Skip to content

feat: add component-level context and boundary lint rules#941

Open
h0pers wants to merge 1 commit into
opendatahub-io:mainfrom
h0pers:feat/ai-scaffolding-tier3
Open

feat: add component-level context and boundary lint rules#941
h0pers wants to merge 1 commit into
opendatahub-io:mainfrom
h0pers:feat/ai-scaffolding-tier3

Conversation

@h0pers

@h0pers h0pers commented Jul 2, 2026

Copy link
Copy Markdown

What this PR does / why we need it:

Implements AI Scaffolding Tier 3 checks 3.1 and 3.3 for the distributed-workloads repo:

  • Check 3.1 — Component-level context files: Add .claude/rules/ with path-scoped rules for tests/trainer/, tests/common/support/, and general test conventions (mandatory tags, namespace isolation, resource naming, import boundaries).
  • Check 3.3 — Architectural boundary lint rules: Enable depguard in .golangci.yml with per-suite boundary rules preventing cross-suite imports between tests/kfto/, tests/trainer/, tests/fms/, and tests/odh/. Move shared image helpers (GetAlpacaDatasetImage, GetBloomModelImage) from tests/kfto/ to tests/common/support/environment.go to resolve existing cross-suite import violations.

Which issue(s) this PR fixes:

Fixes #940

Summary by CodeRabbit

  • Documentation

    • Added new test-convention guidance covering namespace isolation, naming, cleanup, shared helpers, and import boundaries.
  • Bug Fixes

    • Standardized test image lookups through shared support helpers, reducing duplicate references across test suites.
    • Updated notebook loading to use a direct file read with explicit error checking.
  • Chores

    • Strengthened linting rules to enforce test-suite import boundaries and shared-test code placement.

Add .claude/rules/ with path-scoped rules for trainer, common/support,
and general test conventions. Enable depguard in .golangci.yml with
per-suite boundary rules preventing cross-suite imports. Move shared
image helpers from tests/kfto/ to tests/common/support/ to eliminate
existing violations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot requested review from ChughShilpa and sutaakar July 2, 2026 07:20
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign abhijeet-dhumal for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

Configuration change flagged: .golangci.yml now enables depguard, a supply-chain-relevant CI gate — verify the deny lists are exhaustive and list-mode: lax doesn't silently allow unlisted packages (fail-open risk). Three new .claude/rules/*.md files add non-enforced conventions (advisory only, no CWE relevance). Functional change: GetBloomModelImage/GetAlpacaDatasetImage moved from tests/kfto/environment.go (deleted) to tests/common/support/environment.go; both still resolve hardcoded default image digests via lookupEnvOrDefault — confirm digests are pinned by SHA, not mutable tags (CWE-829: reliance on untrusted/undated component). Call sites across tests/fms, tests/trainer, tests/kfto updated to drop cross-suite imports; odh.ReadFileExt replaced with os.ReadFile plus explicit error assertion.

Estimated code review effort: 2 (Simple) | ~15 minutes

Related Issues

Objectives from linked issues: Issue #940 — add component-level .claude/rules/ context files and enable depguard boundary rules in .golangci.yml; matches implemented changes.

Suggested labels: ci, testing, lint, documentation

Suggested reviewers: Confirm CODEOWNERS for tests/common/support/ and .golangci.yml before merge — CI config changes are supply-chain attack surface (CWE-1104: use of unmaintained third-party components applies to linter config drift).

No praise offered. Verify: (1) list-mode: lax in depguard does not create a fail-open bypass, (2) deleted tests/kfto/environment.go has zero remaining references (broken-import risk masked by compiler, not lint), (3) hardcoded image digests in the new getters are immutable references.

🚥 Pre-merge checks | ✅ 10
✅ Passed checks (10 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: component-level context plus boundary lint rules; no mismatch or ambiguity. CWE-668 risk is addressed.
Linked Issues check ✅ Passed The PR implements #940: scoped .claude rules, depguard boundary rules, and shared image helper relocation; no missing requirement is evident.
Out of Scope Changes check ✅ Passed No clear out-of-scope code changes are present; the test edits support the boundary move and rule enforcement. CWE-710 noise is minimal.
Contribution Quality And Spam Detection ✅ Passed PASS: Only one templated-content signal (formulaic PR body). The rest is a linked, repo-specific refactor/config update; no second category with concrete evidence.
No Hardcoded Secrets ✅ Passed No hardcoded secrets found; added literals are env-var names and SHA256 image digests, with no credential URLs or key material in the changed files.
No Weak Cryptography ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/HMAC comparisons found in touched files; token use is only string substitution/status checks (CWE-327/328/208).
No Injection Vectors ✅ Passed No CWE-89/78/94/502/79 sinks were added; the non-test code only adds hardcoded env-var getters/default digests, and the remaining interpolation is in tests with trusted constants.
No Privileged Containers ✅ Passed No Kubernetes/OpenShift manifests, Helm templates, or Dockerfiles changed; the diff is docs, Go tests, and .golangci.yml only (CWE-250 not introduced).
No Sensitive Data In Logs ✅ Passed PASS: No new logging of secrets/PII was introduced; added helpers/docs only, and new env helpers only read env vars (CWE-532).
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@efazal

efazal commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@h0pers wondering if we can make the rules common for both Claude and Cursor as well. Without repeating the md files, perhaps a suggestion like ai/rules folder will contain the rules and symlinks can be added to them in claude/cursor rules folders? or if we want generalize for any ai agents, then perhaps we can add a reference in the agents.md file pointing to the ai/rules folder.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add AI scaffolding (Tier 3) for distributed-workloads

2 participants