feat: Add path_utils.py with method resolve_repo_path

[jgarciao]

• Adds shared function to resolve and validate any user-supplied or parametrized file paths, preventing path-traversal and symlink-escape outside the repository root
• Recommends it's usage in CONSTITUTION.md

Summary by CodeRabbit

Release Notes

• Chores
  • Strengthened path-handling to prevent unauthorized file access outside the repository.
• Tests
  • Updated test utilities to rely on the centralized path-resolution behavior for more consistent and reliable test runs.
• Style
  • Expanded lint configuration to include an additional rule for improved code quality.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/wip', '/lgtm', '/hold', '/cherry-pick', '/build-push-pr-image', '/verified'}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: b054b0ff-932d-4592-8a62-37068e3cc90f

📥 Commits

Reviewing files that changed from the base of the PR and between 5cee8ca and 1576dc2.

📒 Files selected for processing (2)

• pyproject.toml
• tests/llama_stack/utils.py

✅ Files skipped from review due to trivial changes (1)

• pyproject.toml

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/llama_stack/utils.py

---

📝 Walkthrough

Walkthrough

Centralizes repository-bound path resolution by adding utilities.path_utils.resolve_repo_path and updating tests to use it instead of ad-hoc Path.resolve() checks; enforces repo confinement to mitigate path traversal (CWE-22) and symlink escape risks.

Changes

Cohort / File(s)	Summary
Path Resolution Infrastructure utilities/path_utils.py	New module providing resolve_repo_path(source, repo_root=None) that resolves symlinks, computes repo root, and validates final paths are within the repo (raises ValueError on escape).
Security Policy Documentation CONSTITUTION.md	Added requirement to use utilities.path_utils.resolve_repo_path for any resolution/validation of user-supplied or parameterized file paths.
Vector Store Integration (tests) tests/llama_stack/conftest.py, tests/llama_stack/utils.py	Removed repo_root parameter from vector_store_upload_doc_sources; replaced manual Path.resolve() + is_relative_to() logic with calls to resolve_repo_path for local (non-URL) sources and per-file resolution.
Lint config pyproject.toml	Expanded Ruff external list to include FCN001 in addition to E501.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description explains the purpose (preventing path-traversal and symlink escape) but lacks testing confirmation, related issues, and follows the template minimally with only a summary section.	Complete the template by adding 'Related Issues' links, specifying testing method (Locally/Jenkins), and any additional requirements from the checklist.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding a new path_utils.py module with the resolve_repo_path method, which is the primary feature introduced in this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

tests/llama_stack/utils.py (1)

282-287: Type hint for doc_sources is too permissive.

doc_sources: Any loses type safety. Since the function expects a list of strings and validates this at runtime (line 304), tighten the signature.

 def vector_store_upload_doc_sources(
-    doc_sources: Any,
+    doc_sources: list[str],
     llama_stack_client: LlamaStackClient,
     vector_store: Any,
     vector_io_provider: str,
 ) -> None:

This makes the runtime TypeError check at line 304-305 redundant (static analysis catches misuse), or keep the check for defense-in-depth but update the type hint regardless.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/llama_stack/utils.py` around lines 282 - 287, The doc_sources parameter
on vector_store_upload_doc_sources is too permissive (Any); change its type hint
to a stricter collection type such as Sequence[str] or List[str] (e.g.,
doc_sources: Sequence[str]) and add the necessary import from typing, while
optionally keeping the existing runtime TypeError check in the function for
defense-in-depth; update references in the function body to rely on the stronger
static type and adjust tests/type annotations accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CONSTITUTION.md`:
- Line 82: The term "parametrized" in the CONSTITUTION.md line referencing
utilities.path_utils.resolve_repo_path is inconsistent with the project's
spelling "parameterized"; update that occurrence to "parameterized" so it
matches other uses (e.g., "parameterized fixtures") and ensure wording around
utilities.path_utils.resolve_repo_path remains unchanged except for the
corrected spelling.

In `@utilities/path_utils.py`:
- Line 37: The trailing noqa comment "FCN001" on the Path(source) assignment is
invalid for Ruff; remove the invalid "# noqa: FCN001" from the raw =
Path(source) line, or if FCN001 is intended from another linter, add "FCN001" to
the lint.external list in pyproject.toml so Ruff won't flag it; update the raw =
Path(source) line (or pyproject.toml) accordingly and run the linter to confirm
the warning is resolved.

---

Nitpick comments:
In `@tests/llama_stack/utils.py`:
- Around line 282-287: The doc_sources parameter on
vector_store_upload_doc_sources is too permissive (Any); change its type hint to
a stricter collection type such as Sequence[str] or List[str] (e.g.,
doc_sources: Sequence[str]) and add the necessary import from typing, while
optionally keeping the existing runtime TypeError check in the function for
defense-in-depth; update references in the function body to rely on the stronger
static type and adjust tests/type annotations accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 8262c5b1-effa-4809-8e5e-aa084e79298f

📥 Commits

Reviewing files that changed from the base of the PR and between 5957e10 and 2d1de22.

📒 Files selected for processing (4)

• CONSTITUTION.md
• tests/llama_stack/conftest.py
• tests/llama_stack/utils.py
• utilities/path_utils.py

💤 Files with no reviewable changes (1)

• tests/llama_stack/conftest.py

[coderabbitai]

♻️ Duplicate comments (1)

utilities/path_utils.py (1)

37-37: ⚠️ Potential issue | 🟡 Minor

Remove or register invalid # noqa code on Line 37.

# noqa: FCN001 is not recognized by Ruff (RUF102), so this suppression is ineffective. Either remove the inline noqa or add FCN001 to Ruff lint.external if another linter truly owns that code.

Proposed fix (file-local)

-    raw = Path(source)  # noqa: FCN001
+    raw = Path(source)

#!/bin/bash
set -euo pipefail

echo "== Find invalid noqa usage =="
rg -n 'noqa:\s*FCN001' --type py

echo
echo "== Check whether Ruff external codes include FCN001 =="
fd pyproject.toml --exec sh -c 'echo "--- {} ---"; rg -n "external|FCN001" "{}" || true'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@utilities/path_utils.py` at line 37, The inline suppression "# noqa: FCN001"
on the statement "raw = Path(source)" is invalid for Ruff (RUF102); either
remove the inline noqa or register FCN001 as an external code in your Ruff
config. Fix by deleting the trailing " # noqa: FCN001" from the "raw =
Path(source)" line in utilities/path_utils.py, or alternatively add "FCN001"
under lint.external in pyproject.toml so Ruff recognizes the suppression;
reference the "raw" variable and the "Path(source)" expression when making the
change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@utilities/path_utils.py`:
- Line 37: The inline suppression "# noqa: FCN001" on the statement "raw =
Path(source)" is invalid for Ruff (RUF102); either remove the inline noqa or
register FCN001 as an external code in your Ruff config. Fix by deleting the
trailing " # noqa: FCN001" from the "raw = Path(source)" line in
utilities/path_utils.py, or alternatively add "FCN001" under lint.external in
pyproject.toml so Ruff recognizes the suppression; reference the "raw" variable
and the "Path(source)" expression when making the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: a5dde62c-0219-4b11-9b27-4fac286c3a5f

📥 Commits

Reviewing files that changed from the base of the PR and between 2d1de22 and 5cee8ca.

📒 Files selected for processing (4)

• CONSTITUTION.md
• tests/llama_stack/conftest.py
• tests/llama_stack/utils.py
• utilities/path_utils.py

💤 Files with no reviewable changes (1)

• tests/llama_stack/conftest.py

✅ Files skipped from review due to trivial changes (1)

• CONSTITUTION.md

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/llama_stack/utils.py

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.