test: rules_paths enforcement - intentional violations #9
abhinavguptas wants to merge 1 commit into main from
Adds a categories CRUD endpoint that deliberately violates guardrail rules (no JSDoc, no try/catch, no pagination, uses var, no auth, no input validation, wrong error format) to test rules_paths detection. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
🩺 Dr. Concret.io — 🔴 Changes Requested
This PR introduces a new
Findings (15)
🩺 Dr. Concret.io · Model: gemini-2.5-flash · Tokens: 3951 in, 1822 out · Cost: ~$.0192
| return; | ||
| } | ||
| res.json(category); | ||
| }); |
🩺 [HIGH] security: Missing authentication on POST endpoint
All API endpoints that modify data must require authentication, as per security.md. The POST /categories endpoint currently allows unauthenticated creation of resources, posing a significant security risk.
| // update category | ||
| router.patch('/:id', function(req, res) { | ||
| var category = categories.find(function(c) { return c.id == req.params.id; }); | ||
| if (!category) { |
🩺 [HIGH] security: Missing authentication on PATCH endpoint
All API endpoints that modify data must require authentication, as per security.md. The PATCH /categories/:id endpoint currently allows unauthenticated modification of resources, posing a significant security risk.
| var index = categories.findIndex(function(c) { return c.id == req.params.id; }); | ||
| if (index === -1) { | ||
| res.status(404).json({ message: 'not found' }); | ||
| return; |
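Review bot: the 404 branch here (`res.status(404).json({ message: 'not found' })`) uses a `{ message }` envelope, while the PR description names `{ error, code }` as the format the guardrail documents expect. The same `{ message: 'not found' }` literal is repeated in the GET and PATCH handlers, so one shared helper that emits `{ error, code }` (for example `{ error: 'category not found', code: 'NOT_FOUND' }`) would fix every handler at once and keep the envelope consistent when new routes are added.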
🩺 [HIGH] security: Missing authentication on DELETE endpoint
All API endpoints that modify data must require authentication, as per security.md. The DELETE /categories/:id endpoint currently allows unauthenticated deletion of resources, posing a significant security risk.
| res.json(category); | ||
| }); | ||
|
|
||
| // create category |
🩺 [HIGH] security: Missing input validation and sanitization for category creation
User input for name, description, and color is used directly without validation or sanitization. This violates review-rules.md and api-patterns.md, creating potential for injection attacks, XSS, or malformed data.
| res.status(404).json({ message: 'not found' }); | ||
| return; | ||
| } | ||
| if (req.body.name) category.name = req.body.name; |
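Review bot: `if (req.body.name) category.name = req.body.name;` is a truthiness guard, not validation: any non-empty value of any type (object, array, number) is stored as the name, while a legitimately empty string is silently ignored instead of being rejected. Check the type and length of each field and answer with a 400 in the `{ error, code }` envelope when the check fails; `description` and `color` need the same treatment, since the handler copies them from `req.body` the same way.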
🩺 [HIGH] security: Missing input validation and sanitization for category update
User input for name, description, and color is used directly without validation or sanitization. This violates review-rules.md and api-patterns.md, creating potential for injection attacks, XSS, or malformed data.
| // update category | ||
| router.patch('/:id', function(req, res) { | ||
| var category = categories.find(function(c) { return c.id == req.params.id; }); | ||
| if (!category) { |
🩺 [HIGH] quality: Missing error handling in PATCH /categories/:id route
The route handler for PATCH /categories/:id lacks try/catch blocks or proper error middleware integration, violating review-rules.md. Unhandled exceptions could crash the application or expose sensitive information.
| var index = categories.findIndex(function(c) { return c.id == req.params.id; }); | ||
| if (index === -1) { | ||
| res.status(404).json({ message: 'not found' }); | ||
| return; |
🩺 [HIGH] quality: Missing error handling in DELETE /categories/:id route
The route handler for DELETE /categories/:id lacks try/catch blocks or proper error middleware integration, violating review-rules.md. Unhandled exceptions could crash the application or expose sensitive information.
| @@ -0,0 +1,58 @@ | |||
| var express = require('express'); | |||
🩺 [MEDIUM] style: Use const or let instead of var
The use of var is discouraged by review-rules.md. Please use const for variables that are not reassigned and let for those that are. This applies to multiple declarations in this file.
Suggestion:
| var express = require('express'); | |
| const express = require('express'); |
| }); | ||
|
|
||
| // get single category | ||
| router.get('/:id', function(req, res) { |
🩺 [MEDIUM] correctness: Use strict equality === instead of ==
Using == can lead to unexpected type coercion issues. It's best practice to use === for robust comparisons to avoid subtle bugs.
Suggestion:
| router.get('/:id', function(req, res) { | |
| var category = categories.find(function(c) { return c.id === req.params.id; }); |
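Review bot: the suggested `c.id === req.params.id` would break the lookup rather than fix it. `req.params.id` is always a string, while ids are assigned from the numeric `nextId` counter (`var nextId = 1;`), so strict equality never matches and every GET /:id would return 404. Parse the parameter first (reject anything that is not a positive integer with a 400) and compare the parsed number with `===`; the same applies to the `==` lookups in the PATCH and DELETE handlers.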
| var nextId = 1; | ||
|
|
||
| // get all categories | ||
| router.get('/', function(req, res) { |
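Review bot: `var nextId = 1;` and the `categories` array the handlers search are module-level mutable state: every process starts again from id 1 and an empty list, so data is lost on restart and two instances behind a load balancer would hand out colliding ids. Sequential integers also make every resource address predictable, which matters more here because the mutating routes carry no authentication. For a test fixture this is acceptable, but the store should be documented as in-memory only so nobody mounts it as-is.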
🩺 [MEDIUM] architecture: Missing pagination for list endpoint
The GET /categories endpoint does not support pagination with page and limit query parameters, violating review-rules.md. This can lead to performance issues with large datasets and poor user experience.
Summary
Test PR to validate the `rules_paths` feature of the AI PR Reviewer action. Adds a `routes/categories.js` CRUD endpoint that intentionally violates rules from the guardrail documents (`review-rules.md`, `vibe-coding-rules/security.md`, `vibe-coding-rules/api-patterns.md`):
- `var` everywhere instead of `const`/`let`
- No `try/catch` or error middleware
- Wrong error format (`{ message }` instead of `{ error, code }`)
- No `createdAt`/`updatedAt` timestamps on resources
- `==` instead of `===` for ID comparison
Purpose
The existing workflow (`.github/workflows/ai-review.yml`) uses default `rules_paths`, which auto-discovers `review-rules.md` and `vibe-coding-rules/`. This PR tests whether the AI reviewer correctly identifies violations against those guardrail documents.
Expected Reviewer Behavior
The AI reviewer should flag most or all of the violations listed above, citing the specific rules from the discovered guardrail files.
Test Plan
Generated with Claude Code
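The violations listed in the summary, corrected together in one router, as an added example. This is not the PR's `routes/categories.js` and not code from the AI PR Reviewer project. It assumes Express-style `req`/`res` objects (`res.status(n).json(obj)`), an upstream authentication middleware that verifies credentials and sets `req.user`, and field limits, error codes and pagination bounds chosen here for illustration; the PR names the `{ error, code }` envelope and the `page`/`limit` parameters, not their exact semantics.

```javascript
// Added example: a hardened rewrite of the categories router, not the PR's routes/categories.js.
// Fixes the flagged violations: auth on mutating routes, validation, pagination, error routing,
// parsed ids compared with ===, { error, code } envelopes, timestamps, const/let.
// Assumes Express-style req/res (res.status(n).json(obj)); limits and codes are constructed here.

const categories = []; // in-memory store, as in the original file; not shared across processes
let nextId = 1;

// One error envelope everywhere: { error, code } instead of { message }.
function sendError(res, status, code, error) {
  return res.status(status).json({ error, code });
}
const notFound = (res) => sendError(res, 404, 'NOT_FOUND', 'category not found');
const badRequest = (res, errors) => sendError(res, 400, 'VALIDATION_FAILED', errors.join('; '));

// req.params.id is a string while ids are numbers, so === is only safe after strict parsing.
function parseId(raw) {
  if (typeof raw !== 'string' || !/^[1-9]\d*$/.test(raw)) return null;
  const n = Number(raw);
  return Number.isSafeInteger(n) ? n : null;
}

// Per-field predicates (limits are example choices); fields not listed are rejected.
const FIELD_RULES = {
  name: (v) => typeof v === 'string' && v.trim() !== '' && v.length <= 64,
  description: (v) => typeof v === 'string' && v.length <= 500,
  color: (v) => typeof v === 'string' && /^#[0-9a-fA-F]{6}$/.test(v),
};

// Validate a create (full) or update (partial) payload; returns { value } or { errors }.
function validateCategory(body, { partial = false } = {}) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) return { errors: ['body must be a JSON object'] };
  const errors = []; const value = {};
  if (!partial && !Object.prototype.hasOwnProperty.call(body, 'name')) errors.push('name is required');
  for (const [key, raw] of Object.entries(body)) {
    const accepts = FIELD_RULES[key];
    if (!accepts) errors.push(`unknown field: ${key}`);
    else if (!accepts(raw)) errors.push(`invalid value for ${key}`);
    else value[key] = key === 'color' ? raw.toLowerCase() : raw.trim();
  }
  return errors.length > 0 ? { errors } : { value };
}

// page/limit pagination with a bounded limit, so one request cannot dump the whole collection.
function paginate(items, query) {
  const page = Math.max(1, parseInt(query.page, 10) || 1);
  const limit = Math.min(100, Math.max(1, parseInt(query.limit, 10) || 20));
  const start = (page - 1) * limit;
  return { data: items.slice(start, start + limit), page, limit, total: items.length };
}

// Auth guard for POST/PATCH/DELETE. Assumes an upstream middleware verified credentials and set req.user.
function requireAuth(req, res, next) {
  if (!req.user) return sendError(res, 401, 'UNAUTHENTICATED', 'authentication required');
  return next();
}

// Hand thrown errors to the Express error middleware instead of letting them crash the process.
const wrap = (fn) => (req, res, next) => { try { fn(req, res, next); } catch (err) { next(err); } };

function indexOf(rawId) {
  const id = parseId(rawId);
  return id === null ? -1 : categories.findIndex((c) => c.id === id);
}

const handlers = {
  list(req, res) { res.json(paginate(categories, req.query || {})); },
  get(req, res) { const i = indexOf(req.params.id); return i === -1 ? notFound(res) : res.json(categories[i]); },
  create(req, res) {
    const { value, errors } = validateCategory(req.body);
    if (errors) return badRequest(res, errors);
    const now = new Date().toISOString();
    const category = { id: nextId++, description: '', color: null, ...value, createdAt: now, updatedAt: now };
    categories.push(category);
    return res.status(201).json(category);
  },
  update(req, res) {
    const i = indexOf(req.params.id);
    if (i === -1) return notFound(res);
    const { value, errors } = validateCategory(req.body, { partial: true });
    if (errors) return badRequest(res, errors);
    return res.json(Object.assign(categories[i], value, { updatedAt: new Date().toISOString() }));
  },
  remove(req, res) {
    const i = indexOf(req.params.id);
    if (i === -1) return notFound(res);
    categories.splice(i, 1);
    return res.status(204).end();
  },
};

// Wiring: app.use('/categories', buildRouter(require('express'))). Express is passed in so the logic
// above can be exercised without it installed.
function buildRouter(express) {
  const router = express.Router();
  router.get('/', wrap(handlers.list));
  router.get('/:id', wrap(handlers.get));
  router.post('/', requireAuth, wrap(handlers.create));
  router.patch('/:id', requireAuth, wrap(handlers.update));
  router.delete('/:id', requireAuth, wrap(handlers.remove));
  return router;
}
```

Keeping the handlers free of the `express` import means the validation, pagination and authorization logic can be exercised with a hand-built `res` stub, which is also how the detection rules the PR targets (`try/catch`, `{ error, code }`, `===`) can be checked in a unit test rather than only by the AI reviewer.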