feat: Config Protection Proposal - Bounty #30 ($75)

[zhaog100]

Config Protection

Bounty: #30 | Reward: $75

Addresses configuration protection for UbiquityOS plugins to prevent unauthorized changes.

Proposal Highlights

• 3-layer protection: CODEOWNERS gate + webhook-level rollback + audit trail
• Auto-rollback: Unauthorized config changes are automatically reverted by the bot
• Role-based authorization: Only admins and billing managers can modify financial config
• Tamper detection: SHA-256 hash chain of config states

See proposals/config-protection.md for full details.

[coderabbitai]

Warning

Rate limit exceeded

@zhaog100 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 57 minutes and 15 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 57 minutes and 15 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fa04ec76-2d5f-49df-9ac1-aaa19f9d5140

📥 Commits

Reviewing files that changed from the base of the PR and between 2416035 and 0384c08.

📒 Files selected for processing (1)

• proposals/config-protection.md

📝 Walkthrough

Walkthrough

Adds a proposal document that defines a three-layer protection for UbiquityOS plugin config files affecting financial operations: (1) CODEOWNERS review gates and branch protection for specific config paths, (2) a webhook-driven plugin that detects watched config changes on push, verifies pusher permissions via the GitHub Collaborator API, and automatically rolls back unauthorized changes with admin notifications, and (3) an audit-trail layer that posts change details, writes audit entries, and maintains a SHA-256 hash chain of config states. The proposal includes phased implementation steps and a test plan.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title clearly describes the main change: a config protection proposal. It references the bounty number and reward, matching the PR's primary focus.
Description check	✅ Passed	Description is directly related to the changeset. It outlines the proposal's core features (3-layer protection, auto-rollback, role-based authorization, tamper detection) and references the full proposal document.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (2)

proposals/config-protection.md (2)

61-70: Code example incomplete—show how to obtain previousTreeSha.

The snippet references previousTreeSha but doesn't demonstrate how to retrieve it. Implementers need to see the tree retrieval step.

📚 Suggested enhancement

 4. **Rollback mechanism** — If unauthorized:
    ```typescript
+   // Get previous commit
+   const previousCommit = await octokit.git.getCommit({ commit_sha: previousSha });
+   const previousTreeSha = previousCommit.data.tree.sha;
+   
    // Get previous commit's config content
    const previousConfig = await octokit.repos.getContent({ ref: previousSha, ... });

---

96-96: Address force-push race conditions.

Force-pushing the branch back could create conflicts if other developers pulled the unauthorized commit. Consider documenting the race condition handling strategy or warning admins to verify no one has pulled the bad commit.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a7b7c7ac-258c-457f-bc07-bdf2fc9fa6ee

📥 Commits

Reviewing files that changed from the base of the PR and between edb3383 and 189ee4e.

📒 Files selected for processing (1)

• proposals/config-protection.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What are the valid permission levels returned by GitHub's GET /repos/{owner}/{repo}/collaborators/{username}/permission API?

💡 Result:

GET /repos/{owner}/{repo}/collaborators/{username}/permission returns a permission value that is one of the legacy base roles:

• admin
• write
• read
• none [1]

(If you need the non-legacy role, use the role_name field, which can include maintain, triage, or a custom repository role name.) [1]

Sources:
[1] GitHub Docs – “Get repository permissions for a user” (REST API: Collaborators) (docs.github.com)

Citations:

• 1: https://docs.github.com/v3/repos/collaborators/

---

GitHub API endpoint doesn't support "billing_manager" role.

The GET /repos/{owner}/{repo}/collaborators/{username}/permission API returns only: admin, write, read, none (or maintain, triage via role_name). Define how authorization checks will identify billing managers—via GitHub team membership or custom metadata instead.

[zhaog100]

Superseded by #91 (updated version with CodeRabbit feedback addressed). Closing this duplicate.