feat: Config Protection Plugin - Bounty #30 ($75)#91

Open
zhaog100 wants to merge 2 commits into ubiquity-os:main from zhaog100:config-protection

Conversation

@zhaog100

Resolves #30

Config Protection Plugin

A UbiquityOS plugin that protects configuration files from unauthorized modifications by automatically reverting changes made by users without admin or billing_manager permissions.

Plugin Repository

https://github.com/zhaog100/config-protection

How It Works

  1. Listens for push events on the default branch
  2. Detects modifications to protected config files (.ubiquity-os.config.yml, etc.)
  3. Checks if the committer has admin or billing_manager role via GitHub API
  4. Auto-reverts unauthorized commits using the Git Data API with a descriptive revert commit

Features

  • Configurable protected paths - defaults to all common UbiquityOS config file locations
  • Configurable allowed roles - defaults to admin and billing_manager
  • Automatic revert - unauthorized commits are immediately reverted
  • Default branch only - only monitors pushes to the default branch
  • Case-insensitive matching - catches config files regardless of casing
  • Billing manager detection - checks org-level billing_manager role via membership API

Configuration

# .ubiquity-os.config.yml (plugin settings)
protectedConfigPaths:
  - .ubiquity-os.config.yml
  - .github/ubiquity-os.config.yml
allowedRoles:
  - admin
  - billing_manager

Events

  • push - Monitors pushes to the default branch for config file changes

Technical Implementation

  • Built with TypeScript + UbiquityOS Plugin SDK
  • Uses GitHub REST API for permission checking and commit reversion
  • Revert creates a new commit with the parent tree, effectively undoing the unauthorized change
  • The revert commit message identifies the unauthorized user and original commit SHA
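
The push-event flow described in the PR above, as an added example in TypeScript that is not the plugin's own code: it matches changed paths against the protected list case-insensitively, decides whether a push on the default branch needs reverting, and returns the Git Data API revert plan. The push payload, the role table and the account names are constructed for the example; `lookupRoles` is a hypothetical stand-in for the GitHub repository-permission and org-membership calls named in its comment. Two points the example handles that a practitioner would want checked: it authorises the push event's authenticated `sender`, because the author and committer fields inside a commit are whatever the pusher's git client wrote, and it skips pushes made by the plugin's own bot account so a revert does not trigger another revert.

```typescript
// Added example, not code from the config-protection plugin itself: the
// decision logic a push-driven config guard needs, with the GitHub API replaced
// by an injected role lookup so it runs offline on a constructed push payload.

type PushCommit = { id: string; added: string[]; modified: string[]; removed: string[] };

type PushPayload = {
  ref: string;               // e.g. "refs/heads/main"
  before: string;            // branch head before the push (all zeros on branch creation)
  after: string;             // branch head after the push
  repository: { default_branch: string };
  sender: { login: string }; // the authenticated account that pushed
  commits: PushCommit[];
};

// In the real plugin the roles come from GitHub: the repository permission
// endpoint (GET /repos/{owner}/{repo}/collaborators/{username}/permission) and
// the org membership endpoint (GET /orgs/{org}/memberships/{username}), whose
// "role" can be "admin", "member" or "billing_manager". This hypothetical
// lookup stands in for both calls.
type RoleLookup = (login: string) => string[];

type ConfigHit = { id: string; paths: string[] };
type Decision =
  | { action: "ignore"; reason: string }
  | { action: "revert"; login: string; hits: ConfigHit[]; parentSha: string; restoreTreeOf: string; message: string };

// Collapse "./", backslashes and case so ".github/./Ubiquity-OS.config.YML" still matches.
function normalizePath(p: string): string {
  return p.replace(/\\/g, "/").split("/").filter((s) => s !== "" && s !== ".").join("/").toLowerCase();
}

function isProtectedPath(path: string, protectedPaths: string[]): boolean {
  const target = normalizePath(path);
  return protectedPaths.some((p) => normalizePath(p) === target);
}

// Commits in the push that add, modify or remove a protected file, in push order.
function configHits(payload: PushPayload, protectedPaths: string[]): ConfigHit[] {
  return payload.commits
    .map((c) => ({ id: c.id, paths: [...c.added, ...c.modified, ...c.removed].filter((p) => isProtectedPath(p, protectedPaths)) }))
    .filter((h) => h.paths.length > 0);
}

function decide(payload: PushPayload, protectedPaths: string[], allowedRoles: string[], lookupRoles: RoleLookup, botLogin: string): Decision {
  if (payload.ref !== `refs/heads/${payload.repository.default_branch}`) {
    return { action: "ignore", reason: `not the default branch: ${payload.ref}` };
  }
  // The revert the plugin pushes is itself a push event on the default branch;
  // without this guard the plugin would revert its own revert forever.
  if (payload.sender.login === botLogin) return { action: "ignore", reason: "own revert push" };
  const hits = configHits(payload, protectedPaths);
  if (hits.length === 0) return { action: "ignore", reason: "no protected file touched" };
  // Authorise the authenticated pusher. The author/committer fields inside each
  // commit are set by whoever ran git and can name anyone.
  const roles = lookupRoles(payload.sender.login);
  if (roles.some((r) => allowedRoles.includes(r))) {
    return { action: "ignore", reason: `${payload.sender.login} holds ${roles.join(",")}` };
  }
  // Revert plan for the Git Data API: create a commit whose tree is the tree of
  // the pre-push head and whose parent is the new head, then update the ref.
  // This restores the whole pre-push snapshot, so any legitimate non-config
  // change in the same push is discarded too; restoring only the protected
  // paths would need a new tree built from the pre-push blobs.
  const summary = hits.map((h) => h.id.slice(0, 7) + ": " + h.paths.join(", ")).join("; ");
  const message = `Revert unauthorized config change by @${payload.sender.login} (${summary})`;
  return { action: "revert", login: payload.sender.login, hits, parentSha: payload.after, restoreTreeOf: payload.before, message };
}

// Constructed sample data (not a real repository or real accounts).
const PROTECTED = [".ubiquity-os.config.yml", ".github/ubiquity-os.config.yml"];
const ALLOWED = ["admin", "billing_manager"];
const ROLES: Record<string, string[]> = { alice: ["admin"], bob: ["billing_manager"], mallory: ["write"] };
const lookup: RoleLookup = (login) => ROLES[login] ?? [];

function samplePush(login: string, ref = "refs/heads/main"): PushPayload {
  return {
    ref, before: "a".repeat(40), after: "b".repeat(40),
    repository: { default_branch: "main" },
    sender: { login },
    commits: [
      { id: "1111111deadbeef", added: [], modified: ["src/index.ts"], removed: [] },
      { id: "2222222cafef00d", added: [], modified: [".github/./Ubiquity-OS.config.YML"], removed: [] },
    ],
  };
}

// Sanity run when executed directly: mallory is reverted, alice and the bot are ignored.
for (const who of ["mallory", "alice", "ubiquity-os[bot]"]) {
  console.log(who, JSON.stringify(decide(samplePush(who), PROTECTED, ALLOWED, lookup, "ubiquity-os[bot]")));
}
```

The revert plan restores the tree of the pre-push head (`before`), which is the simplest snapshot that is still correct when a push carries several commits or was forced; the trade-off, noted in the code, is that legitimate non-config changes bundled into the same push are reverted with it.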

@coderabbitai

coderabbitai Bot commented Apr 12, 2026

Warning

Rate limit exceeded

@zhaog100 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 53 minutes and 52 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 53 minutes and 52 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d7d114b4-6903-461b-adcd-f0d7880ae325

📥 Commits

Reviewing files that changed from the base of the PR and between bcc90a6 and 76bc1de.

📒 Files selected for processing (1)
  • README.md
📝 Walkthrough

Walkthrough

The change adds documentation to README.md by introducing a new "Implemented Plugins" section with an entry for Config Protection. The entry documents the plugin's implementation status, associated bounty amount, repository reference, and describes its functionality: restricting configuration file modifications to authorized roles (admins and billing managers) and automatically reverting any unauthorized changes through immediate rollback commits.

🚥 Pre-merge checks: 5 passed, 0 failed
  • Title check: ✅ Passed. The title accurately describes the main change: documentation of a Config Protection Plugin implementation addressing bounty #30.
  • Description check: ✅ Passed. The description is comprehensive and directly related to the changeset, explaining the plugin's purpose, functionality, configuration, and technical implementation.
  • Linked Issues check: ✅ Passed. The PR documentation demonstrates full compliance with issue #30 requirements: config protection via role verification (admin/billing_manager), unauthorized commit detection and automatic reversion, and fraud prevention.
  • Out of Scope Changes check: ✅ Passed. The changes are limited to README documentation adding the 'Implemented Plugins' section for the Config Protection plugin, which is directly scoped to issue #30 requirements.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 409d2ac0-0939-47e9-ab57-58ef8f1b0ab1

📥 Commits

Reviewing files that changed from the base of the PR and between edb3383 and bcc90a6.

📒 Files selected for processing (1)
  • README.md

Comment thread on README.md (outdated)


Development

Successfully merging this pull request may close these issues.

Config Protection
