new Policy Store ZIP format' is clear, concise, and directly summarizes the main change—adding support for a new Policy Store ZIP (.cjar) format. It accurately reflects the primary objective of the changeset. |
| Description check | ✅ Passed | The PR description addresses the template sections: confirms reading guidelines, links to the target issue (#12253), confirms testing and documentation were completed, and declares no doc impact from code changes. However, it lacks implementation details explaining the approach or technical design decisions. |
| Linked Issues check | ✅ Passed | The PR implements all core requirements from #12253: directory and .cjar archive loading, metadata/schema/policy/template/entity/trusted-issuer parsing and validation, manifest integrity checks, secure archive extraction, path-traversal protections, detailed error reporting, backward compatibility, and comprehensive tests. Public APIs for PolicyStoreLoader, PolicyStoreManager, and metadata handling are introduced with extensive test coverage. |
| Out of Scope Changes check | ✅ Passed | All changes align with the stated objectives: new policy store loading infrastructure, manifest validation, entity/issuer parsing, trusted issuer validation via JWT, documentation updates, and security tests. Minor scope expansions (e.g., new LogStrategy parameter, LockService visibility) support the primary feature without deviating from core objectives. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


@haileyesus2433 haileyesus2433 changed the title ~~Jans cedarling 12253~~ feat (jans-cedarling): Support new Policy Store ZIP format Jan 1, 2026
Signed-off-by: Haileyesus Ayanaw <85413826+haileyesus2433@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 49

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (6)
jans-cedarling/http_utils/src/lib.rs (1)

86-109: Preserve error context for debugging.

While silent retries avoid WASM console issues, completely discarding error information (`_err`) makes debugging production failures nearly impossible. When all retries are exhausted, callers receive only `MaxRetriesExceeded` with no indication of what actually failed (network timeout, 404, 503, etc.).

Per coding guidelines: "Include context in error messages for better debugging."

🔎 Proposed fix: Enhance error to preserve last failure

Modify the error enum to capture the underlying cause:

 #[derive(Debug, Error)]
 pub enum HttpRequestError {
-    #[error("max retries exceeded")]
-    MaxRetriesExceeded,
+    #[error("max retries exceeded, last error: {0}")]
+    MaxRetriesExceeded(String),
     #[error("failed to deserialize response to JSON: {0}")]
     DeserializeToJson(#[source] reqwest::Error),
     #[error("failed to initialize HTTP client: {0}")]
     InitializeHttpClient(#[source] reqwest::Error),
 }
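Review bot: Changing `MaxRetriesExceeded` to carry a `String` discards the typed cause, while the other two variants in this enum keep their `reqwest::Error` as `#[source]`. Consider storing the last failure as a `reqwest::Error` marked `#[source]` so callers can still inspect it. Turning the unit variant into a tuple variant also breaks every existing match on or construction of `HttpRequestError::MaxRetriesExceeded` outside this hunk, so those call sites need updating in the same change.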

Then track the last error in the retry loop:

     let backoff = &mut self.backoff;
     backoff.reset();
+    let mut last_error: Option<String> = None;

     loop {
         let response = match request().send().await {
             Ok(resp) => resp,
-            Err(_err) => {
+            Err(err) => {
+                last_error = Some(err.to_string());
                 // Retry silently - callers receive the final error if all retries fail.
                 // TODO: add optional debug-level logging hook here once a logger can be
                 //       passed in without pulling logging into this low-level crate.
                 backoff
                     .snooze()
                     .await
-                    .map_err(|_| HttpRequestError::MaxRetriesExceeded)?;
+                    .map_err(|_| HttpRequestError::MaxRetriesExceeded(
+                        last_error.clone().unwrap_or_else(|| "unknown error".to_string())
+                    ))?;
                 continue;
             },
         };

         let response = match response.error_for_status() {
             Ok(resp) => resp,
-            Err(_err) => {
+            Err(err) => {
+                last_error = Some(format!("HTTP {}: {}", 
+                    err.status().map(|s| s.as_str()).unwrap_or("unknown"),
+                    err));
                 // Retry silently - callers receive the final error if all retries fail.
                 // TODO: add optional debug-level logging hook here once a logger can be
                 //       passed in without pulling logging into this low-level crate.
                 backoff
                     .snooze()
                     .await
-                    .map_err(|_| HttpRequestError::MaxRetriesExceeded)?;
+                    .map_err(|_| HttpRequestError::MaxRetriesExceeded(
+                        last_error.clone().unwrap_or_else(|| "unknown error".to_string())
+                    ))?;
                 continue;
             },
         };
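Review bot: In both `Err(err)` arms `last_error` is assigned immediately before the `map_err`, so the `unwrap_or_else(|| "unknown error".to_string())` fallback can never run and the `Option` plus `clone()` only add noise; build the message once from `err` in a small helper and pass it to `MaxRetriesExceeded`. In the `error_for_status` arm, `err.status().map(|s| s.as_str())` returns a `&str` borrowed from the closure-local `s`, so check that this compiles or format the status value directly. Because `err.to_string()` on a reqwest error usually includes the request URL, strip it (for example with `without_url()`) before storing the text if URLs on this path can carry credentials or tokens in the query string.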
jans-cedarling/cedarling/src/lock/mod.rs (1)

95-110: Reorder imports to comply with coding guidelines.

The imports should be grouped with std/external crates first, then internal modules. Currently, internal and external imports are mixed.

🔎 Proposed fix to reorder imports
-use crate::app_types::PdpID;
-use crate::common::issuer_utils::normalize_issuer;
-use crate::log::LoggerWeak;
-use crate::log::interface::Loggable;
-use crate::{LockServiceConfig, LogWriter};
 use futures::channel::mpsc;
-use lock_config::*;
-use log_entry::LockLogEntry;
-use log_worker::*;
-use register_client::{ClientRegistrationError, register_client};
 use reqwest::Client;
 use reqwest::header::{HeaderMap, HeaderValue};
-use ssa_validation::validate_ssa_jwt;
 use std::sync::{Arc, RwLock};
 use std::time::Duration;
 use tokio_util::sync::CancellationToken;
+
+use crate::app_types::PdpID;
+use crate::common::issuer_utils::normalize_issuer;
+use crate::log::interface::Loggable;
+use crate::log::LoggerWeak;
+use crate::{LockServiceConfig, LogWriter};
+use lock_config::*;
+use log_entry::LockLogEntry;
+use log_worker::*;
+use register_client::{ClientRegistrationError, register_client};
+use ssa_validation::validate_ssa_jwt;
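Review bot: The proposed order still leaves `std::sync` and `std::time` after `reqwest` in the first block, so it does not give std its own leading group as the `StdExternalCrate` setting named in the project guidelines would, and the second block mixes `crate::` paths with the local `lock_config`, `log_entry`, `log_worker`, `register_client` and `ssa_validation` modules. Rather than hand-sorting, run `cargo fmt` with the project's `rustfmt.toml` and commit the order it produces.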

Based on coding guidelines: "Group imports with std/external crates first, then internal modules, using `imports_granularity = "Module"`".

jans-cedarling/cedarling/src/log/log_strategy.rs (2)

37-60: Consider documenting the visibility restriction rationale.

The `new` constructor's visibility was changed to `pub(crate)`, restricting direct construction to within the crate. While this aligns with the controlled API pattern (public type, private constructors), adding a doc comment explaining that `LogStrategy` instances should be obtained via `log::init_logger` would improve API clarity for maintainers.

📝 Suggested documentation addition
 impl LogStrategy {
-    /// Creates a new `LogStrategy` based on the provided configuration.
-    /// Initializes the corresponding logger accordingly.
+    /// Creates a new `LogStrategy` based on the provided configuration.
+    /// Initializes the corresponding logger accordingly.
+    /// 
+    /// Note: This constructor is crate-private. External users should obtain
+    /// `LogStrategy` instances via `log::init_logger`.
     pub(crate) fn new(
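Review bot: The added `/// ` separator line carries a trailing space, and the first two doc lines are removed and re-added unchanged, which makes the suggestion noisier than the two-line note it actually adds. Use a bare `///` for the blank doc line and keep only the genuinely new lines in the hunk.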

62-74: Add documentation for the new `lock_service` parameter.

The `new_with_logger` constructor gained a `lock_service: Option<LockService>` parameter but lacks documentation explaining its purpose. Add a doc comment describing when to provide a `LockService` during initialization versus setting it later via `set_lock_service`.

📝 Suggested documentation addition
+    /// Creates a new `LogStrategy` with a pre-configured logger.
+    /// 
+    /// # Parameters
+    /// - `logger`: The logger implementation to use
+    /// - `pdp_id`: Policy Decision Point identifier
+    /// - `app_name`: Optional application name
+    /// - `lock_service`: Optional lock service for distributed logging coordination
     pub(crate) fn new_with_logger(
         logger: LogStrategyLogger,
         pdp_id: PdpID,
         app_name: Option<ApplicationName>,
         lock_service: Option<LockService>,
     ) -> Self {
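Review bot: The `# Parameters` section conflicts with the project guideline listed in this review ("Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)"), and it restates the signature instead of explaining why. The comment above asks for guidance on when to pass a `LockService` here versus calling `set_lock_service` later, so one or two sentences saying that would serve better. The phrase "distributed logging coordination" is also not established by anything in the visible code.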
jans-cedarling/bindings/cedarling_wasm/README.md (1)

332-334: Remove empty code blocks at the end of the file.

The file ends with empty fenced code blocks that serve no purpose and trigger linting warnings.

🔎 Proposed fix
-For complete configuration documentation, see [cedarling-properties.md](../../../docs/cedarling/cedarling-properties.md) or on [our page](https://docs.jans.io/stable/cedarling/cedarling-properties/) .
-
-```
-
-```
+For complete configuration documentation, see [cedarling-properties.md](../../../docs/cedarling/cedarling-properties.md) or on [our page](https://docs.jans.io/stable/cedarling/cedarling-properties/).
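Review bot: The retained link target `../../../docs/cedarling/cedarling-properties.md` does not match the path this PR lists for that file, `docs/cedarling/reference/cedarling-properties.md`, so the relative link probably needs `reference/` added while the line is being touched. Removing the empty fence and the stray space before the full stop is fine as proposed.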
docs/cedarling/tutorials/java.md (1)

203-222: JavaScript syntax in Java documentation.

The `principals` definition contains JavaScript syntax (`const principals = [...]`) instead of valid Java:

🔎 Proposed fix
     String principals = """
-        const principals = [
+        [
           {
             "cedar_entity_mapping": {
               "entity_type": "Jans::Workload",
               "id": "some_workload_id"
             },
-            "client_id": "some_client_id",
+            "client_id": "some_client_id"
           },
           {
             "cedar_entity_mapping": {
               "entity_type": "Jans::User",
               "id": "random_user_id"
             },
             "roles": ["admin", "manager"]
-          },
-        ];
+          }
+        ]
         """;
📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d80354 and 19d33b4.

📒 Files selected for processing (59)
  • docs/cedarling/reference/cedarling-policy-store.md
  • docs/cedarling/reference/cedarling-properties.md
  • docs/cedarling/tutorials/go.md
  • docs/cedarling/tutorials/java.md
  • docs/cedarling/tutorials/javascript.md
  • docs/cedarling/tutorials/python.md
  • docs/cedarling/tutorials/rust.md
  • jans-cedarling/bindings/cedarling-java/README.md
  • jans-cedarling/bindings/cedarling_go/README.md
  • jans-cedarling/bindings/cedarling_python/PYTHON_TYPES.md
  • jans-cedarling/bindings/cedarling_python/README.md
  • jans-cedarling/bindings/cedarling_uniffi/README.md
  • jans-cedarling/bindings/cedarling_wasm/README.md
  • jans-cedarling/bindings/cedarling_wasm/example_data.js
  • jans-cedarling/bindings/cedarling_wasm/src/lib.rs
  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/authz/trust_mode.rs
  • jans-cedarling/cedarling/src/bootstrap_config/decode.rs
  • jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
  • jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
  • jans-cedarling/cedarling/src/common/app_types.rs
  • jans-cedarling/cedarling/src/common/policy_store.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
  • jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/metadata.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/common/policy_store/validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
  • jans-cedarling/cedarling/src/http/mod.rs
  • jans-cedarling/cedarling/src/init/policy_store.rs
  • jans-cedarling/cedarling/src/init/service_factory.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
  • jans-cedarling/cedarling/src/jwt/test_utils.rs
  • jans-cedarling/cedarling/src/jwt/validation.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/jwt/validation/validator.rs
  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/cedarling/src/lock/mod.rs
  • jans-cedarling/cedarling/src/log/log_strategy.rs
  • jans-cedarling/cedarling/src/log/mod.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
  • jans-cedarling/cedarling/src/tests/policy_store_loader.rs
  • jans-cedarling/clippy.toml
  • jans-cedarling/http_utils/src/lib.rs
  • jans-cedarling/schema/policy_store_schema.json
🧰 Additional context used
📓 Path-based instructions (3)
jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

  • jans-cedarling/cedarling/src/lock/mod.rs
  • jans-cedarling/cedarling/src/jwt/validation/validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/init/service_factory.rs
  • jans-cedarling/cedarling/src/tests/policy_store_loader.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/bindings/cedarling_wasm/src/lib.rs
  • jans-cedarling/cedarling/src/log/log_strategy.rs
  • jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
  • jans-cedarling/cedarling/src/init/policy_store.rs
  • jans-cedarling/cedarling/src/jwt/test_utils.rs
  • jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/validator.rs
  • jans-cedarling/cedarling/src/log/mod.rs
  • jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/cedarling/src/http/mod.rs
  • jans-cedarling/cedarling/src/jwt/validation.rs
  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/http_utils/src/lib.rs
  • jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/common/app_types.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
  • jans-cedarling/cedarling/src/bootstrap_config/decode.rs
  • jans-cedarling/cedarling/src/common/policy_store.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
  • jans-cedarling/cedarling/src/common/policy_store/metadata.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/authz/trust_mode.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
jans-cedarling/**/*test*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*test*.rs: Use test_utils crate for shared test helpers
Include both positive and negative test cases in test files
For error checking in tests, use assert!(matches!(...), "explicit comment") instead of assert!(result.is_err())
Use expect_err("explicit comment") instead of panic() in tests
Always include explicit comments explaining what error is expected in test assertions

Files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/jwt/test_utils.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
jans-cedarling/**/Cargo.toml

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

Build all workspace members using cargo build --workspace

Files:

  • jans-cedarling/cedarling/Cargo.toml
🧠 Learnings (47)
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use PascalCase for types, traits, and enums in Rust

Applied to files:

  • jans-cedarling/cedarling/src/lock/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
  • jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
  • jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/app_types.rs
  • jans-cedarling/cedarling/src/authz/trust_mode.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

  • jans-cedarling/cedarling/src/lock/mod.rs
  • jans-cedarling/cedarling/src/init/policy_store.rs
  • jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
  • jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/cedarling/src/jwt/validation.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/app_types.rs
  • jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
  • jans-cedarling/cedarling/src/common/policy_store.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

  • jans-cedarling/cedarling/src/lock/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
  • jans-cedarling/cedarling/src/common/policy_store/metadata.rs
  • jans-cedarling/cedarling/src/authz/trust_mode.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

  • jans-cedarling/cedarling/src/lock/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
  • jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • docs/cedarling/tutorials/javascript.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use snake_case for variables, functions, and modules in Rust

Applied to files:

  • jans-cedarling/cedarling/src/lock/mod.rs
  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
📚 Learning: 2025-12-10T14:10:48.131Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

  • jans-cedarling/cedarling/src/lock/mod.rs
  • jans-cedarling/cedarling/src/jwt/validation/validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/init/service_factory.rs
  • jans-cedarling/cedarling/src/tests/policy_store_loader.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/bindings/cedarling_wasm/src/lib.rs
  • jans-cedarling/cedarling/src/log/log_strategy.rs
  • jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
  • jans-cedarling/cedarling/src/init/policy_store.rs
  • jans-cedarling/cedarling/src/jwt/test_utils.rs
  • jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/validator.rs
  • jans-cedarling/cedarling/src/log/mod.rs
  • jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/cedarling/src/http/mod.rs
  • jans-cedarling/cedarling/src/jwt/validation.rs
  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/http_utils/src/lib.rs
  • jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/common/app_types.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
  • jans-cedarling/cedarling/src/bootstrap_config/decode.rs
  • jans-cedarling/cedarling/src/common/policy_store.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
  • jans-cedarling/cedarling/src/common/policy_store/metadata.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/authz/trust_mode.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/bindings/cedarling_python/**/*.py : Validate Python type annotations using `mypy cedarling_python` in the bindings directory

Applied to files:

  • jans-cedarling/bindings/cedarling_python/PYTHON_TYPES.md
  • jans-cedarling/bindings/cedarling_python/README.md
📚 Learning: 2025-11-28T05:59:26.842Z
Learnt from: haileyesus2433
Repo: JanssenProject/jans PR: 12455
File: jans-cedarling/cedarling/src/jwt/mod.rs:143-145
Timestamp: 2025-11-28T05:59:26.842Z
Learning: In jans-cedarling JWT service, the local-JWKS-only configuration (no trusted issuers) loads keys but does not initialize validators. This means signed tokens will hit ValidateJwtError::MissingValidator and be skipped. This is acceptable as the intended use case is authorize_unsigned. Validator setup for JWKS-only signed authorization is planned for future implementation.

Applied to files:

  • jans-cedarling/cedarling/src/jwt/validation/validator.rs
  • jans-cedarling/cedarling/src/tests/policy_store_loader.rs
  • jans-cedarling/cedarling/src/bootstrap_config/jwt_config.rs
  • jans-cedarling/cedarling/src/jwt/validation.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use thiserror crate for custom error types

Applied to files:

  • jans-cedarling/cedarling/src/jwt/validation/validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/http_utils/src/lib.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include context in error messages for better debugging

Applied to files:

  • jans-cedarling/cedarling/src/jwt/validation/validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/src/tests/**/*.rs : Place integration tests in src/tests/ directory

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/tests/policy_store_loader.rs
  • jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
  • jans-cedarling/cedarling/src/authz/trust_mode.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/tests/policy_store_loader.rs
  • jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/tests/policy_store_loader.rs
  • docs/cedarling/tutorials/go.md
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
  • jans-cedarling/cedarling/src/authz/trust_mode.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/tests/policy_store_loader.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
  • jans-cedarling/cedarling/src/authz/trust_mode.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run specific test files using `cargo test -p cedarling --test authorize_unsigned` format

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • docs/cedarling/tutorials/java.md
  • jans-cedarling/cedarling/src/tests/policy_store_loader.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use `expect_err("explicit comment")` instead of `panic()` in tests

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run main crate tests with `cargo test -p cedarling`

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/tests/policy_store_loader.rs
  • docs/cedarling/tutorials/go.md
  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • docs/cedarling/tutorials/javascript.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : For error checking in tests, use `assert!(matches!(...), "explicit comment")` instead of `assert!(result.is_err())`

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/jwt/test_utils.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
  • jans-cedarling/cedarling/src/authz/trust_mode.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

  • docs/cedarling/tutorials/rust.md
  • jans-cedarling/bindings/cedarling_python/README.md
  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/bindings/cedarling_go/README.md
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
  • jans-cedarling/bindings/cedarling_uniffi/README.md
📚 Learning: 2025-12-26T17:33:14.632Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:14.632Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

  • docs/cedarling/tutorials/rust.md
  • jans-cedarling/bindings/cedarling_wasm/README.md
  • docs/cedarling/reference/cedarling-properties.md
  • jans-cedarling/bindings/cedarling-java/README.md
  • jans-cedarling/bindings/cedarling_wasm/example_data.js
  • jans-cedarling/bindings/cedarling_python/README.md
  • jans-cedarling/cedarling/src/lib.rs
  • docs/cedarling/tutorials/go.md
  • jans-cedarling/bindings/cedarling_go/README.md
  • jans-cedarling/bindings/cedarling_uniffi/README.md
  • jans-cedarling/clippy.toml
  • docs/cedarling/tutorials/javascript.md
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

  • docs/cedarling/tutorials/rust.md
  • docs/cedarling/reference/cedarling-properties.md
  • jans-cedarling/bindings/cedarling-java/README.md
  • docs/cedarling/tutorials/go.md
  • jans-cedarling/bindings/cedarling_go/README.md
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
  • jans-cedarling/bindings/cedarling_uniffi/README.md
  • docs/cedarling/tutorials/javascript.md
📚 Learning: 2025-12-19T06:30:26.460Z
Learnt from: duttarnab
Repo: JanssenProject/jans PR: 12806
File: demos/janssen-tarp/browser-extension/src/ai/index.ts:61-72
Timestamp: 2025-12-19T06:30:26.460Z
Learning: Jans Tarp (demos/janssen-tarp) is a testing and development tool for OIDC flows and Cedarling authorization. For this project, storing access tokens and id tokens in browser storage (chrome.storage.local) is acceptable because it's designed for testing/development scenarios, not production use.

Applied to files:

  • jans-cedarling/bindings/cedarling_wasm/README.md
  • jans-cedarling/bindings/cedarling_wasm/example_data.js
  • jans-cedarling/bindings/cedarling_uniffi/README.md
  • docs/cedarling/tutorials/javascript.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use derive_more crate for error derivation when needed

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/init/policy_store.rs
  • jans-cedarling/cedarling/src/http/mod.rs
  • jans-cedarling/http_utils/src/lib.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer Result<T, E> over panics for error handling

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/http_utils/src/lib.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/bindings/cedarling_wasm/src/lib.rs
  • jans-cedarling/cedarling/src/init/policy_store.rs
  • jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
  • jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/cedarling/src/jwt/validation.rs
  • docs/cedarling/tutorials/go.md
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
  • jans-cedarling/cedarling/src/bootstrap_config/decode.rs
  • jans-cedarling/cedarling/src/common/policy_store.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/tests/mod.rs
📚 Learning: 2025-12-01T00:02:51.580Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
  • jans-cedarling/cedarling/src/lib.rs
  • docs/cedarling/tutorials/go.md
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
  • jans-cedarling/clippy.toml
  • docs/cedarling/tutorials/javascript.md
📚 Learning: 2025-12-24T14:16:17.748Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/bindings/cedarling_wasm/src/lib.rs
  • jans-cedarling/cedarling/src/log/log_strategy.rs
  • jans-cedarling/cedarling/src/log/mod.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
  • jans-cedarling/clippy.toml
📚 Learning: 2025-11-07T07:42:08.807Z
Learnt from: duttarnab
Repo: JanssenProject/jans PR: 12652
File: jans-auth-server/model/src/main/java/io/jans/as/model/config/adminui/UIConfiguration.java:9-9
Timestamp: 2025-11-07T07:42:08.807Z
Learning: In the UIConfiguration class (jans-auth-server/model/src/main/java/io/jans/as/model/config/adminui/UIConfiguration.java), the cedarlingPolicyStoreRetrievalPoint field is intentionally kept as a String type for database persistence, rather than using the CedarlingPolicyStrRetrievalPoint enum. The enum type is used in the API/service layer classes, with conversion happening at the boundaries.

Applied to files:

  • docs/cedarling/reference/cedarling-properties.md
  • jans-cedarling/bindings/cedarling-java/README.md
  • jans-cedarling/bindings/cedarling_uniffi/README.md
📚 Learning: 2025-12-26T17:33:14.632Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:14.632Z
Learning: In Rust WASM bindings under bindings/cedarling_wasm (e.g., jans-cedarling/bindings/cedarling_wasm/src/lib.rs), require explicit documentation sections such as # Arguments and # Example for functions exported to JavaScript. This helps JS consumers understand parameter usage and provide usage examples. Ensure documentation is included in the relevant Rust doc comments where bindings are exposed.

Applied to files:

  • jans-cedarling/bindings/cedarling_wasm/src/lib.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Leverage serde for serialization/deserialization in Rust

Applied to files:

  • jans-cedarling/bindings/cedarling_wasm/src/lib.rs
  • jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs
  • jans-cedarling/cedarling/src/bootstrap_config/policy_store_config.rs
  • jans-cedarling/cedarling/src/lib.rs
  • docs/cedarling/tutorials/go.md
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/metadata.rs
  • docs/cedarling/tutorials/javascript.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/bindings/cedarling_python/cedarling_python/**/*.pyi : Check if type hints in `.pyi` files need adjustment to match Rust interface changes

Applied to files:

  • jans-cedarling/bindings/cedarling_python/README.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

  • jans-cedarling/cedarling/src/lib.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/bindings/cedarling_go/README.md
  • jans-cedarling/bindings/cedarling_uniffi/README.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Build main cedarling crate using `cargo build -p cedarling`

Applied to files:

  • docs/cedarling/tutorials/go.md
  • jans-cedarling/cedarling/Cargo.toml
  • docs/cedarling/tutorials/javascript.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Generate and view documentation with `cargo doc -p cedarling --no-deps --open`

Applied to files:

  • docs/cedarling/tutorials/go.md
  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/bindings/cedarling_go/README.md
  • docs/cedarling/tutorials/javascript.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Build updated Python bindings using `cd bindings/cedarling_python && maturin develop` and consult README.md if errors occur

Applied to files:

  • docs/cedarling/tutorials/go.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run benchmarks using `cargo bench -p cedarling`

Applied to files:

  • docs/cedarling/tutorials/go.md
  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • docs/cedarling/tutorials/javascript.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use rustfmt with project's rustfmt.toml settings for all Rust code

Applied to files:

  • docs/cedarling/tutorials/go.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/Cargo.toml : Build all workspace members using `cargo build --workspace`

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • docs/cedarling/tutorials/javascript.md
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include examples in docstrings for complex functionality

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/claim_mapping.rs
📚 Learning: 2025-10-30T13:03:03.905Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12544
File: jans-cedarling/cedarling/src/tests/authorize_resource_entity.rs:65-109
Timestamp: 2025-10-30T13:03:03.905Z
Learning: In Rust, when `use tokio::test;` is present at the top of a file, the `#[test]` attribute refers to `tokio::test` (the async test macro), not the standard library's `#[test]`. This is a valid pattern for writing async tests with Tokio.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
  • jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs
📚 Learning: 2025-12-10T14:10:52.927Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:52.927Z
Learning: Applies to jans-cedarling/**/*.rs: Avoid using `println!` or `eprintln!` as they don't work in WASM. Use the Logger with `logger.log(&System::log_msg(...))` pattern instead.

Applied to files:

  • jans-cedarling/clippy.toml
📚 Learning: 2025-12-17T13:08:11.604Z
Learnt from: dagregi
Repo: JanssenProject/jans PR: 12833
File: jans-cedarling/schema/minimal_policy_store.json:13-21
Timestamp: 2025-12-17T13:08:11.604Z
Learning: In jans-cedarling/schema/cedarling_core.cedarschema, the Access_token entity intentionally includes both a `scope?: Set<String>` attribute and `tags Set<String>` declaration. This dual approach is by design, allowing scope to be accessed either as an attribute or dynamically as a tag depending on the use case.

Applied to files:

  • jans-cedarling/schema/policy_store_schema.json
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use typed-builder crate for complex struct construction

Applied to files:

  • docs/cedarling/tutorials/javascript.md
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
🧬 Code graph analysis (10)
jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs (2)
jans-cedarling/cedarling/src/common/policy_store/test_utils.rs (8)
  • create_corrupted_archive (419-424)
  • create_deep_nested_archive (427-440)
  • create_path_traversal_archive (405-416)
  • new (60-75)
  • default (53-55)
  • invalid_metadata_json (354-360)
  • invalid_policy_syntax (363-366)
  • minimal_valid (294-300)
jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (1)
  • from_buffer (155-158)
jans-cedarling/cedarling/src/tests/policy_store_loader.rs (3)
jans-cedarling/cedarling/src/tests/utils/cedarling_util.rs (1)
  • get_cedarling_with_callback (51-61)
jans-cedarling/cedarling/src/common/policy_store/test_utils.rs (3)
  • new (60-75)
  • minimal_valid (294-300)
  • default (53-55)
jans-cedarling/cedarling/src/common/policy_store/loader.rs (1)
  • load_policy_store_archive_bytes (128-135)
jans-cedarling/cedarling/src/common/policy_store/log_entry.rs (3)
jans-cedarling/cedarling/src/log/memory_logger/mod.rs (1)
  • log (106-121)
jans-cedarling/cedarling/src/log/log_strategy.rs (1)
  • new (37-60)
jans-cedarling/cedarling/src/log/log_entry.rs (1)
  • new_opt_request_id (424-440)
jans-cedarling/bindings/cedarling_wasm/src/lib.rs (1)
jans-cedarling/cedarling/src/bootstrap_config/decode.rs (1)
  • from_raw_config (42-158)
jans-cedarling/cedarling/src/log/log_strategy.rs (3)
jans-cedarling/cedarling/src/common/app_types.rs (1)
  • new (19-22)
jans-cedarling/cedarling/src/lib.rs (1)
  • new (114-156)
jans-cedarling/cedarling/src/log/stdout_logger/native_logger.rs (2)
  • new (23-28)
  • new (90-94)
jans-cedarling/cedarling/src/lib.rs (4)
jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (2)
  • validate_required_claims (324-331)
  • validate_required_claims (351-375)
jans-cedarling/cedarling/src/init/service_factory.rs (1)
  • policy_store (55-62)
jans-cedarling/cedarling/src/common/policy_store/validator.rs (4)
  • name (153-155)
  • id (148-150)
  • version (163-165)
  • cedar_version (143-145)
jans-cedarling/cedarling/src/log/log_entry.rs (1)
  • new_with_data (51-60)
jans-cedarling/cedarling/src/common/app_types.rs (2)
jans-cedarling/cedarling/src/lib.rs (1)
  • new (114-156)
jans-cedarling/cedarling/src/log/log_strategy.rs (1)
  • new (37-60)
jans-cedarling/cedarling/src/jwt/mod.rs (1)
jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (4)
  • validate_required_claims (324-331)
  • validate_required_claims (351-375)
  • with_logger (161-198)
  • key_service (478-480)
jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (2)
jans-cedarling/cedarling/src/jwt/token_cache.rs (1)
  • cache_duration (131-158)
jans-cedarling/cedarling/src/jwt/key_service.rs (1)
  • has_keys (157-159)
jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs (2)
jans-cedarling/cedarling/src/common/policy_store/loader.rs (2)
  • new (195-197)
  • load_manifest (353-374)
jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs (2)
  • new (81-84)
  • new (164-167)
🪛 markdownlint-cli2 (0.18.1)
jans-cedarling/bindings/cedarling_wasm/README.md

73-73: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


75-75: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


81-81: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


271-271: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


284-284: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


296-296: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

docs/cedarling/tutorials/python.md

104-104: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


115-115: Ordered list item prefix
Expected: 1; Actual: 5; Style: 1/1/1

(MD029, ol-prefix)


117-117: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


122-122: Ordered list item prefix
Expected: 1; Actual: 6; Style: 1/1/1

(MD029, ol-prefix)

jans-cedarling/bindings/cedarling_go/README.md

289-289: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


@coderabbitai coderabbitai bot left a comment


Review continued from previous batch...

@mo-auto mo-auto added area-documentation Documentation needs to change as part of issue or PR comp-docs Touching folder /docs comp-jans-cedarling Touching folder /jans-cedarling kind-feature Issue or PR is a new feature request labels Jan 1, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

♻️ Duplicate comments (3)
jans-cedarling/cedarling/src/jwt/mod.rs (2)

163-165: Clone is acceptable for initialization code.

The clone here was previously discussed and accepted for initialization code. If performance becomes a concern in hot paths, this could be revisited to iterate once and build both data structures.


354-378: Debug logging for fallback path has been addressed.

The debug logging when falling back to legacy issuer lookup was added in commit 5d901e6 per previous review feedback. This improves observability when the new trusted issuer validator doesn't match as expected.

jans-cedarling/cedarling/src/common/policy_store/loader.rs (1)

94-99: Consider manifest validation for archive-based loading.

Both load_policy_store_archive (lines 94-99) and load_policy_store_archive_bytes (lines 128-135) load archives without validating the manifest, while load_policy_store_directory (lines 46-56) does validate manifests when present. This inconsistency could allow corrupted or tampered archives to be loaded without integrity checks.

🔎 Proposed fix

Add manifest validation similar to directory loading:

     tokio::task::spawn_blocking(move || {
         use super::archive_handler::ArchiveVfs;
         let archive_vfs = ArchiveVfs::from_file(&path)?;
         let loader = DefaultPolicyStoreLoader::new(archive_vfs);
-        loader.load_directory(".")
+        let loaded = loader.load_directory(".")?;
+        
+        // Note: For archive-based stores, manifest validation may need
+        // a different approach than PhysicalVfs, or document why it's skipped
+        // For now, we defer to the caller or document the limitation
+        
+        Ok(loaded)
     })
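
Review bot: The `+` lines inside the `spawn_blocking` closure do not validate anything. `let loaded = loader.load_directory(".")?;` followed by `Ok(loaded)` behaves the same as the removed `loader.load_directory(".")`, and the only other addition is a comment. If the goal is parity with `load_policy_store_directory`, the manifest check has to be called here and its failure returned as an error. If validation is deliberately skipped for archives, say so in the function's doc comment instead of an inline note that defers the decision.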

And similarly for load_policy_store_archive_bytes:

 pub fn load_policy_store_archive_bytes(
     bytes: Vec<u8>,
 ) -> Result<LoadedPolicyStore, PolicyStoreError> {
     use super::archive_handler::ArchiveVfs;
     let archive_vfs = ArchiveVfs::from_buffer(bytes)?;
     let loader = DefaultPolicyStoreLoader::new(archive_vfs);
-    loader.load_directory(".")
+    let loaded = loader.load_directory(".")?;
+    
+    // Note: Manifest validation for archive-based stores may require
+    // VFS-specific implementation or be intentionally skipped
+    
+    Ok(loaded)
 }
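
Review bot: `bytes` is moved into `ArchiveVfs::from_buffer(bytes)` on the second line of the body, so once a real manifest check is added after `load_directory(".")` there is no buffer left to build a validator VFS from. Clone the buffer before that call, or have the validator borrow the VFS that the loader already holds. As written, the added lines only insert a comment and the archive is still returned unchecked.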

Note: If manifest validation is intentionally skipped for archives (e.g., because the ZIP format itself provides integrity), this should be documented in the function docs or as a comment to clarify the design decision.

Also applies to: 128-135

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d901e6 and e6710f2.

📒 Files selected for processing (5)
  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
🧰 Additional context used
📓 Path-based instructions (2)
jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
jans-cedarling/**/*test*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*test*.rs: Use test_utils crate for shared test helpers
Include both positive and negative test cases in test files
For error checking in tests, use assert!(matches!(...), "explicit comment") instead of assert!(result.is_err())
Use expect_err("explicit comment") instead of panic() in tests
Always include explicit comments explaining what error is expected in test assertions

Files:

  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
🧠 Learnings (28)
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-11-28T05:59:26.842Z
Learnt from: haileyesus2433
Repo: JanssenProject/jans PR: 12455
File: jans-cedarling/cedarling/src/jwt/mod.rs:143-145
Timestamp: 2025-11-28T05:59:26.842Z
Learning: In jans-cedarling JWT service, the local-JWKS-only configuration (no trusted issuers) loads keys but does not initialize validators. This means signed tokens will hit ValidateJwtError::MissingValidator and be skipped. This is acceptable as the intended use case is authorize_unsigned. Validator setup for JWKS-only signed authorization is planned for future implementation.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
📚 Learning: 2025-12-17T13:07:08.750Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:07:08.750Z
Learning: When reviewing components like `jans-auth`, `jans-fido2`, `jans-lock` in the JanssenProject/jans repository, raise issues about missing property descriptions in API model classes, as these descriptions will be reflected in the auto-generated Swagger specifications.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
📚 Learning: 2025-12-04T12:17:12.662Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12797
File: jans-cedarling/AGENTS.md:82-88
Timestamp: 2025-12-04T12:17:12.662Z
Learning: In the jans-cedarling project, the AGENTS.md file is AI-generated and used only by AI agents, so markdown linting issues (such as MD031, MD040) for this file can be ignored during code reviews.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T14:10:48.131Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-24T14:16:17.748Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-01T00:02:51.580Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Leverage serde for serialization/deserialization in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-26T17:33:14.632Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:14.632Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : For error checking in tests, use `assert!(matches!(...), "explicit comment")` instead of `assert!(result.is_err())`

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use `expect_err("explicit comment")` instead of `panic()` in tests

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/log_entry.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/src/tests/**/*.rs : Place integration tests in src/tests/ directory

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use typed-builder crate for complex struct construction

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use PascalCase for types, traits, and enums in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use snake_case for variables, functions, and modules in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use smol_str for string optimization where appropriate in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
🧬 Code graph analysis (2)
jans-cedarling/cedarling/src/common/policy_store/log_entry.rs (3)
jans-cedarling/cedarling/src/lib.rs (1)
  • new (115-161)
jans-cedarling/cedarling/src/log/log_strategy.rs (1)
  • new (40-67)
jans-cedarling/cedarling/src/log/log_entry.rs (1)
  • new_system_opt_request_id (420-422)
jans-cedarling/cedarling/src/common/policy_store/loader.rs (4)
jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (2)
  • from_file (118-139)
  • from_reader (70-97)
jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs (2)
  • new (48-55)
  • new (92-94)
jans-cedarling/cedarling/src/common/policy_store/validator.rs (1)
  • parse_and_validate (125-137)
jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs (3)
  • parse_policies (134-149)
  • parse_policy (52-85)
  • parse_template (93-128)
🔇 Additional comments (9)
jans-cedarling/cedarling/src/common/policy_store/log_entry.rs (5)

1-11: LGTM! License header and import ordering are correct.

The Apache 2.0 license header is properly formatted with Gluu, Inc. copyright attribution, and the imports are correctly grouped with external crates (serde) first, followed by a blank line, then internal modules.


13-19: LGTM! Clean struct design with appropriate derives.

The struct properly embeds BaseLogEntry with serde(flatten) for seamless serialization, and derives Serialize and Clone for logging infrastructure integration.


21-56: LGTM! Well-documented constructors with clear use cases.

The constructors properly integrate with the logging framework:

  • new() provides flexible log level control with a sensible TRACE default
  • info() and warn() convenience helpers reduce boilerplate for common scenarios
  • Documentation effectively explains "why" each constructor exists and when to use them
  • Constructor correctly calls BaseLogEntry::new_system_opt_request_id with unwrapped level

Based on learnings: The documentation follows Rust conventions by focusing on "why" rather than "what" and avoids Python-style doc sections.


58-76: LGTM! Trait implementations correctly delegate to base.

The Loggable and Indexed trait implementations appropriately delegate to the embedded BaseLogEntry, maintaining the logging framework's interface contracts.


78-102: LGTM! Test coverage is appropriate for the public API.

The tests verify all three public constructors (new, info, warn) and confirm both message content and log level behavior. Coverage is adequate for this delegation-based struct.

jans-cedarling/cedarling/src/jwt/mod.rs (4)

79-86: LGTM: Public API expansion aligns with PR objectives.

The visibility change for test_utils to pub(crate) follows the test utilities pattern. The new public re-exports of TrustedIssuerValidator, TrustedIssuerError, and validate_required_claims appropriately expose the trusted issuer validation subsystem as part of the PR's goal to support the new Policy Store format with trusted issuer validation.

Based on learnings, using test_utils crate for shared test helpers is the established pattern.


114-115: LGTM: Field addition is well-documented.

The new trusted_issuer_validator field is properly documented and integrates cleanly into the JwtService structure.


219-222: LGTM: Validator initialization is correct.

The TrustedIssuerValidator is properly initialized with the cloned trusted issuers map and logger reference.


383-427: LGTM: Required claims validation is correctly implemented.

The required claims validation logic is well-structured and correctly implements the policy-driven validation requirements:

  • Properly skips validation for StatusList tokens
  • Retrieves token metadata from the trusted issuer configuration based on token type
  • The comment at lines 397-402 helpfully clarifies that this is the single point where policy-driven required claims validation occurs (distinct from standard JWT validation)
  • Error handling appropriately converts TrustedIssuerError to ValidateJwtError
  • Uses the logger API correctly for WASM compatibility

Based on learnings, the logger API is used correctly (avoiding println!/eprintln! which don't work in WASM builds).

- Updated methods in `archive_handler` to return `Result` types for better error handling, including mutex lock errors.
- Added a new error type `FileReadError` to provide more context when file reading fails.
- Improved test assertions for clarity and added error messages for better debugging.
- Enhanced comments in the policy parser for better understanding of ID extraction logic.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (3)
jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs (2)

93-93: Fix incomplete documentation sentence.

Similar to the issue in parse_policy, line 93 contains the incomplete sentence "the ID to `Template::parse()` based on annotation or filename."

🔎 Proposed fix
 /// Parse a single template from Cedar policy text.
 ///
 /// Templates support slots (e.g., ?principal) and are parsed similarly to policies.
 /// The template ID is extracted from @id() annotation or derived from filename.
 ///
-/// the ID to `Template::parse()` based on annotation or filename.
+/// The method passes the derived ID to `Template::parse()` for Cedar engine validation.
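
Review bot: In the replacement line, "the derived ID" covers only the filename case, while the line above it says the ID is "extracted from @id() annotation or derived from filename". Word it so both sources are included, for example "Passes the ID taken from the annotation or the filename to `Template::parse()`." The phrase "for Cedar engine validation" describes behaviour that is not visible in this hunk and should be dropped unless the function body confirms it.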

51-52: Fix incomplete documentation sentence.

The sentence "Pass the ID to `Policy::parse()` using the annotation or the filename (without the .cedar extension)." is grammatically incomplete—it lacks a subject.

🔎 Proposed fix
 /// Parse a single policy from Cedar policy text.
 ///
 /// The policy ID is determined by:
 /// 1. Extracting from @id() annotation in the policy text, OR
 /// 2. Deriving from the filename (without .cedar extension)
 ///
-/// Pass the ID to `Policy::parse()` using the annotation or the filename (without
-/// the .cedar extension).
+/// The method passes the derived ID to `Policy::parse()` for Cedar engine validation.
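
Review bot: The numbered list joins the two ID sources with "OR", and the new sentence still does not say which one wins when the policy text carries an `@id()` annotation. State the precedence in the doc comment (annotation first, filename as the fallback, if that is what the code does) so a reader can tell which ID a given file ends up with.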
jans-cedarling/cedarling/src/common/policy_store/loader.rs (1)

82-109: Add manifest validation for archive loading.

This function loads a .cjar archive but does not validate the manifest when present (lines 94-99). In contrast, load_policy_store_directory validates the manifest (lines 54-56), and load_policy_store_archive_bytes validates it as well (lines 139-155). This inconsistency means archives loaded from files bypass integrity checks that directory-based stores receive, creating a security gap for archives from untrusted sources.

🔎 Proposed fix
     tokio::task::spawn_blocking(move || {
         use super::archive_handler::ArchiveVfs;
         let archive_vfs = ArchiveVfs::from_file(&path)?;
         let loader = DefaultPolicyStoreLoader::new(archive_vfs);
-        loader.load_directory(".")
+        let loaded = loader.load_directory(".")?;
+
+        // Validate manifest if present (same pattern as load_policy_store_archive_bytes)
+        if let Some(ref _manifest) = loaded.manifest {
+            use super::manifest_validator::ManifestValidator;
+            let validator_vfs = super::archive_handler::ArchiveVfs::from_file(&path)?;
+            let validator = ManifestValidator::new(validator_vfs, std::path::PathBuf::from("."));
+            let result = validator.validate(Some(&loaded.metadata.policy_store.id));
+
+            if !result.is_valid {
+                if let Some(error) = result.errors.first() {
+                    return Err(PolicyStoreError::ManifestError {
+                        err: error.error_type.clone(),
+                    });
+                }
+            }
+        }
+
+        Ok(loaded)
     })
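
Review bot: The `if !result.is_valid` branch fails open. When `result.errors.first()` is `None`, control falls through to `Ok(loaded)` even though the validator reported the store as invalid; return an error unconditionally inside that branch and use `errors.first()` only to choose the message. Three smaller points: the archive is opened a second time with `ArchiveVfs::from_file(&path)`, so the content that is validated is not guaranteed to be the content that was loaded if the file changes in between; only the first entry of `result.errors` is reported and the rest are discarded; and `if let Some(ref _manifest) = loaded.manifest` can be `if loaded.manifest.is_some()`.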
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between e6710f2 and 06d8cb6.

📒 Files selected for processing (7)
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
🧰 Additional context used
📓 Path-based instructions (2)
jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
jans-cedarling/**/*test*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*test*.rs: Use test_utils crate for shared test helpers
Include both positive and negative test cases in test files
For error checking in tests, use assert!(matches!(...), "explicit comment") instead of assert!(result.is_err())
Use expect_err("explicit comment") instead of panic() in tests
Always include explicit comments explaining what error is expected in test assertions

Files:

  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
🧠 Learnings (35)
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer Result<T, E> over panics for error handling

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use `expect_err("explicit comment")` instead of `panic()` in tests

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : For error checking in tests, use `assert!(matches!(...), "explicit comment")` instead of `assert!(result.is_err())`

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T14:10:48.131Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Leverage serde for serialization/deserialization in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use PascalCase for types, traits, and enums in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use snake_case for variables, functions, and modules in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include context in error messages for better debugging

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use 4-space indentation (no tabs) in all Rust code

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use thiserror crate for custom error types

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
📚 Learning: 2025-12-04T12:17:12.662Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12797
File: jans-cedarling/AGENTS.md:82-88
Timestamp: 2025-12-04T12:17:12.662Z
Learning: In the jans-cedarling project, the AGENTS.md file is AI-generated and used only by AI agents, so markdown linting issues (such as MD031, MD040) for this file can be ignored during code reviews.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-01T00:02:51.580Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run specific test files using `cargo test -p cedarling --test authorize_unsigned` format

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use derive_more crate for error derivation when needed

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
📚 Learning: 2025-12-26T17:33:14.632Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:14.632Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/errors.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/src/tests/**/*.rs : Place integration tests in src/tests/ directory

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run main crate tests with `cargo test -p cedarling`

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use SCREAMING_SNAKE_CASE for constants in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use smol_str for string optimization where appropriate in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-24T14:16:17.748Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-11-28T05:59:26.842Z
Learnt from: haileyesus2433
Repo: JanssenProject/jans PR: 12455
File: jans-cedarling/cedarling/src/jwt/mod.rs:143-145
Timestamp: 2025-11-28T05:59:26.842Z
Learning: In jans-cedarling JWT service, the local-JWKS-only configuration (no trusted issuers) loads keys but does not initialize validators. This means signed tokens will hit ValidateJwtError::MissingValidator and be skipped. This is acceptable as the intended use case is authorize_unsigned. Validator setup for JWKS-only signed authorization is planned for future implementation.

Applied to files:

  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
🧬 Code graph analysis (3)
jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (1)
jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs (16)
  • read_file (48-53)
  • exists (59-59)
  • exists (134-138)
  • exists (248-252)
  • is_dir (62-62)
  • is_dir (140-146)
  • is_dir (254-260)
  • is_file (67-67)
  • is_file (148-154)
  • is_file (262-268)
  • read_dir (56-56)
  • read_dir (112-132)
  • read_dir (226-246)
  • open_file (42-42)
  • open_file (104-110)
  • open_file (218-224)
jans-cedarling/cedarling/src/common/policy_store/loader_tests.rs (7)
jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (1)
  • create_test_archive (392-408)
jans-cedarling/cedarling/src/common/policy_store/loader.rs (5)
  • default (700-702)
  • new (218-220)
  • new_physical (228-230)
  • parse_policies (666-675)
  • create_policy_set (690-695)
jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs (3)
  • default (77-79)
  • new (48-55)
  • new (92-94)
jans-cedarling/cedarling/src/common/policy_store.rs (3)
  • default (240-256)
  • default (261-265)
  • new (445-463)
jans-cedarling/cedarling/src/common/policy_store/policy_parser.rs (2)
  • parse_policies (135-150)
  • create_policy_set (156-183)
jans-cedarling/cedarling/src/common/policy_store/schema_parser.rs (1)
  • parse_schema (70-92)
jans-cedarling/cedarling/src/common/policy_store/entity_parser.rs (2)
  • parse_entities (150-183)
  • create_entities_store (247-256)
jans-cedarling/cedarling/src/common/policy_store/manifest_validator.rs (2)
jans-cedarling/cedarling/src/common/policy_store/loader.rs (2)
  • new (218-220)
  • load_manifest (384-405)
jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs (2)
  • new (82-85)
  • new (171-174)
🔇 Additional comments (9)
jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (1)

251-273: Previous review feedback properly addressed.

The code correctly implements the fixes from previous reviews:

  1. Endpoint-specific JWKS loading (lines 257-268): Now checks `self.keys_fetch_time.get(endpoint_str)` for each issuer endpoint individually instead of using global `has_keys()`, ensuring multiple issuers load their keys correctly.

  2. Security-first validation order (line 462): Required claims validation executes after JWT signature verification (line 458), preventing information leakage about claim requirements to attackers with invalid signatures.

The implementation now follows defense-in-depth principles and correctly handles multi-issuer scenarios.

Also applies to: 379-465

jans-cedarling/cedarling/src/common/policy_store/loader.rs (8)

1-5: LGTM!

License header is correctly formatted with Apache 2.0 license and copyright attribution to Gluu, Inc.


21-27: LGTM!

Imports are correctly ordered: standard library imports first, then internal module imports. This follows the project's import conventions.


28-69: LGTM!

The native directory loading implementation correctly:

  • Uses `spawn_blocking` to offload blocking filesystem I/O from the async runtime
  • Validates the manifest when present (lines 54-56)
  • Handles errors comprehensively, including panic recovery from the blocking task

160-204: LGTM!

Data structures are well-designed with clear field names, appropriate derives, and consistent patterns. The use of `String` for file names and content is reasonable and straightforward.


206-298: LGTM!

The loader implementation is well-structured:

  • Generic design over `VfsFileSystem` enables different storage backends
  • `PhysicalVfs`-specific convenience constructors are appropriately gated
  • Logger handling (lines 286-294) correctly checks for `Some` before calling `log_any`, avoiding the compilation error flagged in previous reviews
  • Manifest validation methods provide flexibility with and without logging

300-656: LGTM!

The loader methods demonstrate solid implementation quality:

  • Consistent error handling with rich context (file paths, expected extensions)
  • Proper validation of directory structure, file extensions, and UTF-8 content
  • Graceful handling of optional directories (templates, entities, trusted-issuers)
  • Recursive policy loading supports nested directory structures
  • The main `load_directory` method orchestrates all components cleanly

658-703: LGTM!

Test-only helper methods are properly gated with `#[cfg(test)]` and provide convenient wrappers for policy parsing in tests. The `Default` implementation for `PhysicalVfs` appropriately delegates to `new_physical()` and is correctly restricted to native platforms.


122-158: Clarify that manifest validation is intentionally unavailable on WASM.

Manifest validation is not performed in WASM (line 140: `#[cfg(not(target_arch = "wasm32"))]`) because `ManifestValidator` itself is gated for non-WASM platforms and does not exist in WASM builds. This is an intentional architectural decision, not a compilation workaround.

However, this creates a potential security gap: the function documentation claims it's useful for "WASM environments," yet archives loaded on WASM bypass integrity validation entirely. Since WASM archives may originate from untrusted sources (e.g., URLs), consider whether validation should be enabled for WASM as well. The validation logic itself (hex, SHA-256 checksums) should be compatible with WASM.
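
The integrity check discussed in the comment above, as an added example (not code from this PR or from the project): every file named in a manifest must hash to its pinned SHA-256 digest before the store is accepted. The manifest shape (path mapped to a hex digest), the `IntegrityError` names, the sample path and the rejection of unlisted files are assumptions of this example; it uses only `std`, so nothing in it depends on a native target.

```rust
use std::collections::BTreeMap;

// SHA-256 round constants (FIPS 180-4).
const K: [u32; 64] = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
];

/// Plain-`std` SHA-256, so the example needs no crate and no platform-specific code.
fn sha256(data: &[u8]) -> [u8; 32] {
    let mut h: [u32; 8] = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                           0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];
    // Padding: 0x80, zeros up to 56 mod 64, then the bit length as a big-endian u64.
    let mut msg = data.to_vec();
    msg.push(0x80);
    while msg.len() % 64 != 56 { msg.push(0); }
    msg.extend_from_slice(&((data.len() as u64) * 8).to_be_bytes());
    for block in msg.chunks(64) {
        let mut w = [0u32; 64];
        for i in 0..16 {
            w[i] = u32::from_be_bytes([block[4 * i], block[4 * i + 1], block[4 * i + 2], block[4 * i + 3]]);
        }
        for i in 16..64 {
            let s0 = w[i - 15].rotate_right(7) ^ w[i - 15].rotate_right(18) ^ (w[i - 15] >> 3);
            let s1 = w[i - 2].rotate_right(17) ^ w[i - 2].rotate_right(19) ^ (w[i - 2] >> 10);
            w[i] = w[i - 16].wrapping_add(s0).wrapping_add(w[i - 7]).wrapping_add(s1);
        }
        let mut v = h;
        for i in 0..64 {
            let s1 = v[4].rotate_right(6) ^ v[4].rotate_right(11) ^ v[4].rotate_right(25);
            let ch = (v[4] & v[5]) ^ (!v[4] & v[6]);
            let t1 = v[7].wrapping_add(s1).wrapping_add(ch).wrapping_add(K[i]).wrapping_add(w[i]);
            let s0 = v[0].rotate_right(2) ^ v[0].rotate_right(13) ^ v[0].rotate_right(22);
            let maj = (v[0] & v[1]) ^ (v[0] & v[2]) ^ (v[1] & v[2]);
            let t2 = s0.wrapping_add(maj);
            v = [t1.wrapping_add(t2), v[0], v[1], v[2], v[3].wrapping_add(t1), v[4], v[5], v[6]];
        }
        for i in 0..8 { h[i] = h[i].wrapping_add(v[i]); }
    }
    let mut out = [0u8; 32];
    for (i, word) in h.iter().enumerate() { out[4 * i..4 * i + 4].copy_from_slice(&word.to_be_bytes()); }
    out
}

/// Hypothetical error type for this example; each variant carries the offending path.
#[derive(Debug, PartialEq)]
enum IntegrityError {
    MalformedChecksum(String), // digest is not exactly 64 hex characters
    Missing(String),           // listed in the manifest, absent from the archive
    Mismatch(String),          // content does not hash to the pinned digest
    Unlisted(String),          // present in the archive, absent from the manifest
}

// Strict decoder: `from_str_radix` alone would accept a leading '+', so check the alphabet first.
fn decode_hex32(s: &str) -> Option<[u8; 32]> {
    if s.len() != 64 || !s.bytes().all(|b| b.is_ascii_hexdigit()) { return None; }
    let mut out = [0u8; 32];
    for i in 0..32 {
        out[i] = u8::from_str_radix(&s[2 * i..2 * i + 2], 16).ok()?;
    }
    Some(out)
}

/// Accept the store only if every manifest entry matches and nothing extra was slipped in.
fn verify_manifest(
    manifest: &BTreeMap<String, String>,
    files: &BTreeMap<String, Vec<u8>>,
) -> Result<(), IntegrityError> {
    for (path, hex) in manifest {
        let expected = decode_hex32(hex).ok_or_else(|| IntegrityError::MalformedChecksum(path.clone()))?;
        let content = files.get(path).ok_or_else(|| IntegrityError::Missing(path.clone()))?;
        if sha256(content) != expected { return Err(IntegrityError::Mismatch(path.clone())); }
    }
    // Assumption of this example: a file the manifest does not pin is treated as tampering.
    if let Some(extra) = files.keys().find(|p| !manifest.contains_key(*p)) {
        return Err(IntegrityError::Unlisted(extra.clone()));
    }
    Ok(())
}

fn to_hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

fn main() {
    // Constructed sample store: one policy file and a manifest that pins its digest.
    let policy = b"permit(principal, action, resource);".to_vec();
    let manifest = BTreeMap::from([("policies/allow.cedar".to_string(), to_hex(&sha256(&policy)))]);
    let mut files = BTreeMap::from([("policies/allow.cedar".to_string(), policy)]);
    assert_eq!(verify_manifest(&manifest, &files), Ok(()));
    // A single flipped bit in the archive content must be caught.
    files.get_mut("policies/allow.cedar").unwrap()[0] ^= 1;
    assert_eq!(verify_manifest(&manifest, &files), Err(IntegrityError::Mismatch("policies/allow.cedar".into())));
}
```
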

…or handling

- Updated the benchmark for ZIP archive parsing to use `iter_batched` for better performance measurement.
- Enhanced error handling in the `archive_handler` tests to use `expect` for clearer failure messages.
- Adjusted the issuer parser tests to accept empty token metadata for JWKS-only configurations, improving validation logic.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 06d8cb6 and 7027984.

📒 Files selected for processing (4)
  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
🧰 Additional context used
📓 Path-based instructions (1)
jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
🧠 Learnings (28)
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run benchmarks using `cargo bench -p cedarling`

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-26T17:33:14.632Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:14.632Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Enforce maximum line width of 100 characters in Rust code

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use smol_str for string optimization where appropriate in Rust

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use 4-space indentation (no tabs) in all Rust code

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
📚 Learning: 2025-12-04T12:17:12.662Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12797
File: jans-cedarling/AGENTS.md:82-88
Timestamp: 2025-12-04T12:17:12.662Z
Learning: In the jans-cedarling project, the AGENTS.md file is AI-generated and used only by AI agents, so markdown linting issues (such as MD031, MD040) for this file can be ignored during code reviews.

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-01T00:02:51.580Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
📚 Learning: 2025-12-10T14:10:48.131Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

  • jans-cedarling/cedarling/benches/policy_store_benchmark.rs
  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-11-28T05:59:26.842Z
Learnt from: haileyesus2433
Repo: JanssenProject/jans PR: 12455
File: jans-cedarling/cedarling/src/jwt/mod.rs:143-145
Timestamp: 2025-11-28T05:59:26.842Z
Learning: In jans-cedarling JWT service, the local-JWKS-only configuration (no trusted issuers) loads keys but does not initialize validators. This means signed tokens will hit ValidateJwtError::MissingValidator and be skipped. This is acceptable as the intended use case is authorize_unsigned. Validator setup for JWKS-only signed authorization is planned for future implementation.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-17T13:07:08.750Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:07:08.750Z
Learning: When reviewing components like `jans-auth`, `jans-fido2`, `jans-lock` in the JanssenProject/jans repository, raise issues about missing property descriptions in API model classes, as these descriptions will be reflected in the auto-generated Swagger specifications.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use `expect_err("explicit comment")` instead of `panic()` in tests

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer Result<T, E> over panics for error handling

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : For error checking in tests, use `assert!(matches!(...), "explicit comment")` instead of `assert!(result.is_err())`

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include context in error messages for better debugging

Applied to files:

  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
🧬 Code graph analysis (3)
jans-cedarling/cedarling/benches/policy_store_benchmark.rs (2)
jans-cedarling/cedarling/src/common/policy_store/loader.rs (2)
  • new (218-220)
  • default (700-702)
jans-cedarling/cedarling/src/common/policy_store/test_utils.rs (2)
  • new (60-75)
  • default (53-55)
jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (1)
jans-cedarling/cedarling/src/common/policy_store/vfs_adapter.rs (20)
  • new (82-85)
  • new (171-174)
  • read_file (48-53)
  • exists (59-59)
  • exists (134-138)
  • exists (248-252)
  • is_dir (62-62)
  • is_dir (140-146)
  • is_dir (254-260)
  • is_file (67-67)
  • is_file (148-154)
  • is_file (262-268)
  • read_dir (56-56)
  • read_dir (112-132)
  • read_dir (226-246)
  • open_file (42-42)
  • open_file (104-110)
  • open_file (218-224)
  • default (97-99)
  • default (211-213)
jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (1)
jans-cedarling/cedarling/src/jwt/key_service.rs (1)
  • has_keys (157-159)
🔇 Additional comments (16)
jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (3)

1-28: License header, module documentation, and imports look good.

The Apache 2.0 license header with Gluu, Inc. copyright is present. The module documentation clearly explains WASM compatibility and the purpose of this VFS implementation. Imports follow the codebase patterns with std first, then external crates.


70-97: Proper path traversal prevention using enclosed_name().

The implementation correctly uses the zip crate's enclosed_name() method to validate paths, which handles path traversal, backslashes, absolute paths, and Windows drive letters. This is the secure approach recommended by the zip crate documentation.


117-139: Native-only file loading with extension validation looks good.

The #[cfg(not(target_arch = "wasm32"))] gate is appropriate since file system access isn't available in WASM. Extension validation ensures only .cjar files are loaded through this path. Error handling properly captures the source IO error.

jans-cedarling/cedarling/benches/policy_store_benchmark.rs (6)

1-51: License header, imports, and constants are well-structured.

The Apache 2.0 license header is present. Constants are appropriately defined as byte slices for efficient archive writing. The different schema variants (basic vs. with attributes) support the varying benchmark scenarios.


52-94: Well-designed helper functions for benchmark setup.

The start_policy_store_archive helper properly extracts common archive bootstrap logic. The parse_archive function efficiently measures I/O overhead using io::copy to sink rather than allocating buffers. Good use of black_box to prevent compiler optimizations.


96-161: Archive creation helpers are well-implemented.

The policy and entity archive creators properly use the extracted start_policy_store_archive helper. The entity batching strategy (500 per file) is reasonable for preventing excessively large JSON files. The concat! macro usage keeps format strings readable while avoiding line length issues.


167-182: Correct use of iter_batched to exclude setup overhead.

The benchmark correctly uses iter_batched with BatchSize::PerIteration to exclude the archive.clone() cost from measurements. This ensures the benchmark accurately measures only ZIP parsing overhead.


199-241: Parsing benchmarks efficiently reuse archive data.

The archive is created once per test case (outside the benchmark loop), and parse_archive operates on a borrowed slice without cloning. This correctly measures only the parsing overhead without archive creation cost.


243-302: Proper WASM/native conditional compilation for directory benchmarks.

The directory creation benchmark is correctly gated with #[cfg(not(target_arch = "wasm32"))]. The TempDir is passed to black_box to prevent premature cleanup before the benchmark iteration completes. The criterion groups are properly split for WASM vs native builds.

jans-cedarling/cedarling/src/common/policy_store/issuer_parser.rs (7)

1-16: LGTM!

License header is compliant. Module documentation is concise and clear. Imports follow the expected grouping pattern.


17-27: LGTM!

Clean data structure with appropriate derives and documentation for each field.


28-69: LGTM!

The namespace pattern using a unit struct is idiomatic. Error handling with contextual file information is well-implemented. Pre-allocation of the result vector is a good optimization.


71-137: LGTM!

Required field validation is well-structured with clear error messages. The optional handling of description and token_metadata aligns with the design for supporting JWKS-only configurations.


200-229: LGTM!

Duplicate detection logic is correct. The comment at lines 217-221 clearly documents the design decision to allow empty token_metadata for JWKS-only configurations, which aligns with the project's requirements for unsigned token authorization.


231-252: LGTM!

The Entry API usage is idiomatic Rust. The defensive duplicate handling with explanatory comments is appropriate. Pre-allocation optimizes performance.


254-611: LGTM!

Comprehensive test coverage including:

  • Happy path scenarios (simple issuer, token metadata, multiple issuers)
  • Error cases (missing fields, invalid URL, invalid JSON)
  • Validation scenarios (duplicates, empty token_metadata)
  • Map creation

The test_validate_issuers_no_token_metadata test correctly validates that empty token_metadata is accepted for JWKS-only configurations.
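The entry-name checks that the `archive_handler.rs` comment above credits to `enclosed_name()` (path traversal, backslashes, absolute paths, Windows drive letters), written out with only the standard library. This is an added example, not the project's code and not the zip crate's implementation; `EntryPathError`, the function names, the extraction root and the sample entry names are constructed for illustration, and refusing every `..` component outright is an assumption of this example.

```rust
use std::path::{Path, PathBuf};

/// Why an archive entry name was refused (type constructed for this example).
#[derive(Debug, PartialEq, Eq)]
pub enum EntryPathError {
    Empty,
    NulByte,
    Backslash,
    Absolute,
    DriveLetter,
    ParentComponent,
}

/// True for a component such as `C:` or `d:stuff`, which Windows reads as a drive prefix.
fn has_drive_prefix(part: &str) -> bool {
    let b = part.as_bytes();
    b.len() >= 2 && b[0].is_ascii_alphabetic() && b[1] == b':'
}

/// Turns an entry name read from an archive into a relative path built only
/// from normal components, or reports why the name is refused.
pub fn safe_entry_path(name: &str) -> Result<PathBuf, EntryPathError> {
    if name.is_empty() {
        return Err(EntryPathError::Empty);
    }
    if name.contains('\0') {
        return Err(EntryPathError::NulByte);
    }
    // ZIP entry names use '/' as the separator; a backslash would act as a
    // separator on Windows only, so it is refused outright.
    if name.contains('\\') {
        return Err(EntryPathError::Backslash);
    }
    if name.starts_with('/') {
        return Err(EntryPathError::Absolute);
    }
    let mut out = PathBuf::new();
    for part in name.split('/') {
        match part {
            // Empty and "." components carry no information; drop them.
            "" | "." => continue,
            ".." => return Err(EntryPathError::ParentComponent),
            p if has_drive_prefix(p) => return Err(EntryPathError::DriveLetter),
            p => out.push(p),
        }
    }
    if out.as_os_str().is_empty() {
        return Err(EntryPathError::Empty);
    }
    Ok(out)
}

/// Joins a validated entry name onto the extraction root.
pub fn resolve_under(root: &Path, name: &str) -> Result<PathBuf, EntryPathError> {
    let full = root.join(safe_entry_path(name)?);
    // Holds by construction: the relative part has no "..", root or prefix component.
    debug_assert!(full.starts_with(root));
    Ok(full)
}

/// Constructed entry names, as they might appear in an archive listing.
pub const SAMPLE_ENTRIES: &[&str] = &[
    "metadata.json",
    "policies/allow_read.cedar",
    "./schema.cedarschema",
    "../../etc/passwd",
    "policies/../../outside.cedar",
    "/etc/cron.d/job",
    "D:/data/policy.cedar",
    "policies\\evil.cedar",
    "entities/users.json\0.txt",
];

/// Returns every refused entry together with the reason.
pub fn rejected<'a>(entries: &[&'a str]) -> Vec<(&'a str, EntryPathError)> {
    entries
        .iter()
        .filter_map(|name| safe_entry_path(name).err().map(|e| (*name, e)))
        .collect()
}

fn main() {
    let root = Path::new("/var/lib/cedarling/store"); // constructed extraction root
    for name in SAMPLE_ENTRIES {
        match resolve_under(root, name) {
            Ok(p) => println!("accept {:?} -> {}", name, p.display()),
            Err(e) => println!("reject {:?}: {:?}", name, e),
        }
    }
}
```
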

…ructure

- Revised the schema definitions for policies and trusted issuers to improve clarity and enforce structure.
- Enhanced descriptions and types for various properties to ensure better understanding and validation.
- Removed redundant definitions and streamlined the schema for easier maintenance and readability.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 6

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7027984 and 96b86dc.

📒 Files selected for processing (1)
  • jans-cedarling/schema/policy_store_schema.json
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-12-17T13:07:08.750Z
Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:07:08.750Z
Learning: When reviewing components like `jans-auth`, `jans-fido2`, `jans-lock` in the JanssenProject/jans repository, raise issues about missing property descriptions in API model classes, as these descriptions will be reflected in the auto-generated Swagger specifications.

Applied to files:

  • jans-cedarling/schema/policy_store_schema.json
📚 Learning: 2025-12-17T13:08:11.604Z
Learnt from: dagregi
Repo: JanssenProject/jans PR: 12833
File: jans-cedarling/schema/minimal_policy_store.json:13-21
Timestamp: 2025-12-17T13:08:11.604Z
Learning: In jans-cedarling/schema/cedarling_core.cedarschema, the Access_token entity intentionally includes both a `scope?: Set<String>` attribute and `tags Set<String>` declaration. This dual approach is by design, allowing scope to be accessed either as an attribute or dynamically as a tag depending on the use case.

Applied to files:

  • jans-cedarling/schema/policy_store_schema.json
🔇 Additional comments (3)
jans-cedarling/schema/policy_store_schema.json (3)

80-103: LGTM!

The SchemaDefinition is well-structured with appropriate enums for encoding and content_type, sensible defaults, and strict validation via additionalProperties: false.


141-164: LGTM!

The PolicyContent definition is well-structured with clear documentation explaining the cedar limitation. Consistent design with SchemaDefinition.


165-196: LGTM!

The TrustedIssuer definition appropriately requires name and openid_configuration_endpoint, and correctly uses format: "uri" for endpoint validation. The token_metadata patternProperties provide consistent key validation.

coderabbitai bot previously approved these changes Jan 1, 2026
Signed-off-by: Haileyesus Ayanaw <85413826+haileyesus2433@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 96b86dc and 147fa75.

📒 Files selected for processing (2)
  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store.rs
🧰 Additional context used
📓 Path-based instructions (2)
jans-cedarling/**/Cargo.toml

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

Build all workspace members using cargo build --workspace

Files:

  • jans-cedarling/cedarling/Cargo.toml
jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
🧠 Learnings (27)
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run benchmarks using `cargo bench -p cedarling`

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Generate and view documentation with `cargo doc -p cedarling --no-deps --open`

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/Cargo.toml : Build all workspace members using `cargo build --workspace`

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run main crate tests with `cargo test -p cedarling`

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Leverage serde for serialization/deserialization in Rust

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-04T12:17:12.662Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12797
File: jans-cedarling/AGENTS.md:82-88
Timestamp: 2025-12-04T12:17:12.662Z
Learning: In the jans-cedarling project, the AGENTS.md file is AI-generated and used only by AI agents, so markdown linting issues (such as MD031, MD040) for this file can be ignored during code reviews.

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use smol_str for string optimization where appropriate in Rust

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-01T00:02:51.580Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

  • jans-cedarling/cedarling/Cargo.toml
  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-26T17:33:14.632Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:14.632Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use snake_case for variables, functions, and modules in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use PascalCase for types, traits, and enums in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use SCREAMING_SNAKE_CASE for constants in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include examples in docstrings for complex functionality

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-10-30T13:03:03.905Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12544
File: jans-cedarling/cedarling/src/tests/authorize_resource_entity.rs:65-109
Timestamp: 2025-10-30T13:03:03.905Z
Learning: In Rust, when `use tokio::test;` is present at the top of a file, the `#[test]` attribute refers to `tokio::test` (the async test macro), not the standard library's `#[test]`. This is a valid pattern for writing async tests with Tokio.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use thiserror crate for custom error types

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Build main cedarling crate using `cargo build -p cedarling`

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
📚 Learning: 2025-12-10T14:10:48.131Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store.rs
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)
  • GitHub Check: python_tests (3.11)
  • GitHub Check: python_tests (3.10)
  • GitHub Check: rust_tests
  • GitHub Check: golang_tests
  • GitHub Check: rust_benchmarks
  • GitHub Check: wasm_tests
  • GitHub Check: python_tests (3.10)
  • GitHub Check: python_tests (3.11)
  • GitHub Check: rust_tests
  • GitHub Check: wasm_tests
  • GitHub Check: rust_benchmarks
  • GitHub Check: golang_tests
🔇 Additional comments (5)
jans-cedarling/cedarling/src/common/policy_store.rs (4)

13-13: Verify intentional public exposure of test utilities.

The test_utils module is now pub instead of pub(crate), exposing test utilities to external consumers. If these utilities are only intended for internal testing, consider restricting visibility to pub(crate).

Based on learnings, test utilities should typically use the test_utils crate pattern for shared helpers within the project.


46-48: LGTM! Clear public API surface.

The re-exports are well-documented and appropriately expose the required types for external consumers and internal modules.


195-209: LGTM! Well-integrated metadata support.

The optional metadata field properly supports the new directory/archive format while maintaining backward compatibility with legacy stores. The documentation clearly explains when metadata is present.


476-504: LGTM! Constructors properly support format conversion.

The constructors correctly support converting from the new directory/archive format to the legacy format:

  • new() properly maps descriptions while creating empty policy content (consistent with the TODO about not needing raw content at runtime)
  • new_empty() handles cases without descriptions

Both implementations are straightforward and correct.

jans-cedarling/cedarling/Cargo.toml (1)

85-88: Benchmark file is properly implemented and ready for execution.

The policy_store_benchmark.rs file exists and is correctly structured with criterion benchmarks, appropriate use of tempfile for test data generation, and proper documentation.

coderabbitai bot previously approved these changes Jan 2, 2026
…agement

- Updated `CedarSchema` to use an optional `ValidatorSchema` for better compatibility with WebAssembly targets.
- Improved error handling in `archive_handler` by refining path validation and ensuring clearer error messages.
- Enhanced entity and issuer parsing tests to ensure proper validation and error reporting for invalid JSON structures.
- Streamlined logging conditions in the policy store loader for unlisted files.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
jans-cedarling/cedarling/src/jwt/status_list.rs (1)

178-178: Fix typo in documentation.

The word "stull" should be "still".

🔎 Proposed fix
-    /// Helper function to figure out if the JWT is stull valid based on it's status
+    /// Helper function to figure out if the JWT is still valid based on it's status
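Review bot: the `+` line still reads "based on it's status", where the possessive "its" is meant. Since this doc comment line is already being rewritten to fix "stull", change the ending to "based on its status" in the same edit so the line does not need a second pass.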
📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 147fa75 and ae74352.

📒 Files selected for processing (10)
  • jans-cedarling/cedarling/src/common/cedar_schema/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/init/service_factory.rs
  • jans-cedarling/cedarling/src/jwt/status_list.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
🧰 Additional context used
📓 Path-based instructions (2)
jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/cedar_schema/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/init/service_factory.rs
  • jans-cedarling/cedarling/src/jwt/status_list.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
jans-cedarling/**/*test*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*test*.rs: Use test_utils crate for shared test helpers
Include both positive and negative test cases in test files
For error checking in tests, use assert!(matches!(...), "explicit comment") instead of assert!(result.is_err())
Use expect_err("explicit comment") instead of panic() in tests
Always include explicit comments explaining what error is expected in test assertions

Files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
🧠 Learnings (36)
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use `expect_err("explicit comment")` instead of `panic()` in tests

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : For error checking in tests, use `assert!(matches!(...), "explicit comment")` instead of `assert!(result.is_err())`

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/status_list.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/src/tests/**/*.rs : Place integration tests in src/tests/ directory

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer Result<T, E> over panics for error handling

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include context in error messages for better debugging

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Use test_utils crate for shared test helpers

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run specific test files using `cargo test -p cedarling --test authorize_unsigned` format

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run main crate tests with `cargo test -p cedarling`

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Run benchmarks using `cargo bench -p cedarling`

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Leverage serde for serialization/deserialization in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/cedar_schema/mod.rs
📚 Learning: 2025-12-10T14:10:48.131Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/test.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/cedar_schema/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs
  • jans-cedarling/cedarling/src/common/policy_store/test_utils.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/init/service_factory.rs
  • jans-cedarling/cedarling/src/jwt/status_list.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/cedar_schema/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow Rust naming conventions as established by the language

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use thiserror crate for custom error types

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/cedar_schema/mod.rs
📚 Learning: 2025-12-04T12:17:12.662Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12797
File: jans-cedarling/AGENTS.md:82-88
Timestamp: 2025-12-04T12:17:12.662Z
Learning: In the jans-cedarling project, the AGENTS.md file is AI-generated and used only by AI agents, so markdown linting issues (such as MD031, MD040) for this file can be ignored during code reviews.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-26T17:33:20.543Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:20.543Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

  • jans-cedarling/cedarling/src/common/cedar_schema/mod.rs
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use PascalCase for types, traits, and enums in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/cedar_schema/mod.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use derive_more crate for error derivation when needed

Applied to files:

  • jans-cedarling/cedarling/src/common/cedar_schema/mod.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-01T00:02:51.580Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include examples in docstrings for complex functionality

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use 4-space indentation (no tabs) in all Rust code

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Enforce maximum line width of 100 characters in Rust code

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-11-28T05:59:26.842Z
Learnt from: haileyesus2433
Repo: JanssenProject/jans PR: 12455
File: jans-cedarling/cedarling/src/jwt/mod.rs:143-145
Timestamp: 2025-11-28T05:59:26.842Z
Learning: In jans-cedarling JWT service, the local-JWKS-only configuration (no trusted issuers) loads keys but does not initialize validators. This means signed tokens will hit ValidateJwtError::MissingValidator and be skipped. This is acceptable as the intended use case is authorize_unsigned. Validator setup for JWKS-only signed authorization is planned for future implementation.

Applied to files:

  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"

Applied to files:

  • jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs
  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-24T14:16:17.748Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use smol_str for string optimization where appropriate in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Prefer strong typing over stringly-typed APIs in Rust

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/loader.rs
🧬 Code graph analysis (3)
jans-cedarling/cedarling/src/common/policy_store/test.rs (2)
jans-cedarling/cedarling/src/common/policy_store/manager.rs (1)
  • parse_cedar_version (396-404)
jans-cedarling/cedarling/src/common/policy_store.rs (1)
  • parse_cedar_version (312-325)
jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs (2)
jans-cedarling/cedarling/src/common/policy_store/test_utils.rs (5)
  • create_corrupted_archive (418-423)
  • create_deep_nested_archive (426-439)
  • create_path_traversal_archive (404-415)
  • new (59-74)
  • default (52-54)
jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (2)
  • from_buffer (167-170)
  • from_file (129-150)
jans-cedarling/cedarling/src/init/service_factory.rs (3)
jans-cedarling/cedarling/src/common/policy_store.rs (1)
  • new (476-494)
jans-cedarling/cedarling/src/entity_builder/mod.rs (1)
  • new (62-93)
jans-cedarling/cedarling/src/lib.rs (1)
  • new (115-161)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)
  • GitHub Check: build-with-disabled-tests (jans-bom, true)
  • GitHub Check: run-tests (PGSQL)
  • GitHub Check: run-tests (MYSQL)
  • GitHub Check: python_tests (3.11)
  • GitHub Check: rust_tests
  • GitHub Check: python_tests (3.10)
  • GitHub Check: golang_tests
  • GitHub Check: golang_tests
  • GitHub Check: rust_benchmarks
  • GitHub Check: rust_tests
  • GitHub Check: rust_benchmarks
  • GitHub Check: wasm_tests
  • GitHub Check: python_tests (3.11)
  • GitHub Check: wasm_tests
  • GitHub Check: python_tests (3.10)
🔇 Additional comments (58)
jans-cedarling/cedarling/src/jwt/status_list.rs (1)

334-334: The TTL value change from 600 to 300 is correct. The MockServer::generate_status_list_endpoint method (jans-cedarling/cedarling/src/jwt/test_utils.rs, line 262) explicitly defaults to 300 seconds when the ttl parameter is None, as documented in the comment: "defaults to 5 mins if the ttl is None". The test assertion expecting Some(300) is accurate.

jans-cedarling/cedarling/src/common/cedar_schema/mod.rs (3)

6-7: LGTM! Correct conditional import for WASM compatibility.

The Extensions import is appropriately gated for non-wasm32 targets only, aligning with its usage at line 164 where ValidatorSchema is initialized.


53-53: LGTM! Clean WASM-compatible validator schema handling.

The Option<ValidatorSchema> approach correctly handles target differences:

  • Non-wasm32 targets populate the validator schema with full validation
  • wasm32 targets skip validator schema initialization (set to None)
  • Mutually exclusive cfg blocks ensure the field is always initialized

This maintains consistent API surface while accommodating WASM constraints.

Also applies to: 162-176


197-199: LGTM! Error variant correctly gated for non-WASM targets.

The ParseCedarSchemaJson error variant is appropriately conditional, matching its usage at line 168 where ValidatorSchema::from_json_str is called only on non-wasm32 targets.

jans-cedarling/cedarling/src/init/service_factory.rs (2)

14-16: LGTM! Clean metadata accessor for new policy store format.

The new policy_store_metadata() method appropriately:

  • Exposes PolicyStoreMetadata when available (directory/archive formats)
  • Returns Option to handle legacy formats that lack metadata
  • Includes clear documentation explaining availability

Also applies to: 64-70


115-115: LGTM! Correct Option handling for validator schema.

The change from &policy_store.schema.validator_schema to .as_ref() correctly adapts to the Option<ValidatorSchema> type introduced in cedar_schema/mod.rs. This properly converts to Option<&ValidatorSchema> as expected by EntityBuilder::new().

Also applies to: 119-119

jans-cedarling/cedarling/src/common/policy_store/test.rs (10)

88-96: LGTM!

The change from unwrap_err() to expect_err() with an explicit error message follows the project's test guidelines. The assertion clearly verifies that the error contains the expected base64 decoding failure message.

Based on learnings, as per coding guidelines for test files.


159-175: LGTM!

The error handling follows the project's test guidelines with expect_err() and explicit error messages. The assertions provide clear failure messages that identify both the failing policy ID and the specific syntax error.

Based on learnings, as per coding guidelines for test files.


196-228: LGTM!

All three version parsing error tests correctly use expect_err() with explicit, descriptive messages explaining the expected failure. The assertions verify that error messages contain the expected "error parsing cedar version" text, and each test case covers a distinct invalid version format scenario.

Based on learnings, as per coding guidelines for test files.


267-301: LGTM!

The missing field validation tests properly use expect_err() with explicit messages for both test cases (missing cedar_version and missing policy_stores). The assertions verify that error messages correctly identify which required field is missing, with clear failure messages for debugging.

Based on learnings, as per coding guidelines for test files.


306-368: LGTM!

The invalid policy store entry tests correctly validate three distinct missing field scenarios (name, schema, policies) using expect_err() with explicit messages. Each assertion verifies the appropriate missing field error message, and the comments clearly separate the test cases.

Based on learnings, as per coding guidelines for test files.


385-390: LGTM!

The test properly uses expect_err() with an explicit message and verifies that the error contains the expected "invalid cedar_version format" text.

Based on learnings, as per coding guidelines for test files.


407-412: LGTM!

The test properly uses expect_err() with an explicit message and verifies that the error contains the expected "error parsing schema" text.

Based on learnings, as per coding guidelines for test files.


435-440: LGTM!

The test properly uses expect_err() with an explicit message and verifies that the error contains the expected "unable to decode policy with id" text, which appropriately identifies policy decoding failures.

Based on learnings, as per coding guidelines for test files.


465-471: LGTM!

The test properly uses expect_err() with an explicit message and verifies that the error contains the expected invalid URL message for the openid_configuration_endpoint field.

Based on learnings, as per coding guidelines for test files.


142-149: The test correctly checks for ParsePolicySetMessage::String, which is the proper error variant for UTF-8 parsing failures. The enum variant is explicitly documented as "Indicates failure to decode policy content to a UTF-8 string," and the error handling code at line 594 of policy_store.rs maps UTF-8 decoding errors to this variant. No ParsePolicySetMessage::Utf8 variant exists in the codebase.

Likely an incorrect or invalid review comment.

jans-cedarling/cedarling/src/jwt/validation/trusted_issuer_validator.rs (14)

1-18: LGTM!

License header and module documentation are well-structured and comply with project guidelines.


19-34: LGTM!

Imports are properly grouped following the project guidelines: std crates first, then external crates, then internal modules.


36-107: LGTM!

Error enum is well-designed using thiserror with descriptive, contextual error messages. The structured error variants support debugging and error handling.


109-119: LGTM!

Result type alias and JWKS cache duration constants are well-defined with sensible bounds.


121-143: LGTM!

Struct design is well-thought-out with the reverse lookup map (url_to_issuer) for O(1) issuer matching and per-endpoint JWKS timing for correct multi-issuer support.


145-195: LGTM!

Constructor implementation correctly builds both forward and reverse lookup maps with proper URL normalization. The pre-allocation with HashMap::with_capacity is a good performance optimization.


197-220: LGTM!

Issuer lookup is efficient with O(1) HashMap lookups and proper URL normalization. The fallback from ID match to URL match handles common issuer claim formats.


222-249: LGTM!

OIDC configuration fetching with caching is correctly implemented. The cache-first approach and Arc wrapping for shared ownership are appropriate.

One consideration: OIDC configs are cached indefinitely. This is generally acceptable since these configurations change infrequently, and JWKS keys (which do change) have their own TTL-based refresh logic.


314-325: LGTM!

Clean delegation to the standalone function, allowing both instance-based and standalone usage patterns.


345-369: LGTM!

Standalone validation function correctly validates entity type configuration and required claims. The separation between "mapping fields" (hints for extraction) and "required claims" (strictly validated) is well-documented.


383-469: LGTM with minor observation on audience validation.

The validation flow is correctly structured:

  1. Header decode → issuer extraction → trusted issuer lookup
  2. JWKS preload → signature verification
  3. Required claims validation (correctly placed after signature verification)

The validate_aud = false on line 459 disables audience validation. This is acceptable if audience validation is handled elsewhere or not required by the use case, but consider documenting this decision.


482-517: LGTM!

Test utilities are well-designed with create_test_issuer and create_test_issuer_with_metadata providing flexible test data setup.


917-996: LGTM!

Comprehensive integration test covering the full validation flow with mocked OIDC and JWKS endpoints. The test correctly validates that missing required claims (defined in required_claims set) are caught after signature verification.


291-299: No action needed. The logger pattern safely handles the None case via the explicit LogWriter implementation for Option<Arc<LogStrategy>>, which uses if let Some(logger) to gracefully skip logging when the logger is unavailable.

jans-cedarling/cedarling/src/common/policy_store/archive_security_tests.rs (6)

1-28: LGTM! Well-structured security test module.

The file has proper Apache 2.0 license header, clear module documentation explaining what the tests cover (path traversal, malicious archives, input validation, resource exhaustion), and appropriate imports. The organization into submodules by concern is clean.


34-131: Path traversal tests are comprehensive and follow coding guidelines.

Tests cover parent directory traversal, absolute paths, double-dot sequences, and Windows-style separators. All assertions use expect_err() with explicit comments and matches!() with descriptive messages as required by coding guidelines.


137-235: LGTM! Comprehensive malicious archive handling tests.

Good coverage of edge cases including corrupted ZIPs, non-ZIP files, empty files, empty ZIPs, deeply nested paths (100 levels), and long filenames (1000 chars). The deeply nested path test correctly validates file content after loading.


241-410: LGTM! Input validation tests cover important error scenarios.

Tests properly validate rejection of invalid JSON, invalid Cedar syntax, invalid entities, invalid trusted issuers, and duplicate entity UIDs. The unicode filename and special character tests verify graceful handling of edge cases. Error assertions follow the coding guidelines pattern.


416-576: LGTM! Manifest security tests properly validate integrity checking.

The checksum mismatch test correctly modifies a file post-archive-extraction to trigger the validation error. Tests appropriately use #[cfg(not(target_arch = "wasm32"))] since they require filesystem access. Error matching uses the full path to ManifestErrorType variants which is clear and explicit.


582-710: LGTM! Resource exhaustion and extension validation tests are well-designed.

Resource exhaustion tests cover 100 policies, large policy conditions (1000 attribute checks), and 50-level entity hierarchies. File extension validation correctly tests rejection of .zip and acceptance of .cjar. Tests appropriately use #[cfg(not(target_arch = "wasm32"))] for file-based tests.

jans-cedarling/cedarling/src/common/policy_store/archive_handler.rs (5)

1-52: LGTM! Well-documented module with clear WASM compatibility notes.

The module documentation clearly explains the WASM support model, and the ArchiveVfs<T> struct is properly documented with thread safety notes. Using Mutex<ZipArchive<T>> is appropriate for thread-safe access.


71-108: LGTM! Path traversal protection uses recommended enclosed_name() API.

The implementation correctly uses file.enclosed_name() from the zip crate to validate and normalize paths, which properly handles path traversal, backslashes, and absolute paths. The additional check for ".." sequences provides defense-in-depth.


128-151: LGTM! Extension validation and file opening are correct.

The from_file constructor properly validates the .cjar extension before attempting to open the file, and uses appropriate error types. The #[cfg(not(target_arch = "wasm32"))] attribute correctly restricts this to native platforms.


264-385: LGTM! VfsFileSystem implementation handles mutex poisoning gracefully.

The implementation properly handles mutex poisoning by returning errors or false values rather than panicking. The two-pass algorithm in read_dir with is_directory_locked helper correctly avoids deadlocks. The open_file implementation appropriately reads file content and wraps it in a Cursor for the Read trait.


387-608: LGTM! Comprehensive test coverage for ArchiveVfs.

Tests cover valid archive creation, invalid ZIP handling, path traversal rejection, file reading, existence checks, directory detection, directory listing, extension validation, and complex directory structures. The test helper create_test_archive is well-designed for building test fixtures.

jans-cedarling/cedarling/src/common/policy_store/loader.rs (5)

1-27: LGTM! Clean module documentation and imports.

The module documentation clearly explains the internal API nature and archive loading design. Import ordering follows the project convention with std::path::Path first, then internal super:: imports.


161-205: LGTM! Clean data structures for loaded policy store components.

The LoadedPolicyStore and related file structures are well-documented and appropriately designed. Using String for file names and content is acceptable.


301-363: LGTM! Directory structure validation is thorough.

The validate_directory_structure method properly checks for directory existence, required files (metadata.json, schema.cedarschema), and required directories (policies/). Error messages are clear and actionable.


626-657: LGTM! load_directory orchestrates loading correctly.

The method validates directory structure first, then loads all components in a logical order. Documentation correctly notes that manifest validation is not performed here and should be called separately for backends that need it.


659-708: LGTM! Test helpers are appropriately scoped with #[cfg(test)].

The test-only helper functions provide convenient wrappers around PolicyParser methods. The Default implementation for PhysicalVfs loader is a nice convenience for native platforms.

jans-cedarling/cedarling/src/common/policy_store/test_utils.rs (5)

1-49: LGTM! Well-documented test utilities module with clear builder pattern.

The PolicyStoreTestBuilder struct has all necessary fields for creating test policy stores, including support for manifest generation and extra files. Public fields enable direct manipulation when needed.


159-282: LGTM! Builder implementation correctly generates metadata, manifest, and archives.

The build_metadata_json creates valid JSON structure with optional description. The build_manifest_json correctly computes SHA-256 checksums for all files except itself. The build_archive method properly creates a ZIP archive with Deflated compression and handles errors via PolicyStoreError::Io.


288-397: LGTM! Fixtures provide comprehensive test scenarios.

The fixtures module provides both valid scenarios (minimal_valid, with_multiple_policies, with_multiple_entities) and invalid scenarios (invalid_metadata_json, invalid_policy_syntax, duplicate_entity_uids, invalid_trusted_issuer). This follows the coding guidelines for including both positive and negative test cases.


403-525: LGTM! Archive and performance utilities are well-designed.

The archive utilities (create_path_traversal_archive, create_corrupted_archive, create_deep_nested_archive) are useful for security testing. The create_large_policy_store function generates realistic large stores with proper issuer configuration including openid_configuration_endpoint and entity_type_name.


527-594: LGTM! Tests validate builder and utility functionality.

Tests cover metadata JSON generation, archive creation (verifying ZIP magic number), fixture behavior, and utility functions. The tests are appropriately simple for validating test utilities.

jans-cedarling/cedarling/src/common/policy_store/manager.rs (7)

1-40: LGTM! Clear module documentation and appropriate imports.

The architecture diagram in the module docs clearly shows the conversion mapping from LoadedPolicyStore to PolicyStore. Imports are well-organized with conditional compilation for WASM-incompatible types.


41-67: LGTM! ConversionError enum uses thiserror correctly.

The error enum covers all conversion failure scenarios with clear, descriptive messages. Using thiserror for derive follows the coding guidelines for custom error types.


171-229: LGTM! Schema conversion with documented performance tradeoff.

The implementation correctly documents the double-parsing at lines 191-194, acknowledging it as a performance consideration rather than a correctness issue. The WASM-conditional ValidatorSchema creation is handled appropriately.


236-279: LGTM! Policy and template conversion handles all cases correctly.

The implementation properly handles the empty case, parses policies and templates with error context, creates the combined PolicySet, and builds the raw_policy_info map. Error messages include the filename for debugging.


315-404: LGTM! Entity conversion with comprehensive validation pipeline.

The 5-step entity conversion process is well-documented: parse → detect duplicates → validate hierarchy (non-fatal) → create store validation → convert to HashMap. The clone at line 352 is explained in the comment. Error messages include content truncation for debugging large entities.


407-739: LGTM! Comprehensive test coverage for all conversion scenarios.

Tests cover valid and invalid cases for version parsing, schema conversion, policy/template conversion, issuer conversion, entity conversion, and full end-to-end conversion. Error assertions use expect_err() with matches!() pattern following coding guidelines.


110-160: No action needed - logger.log_any() pattern is correct.

The code correctly uses logger.log_any() on Option<Logger> (which is Option<Arc<LogStrategy>>). This works through a blanket trait implementation of LogWriter for Option<Arc<LogStrategy>> defined in log/interface.rs:31-36, which safely handles the None case. This is idiomatic Rust and is used consistently throughout the codebase.

Likely an incorrect or invalid review comment.

…ecessary conditionals

- Updated `CedarSchema` and `PolicyStoreManager` to use a non-optional `ValidatorSchema`, simplifying the code and improving clarity.
- Removed conditional compilation for WebAssembly targets related to `ValidatorSchema`, ensuring consistent behavior across platforms.
- Enhanced logging and error handling in the schema deserialization process.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (1)
jans-cedarling/cedarling/src/common/policy_store/manager.rs (1)

108-158: Fix docstring format to comply with Rust conventions.

The # Arguments, # Returns, and # Errors sections (lines 95-107) use Python-style documentation format. Per the coding guidelines, use standard Rust docstrings without these Python-style sections. Rewrite to focus on explaining the 'why' in narrative form:

```rust
/// Converts a loaded policy store to the legacy format with optional logging.
///
/// This function orchestrates the conversion of all policy store components
/// (schema, policies, issuers, entities) from the new directory/archive format
/// into the legacy format used by existing Cedarling services. If a logger is
/// provided, it logs key conversion milestones and validation warnings.
///
/// # Errors
///
/// Returns `ConversionError` if schema, policy, issuer, entity, or Cedar version
/// conversion fails.
```

The logger.log_any() calls on lines 114, 141, and 353 work correctly with Option<Logger> due to the LogWriter trait implementation for Option<Arc<LogStrategy>>.

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ae74352 and 8ad644e.

📒 Files selected for processing (2)
  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/init/service_factory.rs
🧰 Additional context used
📓 Path-based instructions (1)
jans-cedarling/**/*.rs

📄 CodeRabbit inference engine (jans-cedarling/AGENTS.md)

jans-cedarling/**/*.rs: Check formatting compliance with cargo fmt --check and follow rustfmt settings in rustfmt.toml
Review clippy.toml for project-specific lint rules
Use rustfmt with project's rustfmt.toml settings for all Rust code
Enforce maximum line width of 100 characters in Rust code
Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml
Use 4-space indentation (no tabs) in all Rust code
Group imports with std/external crates first, then internal modules, using imports_granularity = "Module"
Follow existing import patterns in the codebase
Use snake_case for variables, functions, and modules in Rust
Use PascalCase for types, traits, and enums in Rust
Use SCREAMING_SNAKE_CASE for constants in Rust
Follow Rust naming conventions as established by the language
Use thiserror crate for custom error types
Prefer Result<T, E> over panics for error handling
Use derive_more crate for error derivation when needed
Include context in error messages for better debugging
Use typed-builder crate for complex struct construction
Leverage serde for serialization/deserialization in Rust
Use smol_str for string optimization where appropriate in Rust
Prefer strong typing over stringly-typed APIs in Rust
Use standard Rust docstrings without Python-style sections (avoid # Arguments, # Returns)
Document public API items with docstrings focusing on 'why' not 'what'
Include examples in docstrings for complex functionality
Keep documentation concise, focusing on explanatory content rather than obvious details
Each Rust file must contain the Apache 2.0 license header with copyright attribution to Gluu, Inc.

Files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/init/service_factory.rs
🧠 Learnings (17)
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Review clippy.toml for project-specific lint rules

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Keep documentation concise, focusing on explanatory content rather than obvious details

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use standard Rust docstrings without Python-style sections (avoid `# Arguments`, `# Returns`)

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-01T00:02:51.580Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Document public API items with docstrings focusing on 'why' not 'what'

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-26T17:33:20.543Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12903
File: jans-cedarling/bindings/cedarling_wasm/src/lib.rs:83-97
Timestamp: 2025-12-26T17:33:20.543Z
Learning: In jans-cedarling WASM bindings (jans-cedarling/bindings/cedarling_wasm/**/*.rs), explicit documentation sections like `# Arguments` and `# Example` are acceptable because these bindings expose Rust to JavaScript consumers who benefit from more explicit parameter documentation and JavaScript usage examples.

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Include examples in docstrings for complex functionality

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use 4-space indentation (no tabs) in all Rust code

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Check formatting compliance with `cargo fmt --check` and follow rustfmt settings in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Use HorizontalVertical imports layout with StdExternalCrate grouping in rustfmt.toml

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Include both positive and negative test cases in test files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*test*.rs : Always include explicit comments explaining what error is expected in test assertions

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Enforce maximum line width of 100 characters in Rust code

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/authorize_*.rs : Follow existing test patterns in authorize_*.rs files

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T08:24:27.240Z
Learnt from: CR
Repo: JanssenProject/jans PR: 0
File: jans-cedarling/AGENTS.md:0-0
Timestamp: 2025-12-10T08:24:27.240Z
Learning: Applies to jans-cedarling/**/*.rs : Follow existing import patterns in the codebase

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
📚 Learning: 2025-12-10T14:10:48.131Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12819
File: jans-cedarling/cedarling/src/common/policy_store/manager.rs:101-107
Timestamp: 2025-12-10T14:10:48.131Z
Learning: In all Rust source files under the jans-cedarling directory, avoid using println! or eprintln! because they do not work in WASM builds. Use the provided Logger API, e.g. logger.log(&System::log_msg(...)) to log messages. Ensure the logger is properly initialized in the WASM context and replace direct prints with the logger pattern in relevant code paths (especially in WASM targets).

Applied to files:

  • jans-cedarling/cedarling/src/common/policy_store/manager.rs
  • jans-cedarling/cedarling/src/init/service_factory.rs
📚 Learning: 2025-12-24T14:16:17.748Z
Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12896
File: jans-cedarling/cedarling/src/entity_builder/trusted_issuer_index.rs:23-30
Timestamp: 2025-12-24T14:16:17.748Z
Learning: In jans-cedarling Rust code targeting WASM, avoid using `eprintln!` for warnings in constructors or initialization functions. Instead, accept an `Option<&Arc<LogStrategy>>` parameter and use `logger.log_any(LogEntry::new_with_data(LogType::System, None).set_message(...).set_log_level(LogLevel::WARN))` to emit warnings that work in WASM environments.

Applied to files:

  • jans-cedarling/cedarling/src/init/service_factory.rs
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: wasm_tests
  • GitHub Check: golang_tests
  • GitHub Check: python_tests (3.10)
  • GitHub Check: python_tests (3.11)
  • GitHub Check: rust_tests
  • GitHub Check: rust_benchmarks
🔇 Additional comments (10)
jans-cedarling/cedarling/src/init/service_factory.rs (3)

14-16: LGTM: Import addition follows project conventions.

The addition of PolicyStoreMetadata to the existing crate::common::policy_store import follows the module-level imports grouping pattern established in the coding guidelines.


64-70: LGTM: Well-documented accessor method.

The new policy_store_metadata() method is a clean, idiomatic accessor that properly returns Option<&PolicyStoreMetadata>. The documentation effectively explains when metadata is available versus when it's not, focusing on the 'why' as recommended by the coding guidelines.


104-108: LGTM: Formatting improvement with proper WASM-compatible logging.

The reformatted log entry construction improves readability while maintaining correct usage of the Logger API (avoiding println!/eprintln!), which is essential for WASM compatibility as noted in the project learnings.

jans-cedarling/cedarling/src/common/policy_store/manager.rs (7)

1-21: LGTM!

The license header and module documentation are well-structured. The architecture diagram effectively illustrates the conversion mapping between new and legacy formats.


22-37: LGTM!

Imports are properly organized following the project's conventions with external crates grouped before internal modules.


39-65: LGTM!

The ConversionError enum follows project conventions with thiserror derivation and provides clear, contextual error messages for each failure mode.


169-222: LGTM!

The schema conversion logic is correct, and the double-parsing tradeoff is appropriately documented. Error handling provides good context at each step.


274-306: LGTM!

The issuer conversion correctly aggregates issuers from multiple files, validates for duplicates, and provides clear error messages with joined validation errors.


388-398: LGTM!

The version parsing correctly handles the optional "v" prefix and provides clear error context including both the invalid version string and parsing details.


341-364: No issues identified. The code correctly uses all_parsed_entities on line 361 (shown as line 62 in full context) because the ? operator on line 346 ensures the function returns early if detect_duplicates finds any duplicates. By the time line 361 executes, all_parsed_entities is guaranteed to be duplicate-free. The clone strategy is intentional: cloning preserves the original for hierarchy validation while detecting duplicates, then failing fast if any are found. The code is sound.

coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 2, 2026
…asurement

- Reduced policy counts in benchmark tests to [5, 10] to ensure execution stays under the 1ms threshold.
- Updated comments to clarify the rationale behind keeping policy counts low for more accurate benchmarking.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 2, 2026
Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>
coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 2, 2026
for entry in entries {
if !entry.is_dir {
// Validate .json extension
if !entry.name.ends_with(".json") {

Have you considered making this check case-insensitive? Although the chances of this happening are low, what if the file extension is .JSON? This would fail.

self.load_cedar_files_recursive(&entry.path, files)?;
} else {
// Validate .cedar extension
if !entry.name.ends_with(".cedar") {

Case-sensitive comparison here

for entry in entries {
if !entry.is_dir {
// Validate .json extension
if !entry.name.ends_with(".json") {

The same idea here as well
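
The case-insensitive extension check these three comments ask for, combined with the entry-name cases the earlier review of archive_security_tests.rs lists (parent-directory traversal, absolute paths, Windows-style separators), as an added std-only Rust example. It is not the PR's code: `Rejected`, `Kind`, `has_extension`, `check_entry_name` and `classify` are hypothetical names, the sample entry names are constructed, and per the review above the project itself relies on the zip crate's `enclosed_name()`.

```rust
use std::path::Path;

/// Why an entry name was refused. All names in this block are the example's own.
#[derive(Debug, PartialEq)]
pub enum Rejected {
    Empty,
    Backslash,
    Absolute,
    ParentDir,
    UnknownExtension,
}

/// File kinds a policy store loader distinguishes by extension.
#[derive(Debug, PartialEq)]
pub enum Kind {
    Json,
    Cedar,
}

/// True when the final path segment has extension `ext`, ignoring ASCII case.
/// Unlike `name.ends_with(".json")`, this accepts `USERS.JSON` and does not
/// treat a file called just `.json` as a JSON file.
pub fn has_extension(name: &str, ext: &str) -> bool {
    Path::new(name)
        .extension()
        .and_then(|e| e.to_str())
        .map_or(false, |e| e.eq_ignore_ascii_case(ext))
}

/// Structural checks on an archive entry name before it is used as a path.
pub fn check_entry_name(name: &str) -> Result<(), Rejected> {
    if name.is_empty() {
        return Err(Rejected::Empty);
    }
    // ZIP entry names use '/'; a backslash is a Windows-style separator.
    if name.contains('\\') {
        return Err(Rejected::Backslash);
    }
    // A leading '/' or a drive prefix such as "C:" makes the name absolute.
    let b = name.as_bytes();
    if b[0] == b'/' || (b.len() >= 2 && b[0].is_ascii_alphabetic() && b[1] == b':') {
        return Err(Rejected::Absolute);
    }
    // This example rejects ".." only as a whole component, so a file name
    // such as "a..b.cedar" is still accepted.
    if name.split('/').any(|part| part == "..") {
        return Err(Rejected::ParentDir);
    }
    Ok(())
}

/// Validates the entry name first, then decides the file kind by extension.
pub fn classify(name: &str) -> Result<Kind, Rejected> {
    check_entry_name(name)?;
    if has_extension(name, "json") {
        Ok(Kind::Json)
    } else if has_extension(name, "cedar") {
        Ok(Kind::Cedar)
    } else {
        Err(Rejected::UnknownExtension)
    }
}

fn main() {
    // Constructed sample entry names, not taken from the PR's test fixtures.
    let samples = [
        "policies/allow.cedar",
        "entities/USERS.JSON",
        "policies/.json",
        "../etc/passwd",
        "policies/../../x.cedar",
        "/etc/passwd",
        "..\\windows\\x.json",
        "C:/x.json",
        "policies/readme.txt",
    ];
    for name in samples.iter() {
        println!("{:?} -> {:?}", name, classify(name));
    }
}
```

Running the structural checks before the extension check means a traversal attempt is reported as such, even when its extension would otherwise be accepted.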

source: PolicyStoreSource::LockServer(policy_store_uri),
// Case: get the policy store from a URI (auto-detect .cjar archives)
(None, Some(policy_store_uri), None) => {
let source = if policy_store_uri.to_lowercase().ends_with(".cjar") {
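Review bot: The archive detection in `policy_store_uri.to_lowercase().ends_with(".cjar")` is a suffix match on the whole URI string, so a URI whose file name is followed by a query string or fragment is not recognised as an archive and takes the other branch. Consider parsing the URI and testing only the extension of its path component, and state in the comment above the match arm which source is chosen when detection does not match.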

It might be an edge case, but what if the URL is used to fetch a policy store from a lock server and it ends with .cjar? Wouldn't this just fail?

source: PolicyStoreSource::LockServer(policy_store_uri),
// Case: get the policy store from a URI (auto-detect .cjar archives)
(None, Some(policy_store_uri), None) => {
let source = if policy_store_uri.to_lowercase().ends_with(".cjar") {

Another comment I have: if we want to load an archive from a URL, we shouldn't check whether it ends with .cjar or not, but whether the URL points to a policy store file or an archive.

…rusted issuer files

- Introduced new sections in the policy store documentation to explain the structure and requirements for template files, entity files, and trusted issuer configuration files.
- Provided examples for each file type to enhance clarity and understanding of their formats and attributes.

Signed-off-by: haileyesus2433 <haileyesusbe@gmail.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4b0c716 and ed8d0cc.

📒 Files selected for processing (1)
  • docs/cedarling/reference/cedarling-policy-store.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: python_tests (3.11)
  • GitHub Check: python_tests (3.10)
  • GitHub Check: rust_benchmarks
  • GitHub Check: Deploy docs
  • GitHub Check: golang_tests
  • GitHub Check: wasm_tests
  • GitHub Check: rust_tests
  • GitHub Check: python_tests (3.10)
  • GitHub Check: rust_tests
  • GitHub Check: wasm_tests
  • GitHub Check: rust_benchmarks
  • GitHub Check: golang_tests
  • GitHub Check: python_tests (3.11)
🔇 Additional comments (1)
docs/cedarling/reference/cedarling-policy-store.md (1)

241-253: Verify Rust and WASM function names and signatures match implementation.

Line 246 references load_policy_store_archive_bytes() and line 245 references init_from_archive_bytes() for WASM. These function names and their exact signatures should be verified against the actual implementation to ensure documentation accuracy.

The documentation references external APIs that should be validated. Can you confirm:

  1. Does the Rust implementation export PolicyStoreSource::ArchiveBytes variant and load_policy_store_archive_bytes() function?
  2. Does the WASM binding export init_from_archive_bytes() function with the documented signature?
  3. Are these the official public API functions users should call?

import "C"
```
```go
// #cgo LDFLAGS: -L. -lcedarling_go

We have changed indentation from 4 spaces to 3, why?

In other places the indentation also changed for no reason.


AuthorizeMultiIssuerRequest
===========================
## Policy Store Sources

This file is autogenerated by `python3 ./print_documentation.py > ./PYTHON_TYPES.md`, so eventually any comment will be rewritten by that command.

}
```

**manifest.json structure (optional, for integrity validation):**

I think we can add a link to the documentation for this topic.
Same for the other files.

}
```

#### Cedar Archive (.cjar) Format

I think we can add a link to the documentation for this topic.
Same for the other files.

* @param config - Bootstrap configuration (policy store config is ignored)
* @param archive_bytes - The .cjar archive as Uint8Array
*/
export function init_from_archive_bytes(

Please build the WASM bindings and copy-paste the part related to the function init_from_archive_bytes from the file bindings/cedarling_wasm/pkg/cedarling_wasm.d.ts, to be consistent.

#[error("failed to deserialize the JWT's status claim: {0}")]
DeserializeStatusClaim(#[from] serde_json::Error),
#[error("failed to validate the JWT's trusted issuer: {0}")]
TrustedIssuerValidation(String),

Isn't it better to use TrustedIssuerError here?

Suggested change
TrustedIssuerValidation(String),
TrustedIssuerValidation(TrustedIssuerError),

.validators
.get(&validator_key)
.ok_or(ValidateJwtError::MissingValidator(validator_key.owned()))?;
let validator: Arc<std::sync::RwLock<JwtValidator>> =

You removed use std::sync::RwLock; from the top just to use std::sync::RwLock here. What is the point?

hex = "0.4.3"
sha2 = "0.10.8"
zip = "6.0.0"


How about updating zip to 7.0.0?

// Fetch the JWKS from the jwks_uri
/// Retries are performed silently - the final error is returned if all attempts fail.
/// This keeps HttpClient as a simple, low-level utility without logging dependencies.
async fn get_with_retry(&self, uri: &str) -> Result<reqwest::Response, HttpClientError> {

Isn't it better to use Sender and Backoff from the http_utils crate?

}
}
}
"$schema": "https://json-schema.org/draft/2020-12/schema",

I see that the indentation was 4 spaces, but now it is only 2, and it is really hard to see what actually changed.

Labels

  • area-documentation: Documentation needs to change as part of issue or PR
  • comp-docs: Touching folder /docs
  • comp-jans-cedarling: Touching folder /jans-cedarling
  • kind-feature: Issue or PR is a new feature request

Development

Successfully merging this pull request may close these issues.

feat (jans-cedarling): Support new Policy Store ZIP format

5 participants