@dagregi dagregi commented Feb 3, 2026

Prepare


Description

Target issue

closes #13010

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • New Features

    • Adds a custom lint (BAD_STRING_CONCATENATION) that flags inefficient string-construction patterns and offers suggestions.
  • Chores

    • Introduces a new lint crate, toolchain/configuration, ignores build outputs, updates workspace configuration, and adds CI to run the lint.
  • Tests

    • Adds self-contained UI tests with expected diagnostics for the lint.
  • Documentation

    • Adds a README documenting the lint and development workflow.
  • Bug Fixes

    • Improves parent-UID construction and related invalid-parent warnings.

…enation

The added custom linter checks and flags for the use of EntityUid::from_str with a
format! macro.

Signed-off-by: dagregi <dagmawi.m@proton.me>
@dagregi dagregi self-assigned this Feb 3, 2026
@dagregi dagregi added the comp-jans-cedarling Touching folder /jans-cedarling label Feb 3, 2026
@coderabbitai
Contributor

coderabbitai bot commented Feb 3, 2026

Walkthrough

Adds a new dylint-style crate custom-lints (toolchain, manifest, build config), implements BAD_STRING_CONCATENATION lint with UI tests and expected stderr, updates CI to run a custom_lints job, and excludes custom-lints from the workspace Cargo.toml. (34 words)

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workspace config: jans-cedarling/Cargo.toml | Added custom-lints to the workspace exclude list. |
| Custom-lints crate config: jans-cedarling/custom-lints/.cargo/config.toml, jans-cedarling/custom-lints/Cargo.toml, jans-cedarling/custom-lints/rust-toolchain, jans-cedarling/custom-lints/.gitignore | New crate configuration: cdylib manifest, rustflags to link dylint-link, nightly toolchain with components, and /target ignored. |
| Lint implementation: jans-cedarling/custom-lints/src/lib.rs | Adds BAD_STRING_CONCATENATION via declare_late_lint!; implements a LateLintPass detecting EntityUid::from_str(&format!(...)), extracts format arguments/literals, and emits diagnostics with suggestions. |
| UI tests & expected output: jans-cedarling/custom-lints/ui/main.rs, jans-cedarling/custom-lints/ui/main.stderr | Adds UI test exercising lint triggers and non-triggers, plus expected stderr with warnings and suggestions. |
| CI workflow: .github/workflows/test-cedarling.yml | Adds custom_lints job to install nightly toolchain, install dylint tooling, run tests in jans-cedarling/custom-lints, and run cargo dylint for the crate. |
| Cedar change: jans-cedarling/cedarling/src/common/default_entities.rs | Parent UID construction now derives EntityId and uses EntityUid::from_type_name_and_id; on parse failure emits InvalidParentUid with original parent type/id string. |
| Docs: jans-cedarling/custom-lints/README.md | New README documenting lint purpose, development workflow, build/run instructions, and testing guidance. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • olehbozhok
  • haileyesus2433
  • dagregi
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 42.86% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: adding a custom Rust linter to detect inefficient string concatenation patterns in EntityUid construction. |
| Description check | ✅ Passed | The PR description follows the template with all required sections completed, includes the linked issue number (#13010), and provides implementation details about static analysis and testing. |
| Linked Issues check | ✅ Passed | The PR successfully implements all coding objectives from #13010: prototypes a custom Rust lint detecting EntityUid::from_str with format!, documents the linter, adds unit tests, includes CI integration, and refactors existing code to use efficient alternatives. |
| Out of Scope Changes check | ✅ Passed | All code changes are directly related to implementing the custom linter framework and addressing the performance issue identified in #13010, with no out-of-scope modifications detected. |


@mo-auto
Member

mo-auto commented Feb 3, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |


@mo-auto mo-auto added the kind-feature Issue or PR is a new feature request label Feb 3, 2026
@olehbozhok
Contributor

How can this new rule be applied to the Cedarling code?

@dagregi
Contributor Author

dagregi commented Feb 3, 2026

> How can this new rule be applied to the Cedarling code?

We can add it to the CI, that's why the PR is a draft. I wanted you guys' opinion before continuing.

@olehbozhok
Contributor

olehbozhok commented Feb 4, 2026

Looks OK to me, I don't know how to make it better

Contributor

@haileyesus2433 haileyesus2433 left a comment

I think we should also fix the existing violations in this PR. Also, don't forget to update the CI. Other than that LGTM, but the existing violations should be fixed.

Signed-off-by: dagregi <dagmawi.m@proton.me>
@dagregi dagregi marked this pull request as ready for review February 5, 2026 07:08
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 7

🤖 Fix all issues with AI agents
In `@jans-cedarling/custom-lints/Cargo.toml`:
- Around line 2-6: Update the package metadata in Cargo.toml by replacing the
placeholder values for the authors and description fields with real,
project-appropriate values: set authors = ["Full Name <email@example.com>" or an
organization array] and provide a clear, concise description string describing
the crate's purpose (instead of "authors go here" and "description goes here");
keep other fields (name, version, edition) intact and ensure the metadata
reflects the repository ownership so tooling and diagnostics show accurate info.

In `@jans-cedarling/custom-lints/src/lib.rs`:
- Line 1: This file lacks the required Apache 2.0 license header; add the
standard Apache 2.0 header comment block at the very top of the file (above the
existing crate attribute #![feature(rustc_private)]) so every Rust source file
contains the license comment per guidelines; ensure the header uses the
project's canonical Apache 2.0 wording and year/owner as used across the repo.
- Around line 10-32: Update the docstring for the lint declared with
dylint_linting::declare_late_lint! to remove the "What it does" and "Why is this
bad" section headers and instead provide a single concise rationale explaining
why the pattern is problematic (e.g., using format! with EntityUid::from_str is
inefficient) and include a short example showing the bad pattern
(EntityUid::from_str(&format!(...))) and the recommended replacement (using
EntityTypeName/EntityId and EntityUid::from_type_name_and_id); keep wording in
standard Rust docstring style and trim excess narrative so the docs focus on the
rationale and example.

In `@jans-cedarling/custom-lints/ui/main.rs`:
- Line 1: This file is missing the required Apache 2.0 license header; add the
standard Apache-2.0 comment block at the very top of the Rust source (before the
fn main declaration) using the repository's canonical header text (including the
license name and copyright/years/owner placeholder as used across the project)
so every Rust file includes the Apache 2.0 header.
- Around line 3-17: The test contains unused local bindings (eid1, eid2, eid3,
eid4, eid5, user, literal) and an unused parameter s that trigger warnings;
rename these by prefixing an underscore (e.g., _eid1, _user, _literal) and
rename the function parameter s to _s (or similarly) to silence unused-variable
warnings; apply the same underscore-prefix fix to the analogous bindings
referenced in lines 23-25 as well.

In `@jans-cedarling/custom-lints/ui/main.stderr`:
- Around line 1-8: The lint help text is too vague for cases like
EntityUid::from_str(&format!(...))—update the lint message (the
bad_string_concatenation warning emission that triggers on EntityUid::from_str +
format!) to explain that using format! causes an unnecessary allocation and
subsequent parsing, and provide a concrete, efficient alternative such as using
a literal or a typed constructor (e.g., suggest
EntityUid::from_type_name_and_id("User", "alice") or passing a string literal
directly) so callers can see exactly how to avoid the allocation and parse step.
- Around line 10-16: The help text wrongly suggests "use string literals
instead" when the code uses format! with runtime data; update the lint that
detects the pattern involving EntityUid::from_str and format! so it
distinguishes literal-only format! uses from dynamic ones, and change the
guidance: for literal-only cases keep suggesting a string literal, but for
dynamic interpolation recommend using the typed constructor (e.g.,
EntityUid::from_type_name_and_id(type_name, id)) or another allocation-free API
instead of parsing; adjust the emitted message text and the detection logic that
looks for EntityUid::from_str(...) and format!(...) to produce the appropriate
message for each case.

Signed-off-by: dagregi <dagmawi.m@proton.me>
@dagregi dagregi requested a review from moabu as a code owner February 5, 2026 11:45
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.github/workflows/test-cedarling.yml:
- Around line 40-47: The GitHub Actions step "Install dylint" currently runs an
unpinned "cargo install cargo-dylint dylint-link" which can install incompatible
versions; change that run to pin both tools to 5.0.0 (e.g., "cargo install
cargo-dylint@5.0.0 dylint-link@5.0.0") so they match the workspace dependency
dylint_linting = "5.0.0" and avoid runtime compatibility errors.

In `@jans-cedarling/custom-lints/src/lib.rs`:
- Around line 25-32: The documentation comment for the lint that checks the
EntityUid::from_str(&format!(...)) pattern contains a typo: "create" should be
"crate"; update the doc string in lib.rs (the comment block describing the lint
for EntityUid::from_str(&format!(...))) to replace "create documentation" with
"crate documentation" so the wording is correct.
- Around line 56-65: The match on the type path currently uses path.segments[0]
which misses qualified paths like cedar_policy::EntityUid; change it to inspect
the last segment safely (e.g., use path.segments.last() and compare its ident to
"EntityUid" or pattern-match Some(last) before comparing) so the check works for
both plain and qualified paths and avoids panics on empty segments; keep the
surrounding guards (ExprKind::Call, ExprKind::Path with QPath::TypeRelative,
TyKind::Path with QPath::Resolved, and the function name check segment.ident ==
sym::from_str) intact.

Signed-off-by: dagregi <dagmawi.m@proton.me>
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@jans-cedarling/custom-lints/src/lib.rs`:
- Around line 76-85: The suggestion currently emits an unqualified
"EntityUid::from_str(...)" which may not compile; modify the span_lint_and_sugg
call in the BAD_STRING_CONCATENATION branch (where
extract_string_literal(format_arg) is handled) to use the original qualified
type path snippet instead of the bare "EntityUid"—use snippet(cx, ty.span,
"EntityUid") (the ty that holds the type path) to build the replacement string
for EntityUid::from_str so the machine-applicable suggestion preserves the
original qualified path and compiles. Ensure you still pass the same
applicability and message, and update the formatted suggestion construction
where format_arg and expr.span are used.

Signed-off-by: dagregi <dagmawi.m@proton.me>
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@jans-cedarling/custom-lints/src/lib.rs`:
- Around line 53-100: There is a minor typo in the inline comment inside the
LateLintPass::check_expr implementation: change "extarct" to "extract" in the
comment that describes extracting the argument of the inner function call (near
the sequence of pattern matches including ExprKind::Call(_, [format_call]) and
ExprKind::Block(block, _)); update the comment text in the check_expr block
accordingly so it reads "extract" instead of "extarct".

@dagregi
Contributor Author

dagregi commented Feb 5, 2026

> I think we should also fix the existing violations in this PR. Also, don't forget to update the CI. Other than that LGTM, but the existing violations should be fixed.

Added the check in the CI. I haven't found any existing issues though.

Signed-off-by: dagregi <dagmawi.m@proton.me>
coderabbitai[bot]
coderabbitai bot previously approved these changes Feb 5, 2026
@haileyesus2433
Contributor

> > I think we should also fix the existing violations in this PR. Also, don't forget to update the CI. Other than that LGTM, but the existing violations should be fixed.
>
> Added the check in the CI. I haven't found any existing issues though.

in

    let parent_uid_str = format!("{parent_entity_type}::\"{id_v}\"");
    match EntityUid::from_str(&parent_uid_str) {
        Ok(parent_uid) => {
            parents_set.insert(parent_uid);
        },

should be refactored to use EntityUid::from_type_name_and_id(). I saw this and assumed there might be other places too.

components: llvm-tools-preview, rustc-dev
- name: Install dylint
run: |
cargo install cargo-dylint --version 5.0.0 --locked
Contributor

Maybe we can utilize cargo-binstall to download the binary instead of building it each time?

Contributor Author

resolved in d0dc044

Contributor

@olehbozhok olehbozhok left a comment

I think it would be great to add a README file to the custom-lints folder explaining how it works, so other coworkers don’t have to spend extra time getting up to speed.

@dagregi
Contributor Author

dagregi commented Feb 5, 2026

> > > I think we should also fix the existing violations in this PR. Also, don't forget to update the CI. Other than that LGTM, but the existing violations should be fixed.
> >
> > Added the check in the CI. I haven't found any existing issues though.
>
> in
>
>     let parent_uid_str = format!("{parent_entity_type}::\"{id_v}\"");
>     match EntityUid::from_str(&parent_uid_str) {
>         Ok(parent_uid) => {
>             parents_set.insert(parent_uid);
>         },
>
> should be refactored to use EntityUid::from_type_name_and_id(). I saw this and assumed there might be other places too.

Good find. I haven't thought about the format macro being assigned as a variable then passed to the method. I will have to check first if it has a performance impact, then add it to the linter.

* Added a README for the custom lints

Signed-off-by: dagregi <dagmawi.m@proton.me>
Signed-off-by: dagregi <dagmawi.m@proton.me>
Signed-off-by: dagregi <dagmawi.m@proton.me>
Signed-off-by: dagregi <dagmawi.m@proton.me>
@mo-auto mo-auto added the area-documentation Documentation needs to change as part of issue or PR label Feb 6, 2026
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/test-cedarling.yml:
- Line 45: Replace the unpinned action reference "uses:
cargo-bins/cargo-binstall@main" with a pinned full 40-character commit SHA
(e.g., "cargo-bins/cargo-binstall@<commit-sha>") to match the other pinned
actions; locate the exact line containing cargo-bins/cargo-binstall@main in the
workflow and update it to use a specific commit SHA for a stable release so the
workflow is consistent with the supply-chain security posture of the other
actions.

@dagregi dagregi force-pushed the jans-cedarling-13010 branch from 91162b2 to a41c6ba Compare February 6, 2026 17:03
Signed-off-by: dagregi <dagmawi.m@proton.me>
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/test-cedarling.yml:
- Around line 53-58: The workflow installs stable then runs `cargo dylint` which
compiles the `custom-lints` crate with the wrong toolchain; change the Run
custom lints step so it invokes `cargo +nightly-2025-09-18 dylint --all
--workspace --path custom-lints` (matching the crate's rust-toolchain) instead
of installing or relying on stable, ensuring `cargo dylint` and the
`custom-lints` lint library are built with the same nightly-2025-09-18
toolchain.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/test-cedarling.yml:
- Around line 46-49: Update the two cargo binstall invocations that install
cargo-dylint and dylint-link to run non-interactively in CI by adding the
--no-confirm flag to both commands (the lines invoking "cargo binstall
cargo-dylint --version 5.0.0 --locked" and "cargo binstall dylint-link --version
5.0.0 --locked"); ensure both commands include --no-confirm so the workflow
won't hang waiting for user confirmation.

@olehbozhok
Contributor

> > > > I think we should also fix the existing violations in this PR. Also, don't forget to update the CI. Other than that LGTM, but the existing violations should be fixed.
> > >
> > > Added the check in the CI. I haven't found any existing issues though.
> >
> > in
> >
> >     let parent_uid_str = format!("{parent_entity_type}::\"{id_v}\"");
> >     match EntityUid::from_str(&parent_uid_str) {
> >         Ok(parent_uid) => {
> >             parents_set.insert(parent_uid);
> >         },
> >
> > should be refactored to use EntityUid::from_type_name_and_id(). I saw this and assumed there might be other places too.
>
> Good find. I haven't thought about the format macro being assigned as a variable then passed to the method. I will have to check first if it has a performance impact, then add it to the linter.

According to this PR https://github.com/JanssenProject/jans/pull/12988/changes it has a performance impact. But I assume creating a linter for this case will be hard. If it is, we can just fix that code line and merge the current changes.

@dagregi
Contributor Author

dagregi commented Feb 9, 2026

> > > > > I think we should also fix the existing violations in this PR. Also, don't forget to update the CI. Other than that LGTM, but the existing violations should be fixed.
> > > >
> > > > Added the check in the CI. I haven't found any existing issues though.
> > >
> > > in
> > >
> > >     let parent_uid_str = format!("{parent_entity_type}::\"{id_v}\"");
> > >     match EntityUid::from_str(&parent_uid_str) {
> > >         Ok(parent_uid) => {
> > >             parents_set.insert(parent_uid);
> > >         },
> > >
> > > should be refactored to use EntityUid::from_type_name_and_id(). I saw this and assumed there might be other places too.
> >
> > Good find. I haven't thought about the format macro being assigned as a variable then passed to the method. I will have to check first if it has a performance impact, then add it to the linter.
>
> According to this PR https://github.com/JanssenProject/jans/pull/12988/changes it has a performance impact. But I assume creating a linter for this case will be hard. If it is, we can just fix that code line and merge the current changes.

It's alright, I already updated the linter for such a case in f3c8b64 and it works fine, thanks for the thought.

olehbozhok
olehbozhok previously approved these changes Feb 9, 2026
moabu
moabu previously approved these changes Feb 10, 2026
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/test-cedarling.yml:
- Around line 35-38: The harden-runner action usage in this job pins an older
commit (`@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4` # v2.7.1); update the `uses:
step-security/harden-runner@...` entry in this job to the same commit used
elsewhere (`@5ef0c079ce82195b2a36a210272d6b661572d83e` # v2.14.2) so the `Harden
Runner` step uses the consistent, up-to-date v2.14.2 release of the action.
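
The two action-pinning findings in this thread (the `cargo-bins/cargo-binstall@main` reference, and the `step-security/harden-runner` step pinned to a different commit than the one used elsewhere) can be checked mechanically before review. The following is an added example, not code from this PR or the Janssen project: a std-only Rust program whose `audit_workflow` function (a hypothetical name) scans workflow text line by line, without a YAML parser, over a constructed sample workflow.

```rust
use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
enum Finding {
    /// `uses:` points at a branch or tag instead of a full commit SHA.
    Unpinned { line: usize, action: String, reference: String },
    /// The same action is pinned to more than one SHA in the workflow.
    Inconsistent { action: String, shas: Vec<String> },
}

fn is_full_sha(reference: &str) -> bool {
    reference.len() == 40 && reference.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Parse `- uses: owner/repo@ref  # comment` into (action, ref).
/// Local (`./`) and `docker://` references carry no git ref and are skipped.
fn parse_uses(line: &str) -> Option<(String, String)> {
    let code = line.split('#').next()?; // drop a trailing YAML comment
    let item = code.trim().trim_start_matches("- ").trim_start();
    let value = item.strip_prefix("uses:")?.trim();
    let value = value.trim_matches(|c| c == '"' || c == '\'');
    if value.starts_with("./") || value.starts_with("docker://") {
        return None;
    }
    let (action, reference) = value.split_once('@')?;
    Some((action.to_string(), reference.to_string()))
}

/// Report unpinned references first (in file order), then actions whose
/// pinned SHAs disagree between steps.
fn audit_workflow(yaml: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut pins: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for (idx, line) in yaml.lines().enumerate() {
        if let Some((action, reference)) = parse_uses(line) {
            if is_full_sha(&reference) {
                let shas = pins.entry(action).or_default();
                if !shas.contains(&reference) {
                    shas.push(reference);
                }
            } else {
                findings.push(Finding::Unpinned { line: idx + 1, action, reference });
            }
        }
    }
    for (action, shas) in pins {
        if shas.len() > 1 {
            findings.push(Finding::Inconsistent { action, shas });
        }
    }
    findings
}

// Constructed sample workflow; the action names and SHAs are the ones quoted
// in the review comments above, the job layout is an assumption.
const SAMPLE: &str = r#"
jobs:
  test:
    steps:
      - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
  custom_lints:
    steps:
      - uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
      - uses: cargo-bins/cargo-binstall@main
"#;

fn main() {
    for finding in audit_workflow(SAMPLE) {
        println!("{finding:?}");
    }
}
```

A version tag such as `@v4` is reported as unpinned too, since only a full 40-character SHA is immutable.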

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
@moabu moabu dismissed stale reviews from olehbozhok and themself via baf4b1f February 10, 2026 04:48
@moabu moabu merged commit 46d7b50 into main Feb 10, 2026
4 of 12 checks passed
@moabu moabu deleted the jans-cedarling-13010 branch February 10, 2026 04:50

Labels

area-documentation Documentation needs to change as part of issue or PR comp-jans-cedarling Touching folder /jans-cedarling kind-feature Issue or PR is a new feature request

Development

Successfully merging this pull request may close these issues.

chore(jans-cedarling): Investigate adding custom linter for inefficient string concatenation (perf issue workaround)

5 participants