Fix/policy priority anyapproval authoritative

[zacharyblasczyk]

Two policies target the same deployment with anyApproval rules. The higher priority policy (priority 1) requires 0 approvals, the lower priority policy (priority 0) requires 1 approval. The test expects the higher priority policy to win, allowing deployment without approvals. It fails because both rules are evaluated independently and both must pass.

Error: Exit code 1                                                                                                                                                                
     === RUN   TestEngine_PolicyPriority_HigherPriorityAnyApprovalIsAuthoritative                                                                                                      
         engine_policy_priority_test.go:89: expected 1 job (higher priority policy requires 0 approvals), got 0 — the lower priority policy's anyApproval rule should not block        
     deployment                                                                                                                                                                        
     --- FAIL: TestEngine_PolicyPriority_HigherPriorityAnyApprovalIsAuthoritative (0.00s)                                                                                              
     FAIL                                                                                                                                                                              
     FAIL       workspace-engine/test/e2e       1.591s                                                                                                                                 
     FAIL                                                                                                                                                                              
                                                                                                                                                                                       
     === RUN   TestEngine_PolicyPriority_HigherPriorityAnyApprovalIsAuthoritative                                                                                                      
         engine_policy_priority_test.go:89: expected 1 job (higher priority policy requires 0 approvals), got 0 — the lower priority policy's anyApproval rule should not block        
     deployment                 

Summary by CodeRabbit

• Documentation
  • Updated policy rule evaluation: policies now use priority-based resolution. The highest-priority policy's rule applies for each rule type, while different rule types continue to combine across policies. Higher numeric priority values take precedence.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds test coverage and documentation for policy priority semantics. A new end-to-end test validates that higher-priority policies take precedence over lower-priority ones during rule evaluation. A helper function enables priority assignment in test setup, and documentation clarifies that higher numeric priority values take precedence during rule resolution.

Changes

Cohort / File(s)	Summary
Test Infrastructure apps/workspace-engine/test/e2e/engine_policy_priority_test.go, apps/workspace-engine/test/integration/opts.go	Added e2e test verifying policy priority behavior when multiple policies target the same deployment, and added PolicyPriority helper function for test policy construction.
Documentation docs/policies/overview.mdx	Updated policy evaluation semantics to clarify that only the highest-priority policy's rule is used per rule type, with higher numeric values indicating higher priority.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Priorities sorted, rules aligned at last!
Higher numbers hop ahead, leaving lower ranks past.
Tested and documented with floppy-eared care,
Policy precedence floats through the air! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title references the main issue (policy priority with anyApproval) and the expected behavior (authoritative), matching the core problem being addressed in the PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/policy-priority-anyapproval-authoritative

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

docs/policies/overview.mdx (1)

294-297: Document tie behavior for equal priorities.

The doc now defines “highest priority wins,” but it still leaves equal-priority collisions undefined for the same rule type. Please add the tie-break rule (or explicitly state it’s unsupported) to avoid nondeterministic interpretation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/policies/overview.mdx` around lines 294 - 297, Update the "Resolves
rules by priority" item to explicitly define tie behavior for equal-priority
rules: state the deterministic tie-breaker (for example, "if two rules have
equal priority, the rule from the policy with the lexicographically smallest
policy ID wins" or "the policy most recently applied wins") or explicitly
declare that equal priorities are unsupported and will be rejected; update the
sentence that currently reads "For each rule type, only the highest priority
policy's rule is used" to include this tie-break rule so readers know how
conflicts at the same priority are resolved.

apps/workspace-engine/test/e2e/engine_policy_priority_test.go (2)

55-66: Trim inline comments that duplicate the code literals.

These comments mostly restate immediate values/actions and add noise in an otherwise clear test setup.

As per coding guidelines, "Do not add comments that simply restate what the code does".

Also applies to: 79-87

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/workspace-engine/test/e2e/engine_policy_priority_test.go` around lines
55 - 66, Remove the inline comments that simply repeat the code literals in the
test policy setup; specifically delete the comment lines like "// High priority
policy (priority=1): no approval needed" and "// Low priority policy
(priority=0): requires 1 approval" that sit above the integration.WithPolicy
blocks, and likewise remove the duplicate restating comments around the other
policy definitions (around lines with integration.WithPolicy,
integration.PolicyID, integration.PolicyName, integration.PolicyPriority,
integration.WithPolicySelector, integration.WithPolicyRule, and
integration.WithRuleAnyApproval) so the test remains concise and only contains
descriptive comments when they add value.

---

85-91: Strengthen the assertion to prove approval is bypassed.

The current check (len(allJobs) == 1) validates job creation, but it doesn’t fully prove the lower-priority approval rule was ignored. Consider also asserting the deployment is not waiting on approvals (or equivalent approval-gated state) to avoid false positives.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/workspace-engine/test/e2e/engine_policy_priority_test.go` around lines
85 - 91, The test currently only checks job creation; after fetching allJobs via
engine.Workspace().Jobs().Items(), also assert the created job is not in an
approval-gated state by inspecting the job's approval/status fields (e.g.,
allJobs[0].Status.WaitingForApproval == false or calling a helper like
allJobs[0].IsWaitingForApproval() or verifying the job phase is
Running/Completed), so you prove the lower-priority anyApproval rule was
bypassed rather than the job simply being created.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@apps/workspace-engine/test/e2e/engine_policy_priority_test.go`:
- Around line 55-66: Remove the inline comments that simply repeat the code
literals in the test policy setup; specifically delete the comment lines like
"// High priority policy (priority=1): no approval needed" and "// Low priority
policy (priority=0): requires 1 approval" that sit above the
integration.WithPolicy blocks, and likewise remove the duplicate restating
comments around the other policy definitions (around lines with
integration.WithPolicy, integration.PolicyID, integration.PolicyName,
integration.PolicyPriority, integration.WithPolicySelector,
integration.WithPolicyRule, and integration.WithRuleAnyApproval) so the test
remains concise and only contains descriptive comments when they add value.
- Around line 85-91: The test currently only checks job creation; after fetching
allJobs via engine.Workspace().Jobs().Items(), also assert the created job is
not in an approval-gated state by inspecting the job's approval/status fields
(e.g., allJobs[0].Status.WaitingForApproval == false or calling a helper like
allJobs[0].IsWaitingForApproval() or verifying the job phase is
Running/Completed), so you prove the lower-priority anyApproval rule was
bypassed rather than the job simply being created.

In `@docs/policies/overview.mdx`:
- Around line 294-297: Update the "Resolves rules by priority" item to
explicitly define tie behavior for equal-priority rules: state the deterministic
tie-breaker (for example, "if two rules have equal priority, the rule from the
policy with the lexicographically smallest policy ID wins" or "the policy most
recently applied wins") or explicitly declare that equal priorities are
unsupported and will be rejected; update the sentence that currently reads "For
each rule type, only the highest priority policy's rule is used" to include this
tie-break rule so readers know how conflicts at the same priority are resolved.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 19cc8e0 and 4df91a4.

📒 Files selected for processing (3)

• apps/workspace-engine/test/e2e/engine_policy_priority_test.go
• apps/workspace-engine/test/integration/opts.go
• docs/policies/overview.mdx