feat(philosophy): expand to 12-principle QWED constitution + CI boundary gate#202

Merged: Rahul Dass (rahuldass19) merged 3 commits into main from feat/philosophy-12-principles on Jun 15, 2026
@rahuldass19 Rahul Dass (rahuldass19) commented Jun 15, 2026

Member

Description

Expands QWED_RULES.md from 7 to 12 principles, updates all governance files (CONTRIBUTING.md, PR template, copilot-instructions, coderabbit), and adds an AST-based CI boundary check gate.

Changes:

| File | What |
| --- | --- |
| QWED_RULES.md | 7 principles → 12 (Deterministic Decisions, Explicit Boundaries, Approved Paths Only, Vulnerability Family Thinking, Ecosystem Neutrality, Hardening Over Features, Existing Issues Must Survive) |
| CONTRIBUTING.md | Added Approved Paths table (safe_parse_expr vs parse_expr, safe_eval vs eval) |
| .github/pull_request_template.md | Expanded enforcement checklist (7 items) |
| .github/copilot-instructions.md | Added no-scoring, approved-paths-only, legacy-issues rules |
| .coderabbit.yaml | Added vulnerability-family-thinking to path instructions |
| .github/workflows/ci.yml | Added Boundary Check (QWED Rules) step |
| scripts/check_boundary.py | New file — AST-based CI gate exempting safe_parser.py and safe_evaluator.py |

Summary by CodeRabbit

  • Documentation

    • Enhanced security enforcement rules with new criteria prohibiting confidence-based heuristics and system prompt reliance as security boundaries.
    • Updated contribution guidelines defining approved paths for sensitive operations with CI enforcement.
    • Expanded pull request checklist covering pre-execution verification, fail-closed behavior, and non-regression requirements.
  • Chores

    • Added boundary validation step to CI pipeline.

…y gate

- Expand QWED_RULES.md from 7 to 12 principles (Deterministic Decisions,
  Explicit Boundaries, Approved Paths Only, Vulnerability Family Thinking,
  Existing Issues Must Survive New Boundaries, etc.)
- Update CONTRIBUTING.md with Approved Paths table
- Update PR template with expanded enforcement checklist
- Update copilot-instructions.md and .coderabbit.yaml with new rules
- Add scripts/check_boundary.py (AST-based CI gate for eval/exec/parse_expr)
- Add boundary-check step to CI workflow, exempt safe_parser.py and safe_evaluator.py
@coderabbitai

coderabbitai Bot commented Jun 15, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 86179c13-c9ff-4229-881d-6c2ab2024725

📥 Commits

Reviewing files that changed from the base of the PR and between 65ee555 and 6e52e2c.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • scripts/check_boundary.py
Walkthrough

Expands QWED enforcement rules into 12 structured Core Principles and two new Forbidden Suggestions in QWED_RULES.md. Introduces scripts/check_boundary.py, an AST-based CI gate that flags direct eval/exec/parse_expr calls outside an approved wrapper allowlist. Wires the script into the CI workflow and propagates the updated rules into CONTRIBUTING.md, the PR template, .coderabbit.yaml, and Copilot instructions.

Changes

QWED Enforcement Hardening

| Layer / File(s) | Summary |
| --- | --- |
| Core Principles and Forbidden Suggestions (QWED_RULES.md) | Replaces the prior short rule list with 12 explicit Core Principles (deterministic enforcement, approved-wrapper routing, fail-closed behavior, vulnerability-family thinking, additive boundaries, etc.) and adds two Forbidden Suggestions rejecting LLM confidence thresholds and system-prompt reliance. |
| AST boundary-check script (scripts/check_boundary.py) | New standalone script that walks src/**/*.py via ast, extracts call names from ast.Call nodes including attribute chains, flags direct eval/exec/parse_expr calls outside an approved wrapper allowlist, and exits 1 on violations or 0 on success. |
| CI wiring and contributing docs (.github/workflows/ci.yml, CONTRIBUTING.md) | Inserts a "Boundary Check (QWED Rules)" step running check_boundary.py into the CI workflow before Python setup; adds an Approved Paths section and two new Common Misunderstandings rows to CONTRIBUTING.md. |
| AI review tooling and PR template (.coderabbit.yaml, .github/copilot-instructions.md, .github/pull_request_template.md) | Propagates the new rules into CodeRabbit review instructions (two new rejection criteria, renumbered list), Copilot instructions (expanded rule block), and the PR template (rewritten seven-item QWED Enforcement Checklist). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • QWED-AI/qwed-verification#115: Modifies the same QWED enforcement documentation sources (QWED_RULES.md, .coderabbit.yaml, .github/*) and aligns fail-closed/deterministic-boundary rules, making it a direct predecessor to this PR's rule expansions.

Poem

🐇 Hoppity-hop through the AST,
No sneaky eval escapes from me!
Fail-closed or fail hard — there's no in-between,
The wrapper allowlist keeps the boundary clean.
With twelve core rules and a CI gate,
This rabbit ensures no vuln gets through the crate! 🛡️

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Description check | ❓ Inconclusive | The PR description provides a clear summary with a detailed change table and file-by-file breakdown, though it does not follow the required template structure with checklist items and validation details. | Complete the PR description using the required template format: include the QWED Enforcement Checklist items, explicit Summary and Validation sections, and QWED_RULES.md compliance Notes. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately captures the main change: expanding QWED rules from 7 to 12 principles and implementing an automated CI boundary gate. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@codspeed-hq

codspeed-hq Bot commented Jun 15, 2026

Contributor

Merging this PR will not alter performance

✅ 20 untouched benchmarks


Comparing feat/philosophy-12-principles (f55a8aa) with main (7be2dc6)

@codecov

codecov Bot commented Jun 15, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

@greptile-apps

greptile-apps Bot commented Jun 15, 2026


Greptile Summary

This PR expands QWED_RULES.md from 7 to 12 principles and adds a new AST-based CI boundary gate (scripts/check_boundary.py) to enforce them. The governance documentation updates are clean and coherent, but the PR also inadvertently commits several local development artifacts that must be removed.

  • scripts/check_boundary.py: The gate correctly uses full-path exemptions and handles builtins.eval, but misses the entire family of from X import Y style imports — from subprocess import run; run([...]) and similar patterns produce bare short-names that are absent from FORBIDDEN_CALLS, silently bypassing the gate.
  • test_venv/ directory: A Windows Python virtual environment, including compiled .exe binaries, was accidentally committed and should be removed and added to .gitignore.
  • fix_cache.py / update_cache.py: Appear to be one-off local patching scripts inadvertently included in the PR; fix_cache.py contains only a UTF-8 BOM with no code.

Confidence Score: 3/5

Not safe to merge as-is: the CI security gate has a meaningful detection gap and compiled Windows binaries inside test_venv/ should not land on main.

The AST gate's FORBIDDEN_CALLS set only covers fully-qualified attribute-style calls. A contributor who writes from subprocess import run; run([...]) produces a bare ast.Name whose short-name is absent from the set, so the check passes silently — the opposite of the fail-closed posture the PR is trying to enforce. The accidental commit of test_venv/ brings compiled .exe binaries onto main, and fix_cache.py / update_cache.py are local dev scripts with no place in the repository.

scripts/check_boundary.py (from-import bypass gap), test_venv/ (entire directory should be removed), fix_cache.py and update_cache.py (accidental dev artifacts).

Important Files Changed

| Filename | Overview |
| --- | --- |
| scripts/check_boundary.py | New AST-based CI gate for forbidden call detection; correctly uses full-path exemptions and catches builtins.eval, but from X import Y style imports bypass FORBIDDEN_CALLS entirely for all subprocess/os shell calls. |
| test_venv/Scripts/Activate.ps1 | Windows virtual environment activation script accidentally committed; entire test_venv/ tree including compiled .exe binaries should not be in source control. |
| fix_cache.py | Contains only a UTF-8 BOM with no code — an accidental empty file commit alongside update_cache.py, a one-off local patching script. |
| .github/workflows/ci.yml | Adds Boundary Check step correctly placed after actions/setup-python@v5; ordering is safe. |
| QWED_RULES.md | Expanded from 7 to 12 well-structured principles; new additions are clear and internally consistent. |
| CONTRIBUTING.md | Adds Approved Paths table documenting safe wrappers for eval/exec/parse_expr/shell calls; consistent with the new QWED_RULES principles. |
| .github/pull_request_template.md | PR checklist expanded to 7 items covering verification, fail-closed, approved paths, and non-regression. |
| .coderabbit.yaml | Adds two new review instructions (vulnerability-family-thinking and no-scoring rules); straightforward documentation update. |
| .github/copilot-instructions.md | Three new directives added aligning with new QWED_RULES principles. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[CI trigger] --> B[checkout]
    B --> C[Setup Python 3.11]
    C --> D[Boundary Check check_boundary.py]
    D --> E{rglob src py files}
    E --> F[AST parse each file]
    F --> G{Call node type?}
    G -->|ast.Name| H[bare name]
    G -->|ast.Attribute| I[dotted name]
    G -->|chained call| J[empty - skipped]
    H --> K{in FORBIDDEN_CALLS or eval/exec leaf?}
    I --> K
    K -->|yes and not in wrapper| M[FAIL - exit 1]
    K -->|no| N[pass]
    J --> N
    N --> O[from subprocess import run produces bare run not in FORBIDDEN_CALLS]
    O --> N
    M --> P[CI blocked]
    N --> Q[Continue - install deps and tests]

Comments Outside Diff (2)

  1. scripts/check_boundary.py, line 264-274 (link)

    P1 from X import Y imports bypass FORBIDDEN_CALLS entirely

    FORBIDDEN_CALLS holds only fully-qualified names ("subprocess.run", "subprocess.Popen", "os.system", etc.). When a contributor writes from subprocess import run; run([...]) the AST walker resolves the callee to an ast.Name with id="run", so call_names = ["run"]. Because "run" is not in FORBIDDEN_CALLS, the gate passes silently. The same gap applies to from subprocess import Popen, from subprocess import call, from os import system, and friends — none of their bare short-names appear in the set (note "Popen" with capital P is absent; only lowercase "popen" is listed). This directly contradicts Rule 11 (Vulnerability Family Thinking): a whole class of bypasses is left unguarded. Add the bare short-names ("system", "Popen", "run", "call", "check_call", "check_output") alongside import-alias tracking, or resolve call names against import aliases collected in a first AST pass.

  2. test_venv/Scripts/Activate.ps1, line 1 (link)

    P1 Virtual environment directory accidentally committed

    The entire test_venv/ tree — including compiled Windows binaries (pip.exe, python.exe, pythonw.exe, pip3.exe, pip3.11.exe) — has been committed to the repository. Virtual environments are platform-specific, machine-specific, and generated artifacts that must never live in source control. The CI workflow already provisions its own environment via actions/setup-python and pip install -e ".[server,dev]", so this directory serves no purpose there. It should be removed from the PR and test_venv/ added to .gitignore.

Reviews (2): Last reviewed commit: "chore: remove accidentally staged files" | Re-trigger Greptile

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/copilot-instructions.md (1)

10-12: 💤 Low value

Consider rewording to reduce repetitive "Do not" sentence openings.

Lines 10–12 begin three consecutive bullets with "Do not," which may reduce readability. You could vary the phrasing (e.g., "Reject suggestions that…" or restructure one as a positive directive) while preserving the enforcement semantics.

♻️ Example rewording (optional)
  - Do not suggest fallback execution paths.
  - Do not suggest graceful degradation that continues past failed verification.
  - Do not suggest retries that weaken enforcement.
  - Do not trust model output as proof of correctness.
- - Do not use scoring, confidence thresholds, or heuristics for decisions.
- - Do not suggest `eval` / `exec` / `parse_expr` outside approved wrappers.
+ - Reject scoring, confidence thresholds, or heuristics for enforcement decisions.
+ - Do not suggest `eval` / `exec` / `parse_expr` outside approved wrappers.
  - Prefer fail-closed behavior over convenience or availability.
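Review bot: The reworded bullet changes "for decisions" to "for enforcement decisions", which narrows the prohibition instead of only varying the sentence opening; keep the original scope, for example "Reject scoring, confidence thresholds, or heuristics for decisions." The second removed/added pair (the `eval` / `exec` / `parse_expr` bullet) is identical on both sides and can be dropped from the suggestion.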

Or combine them differently—the key is varying the sentence structure to improve flow.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/copilot-instructions.md around lines 10 - 12, The three consecutive
bullets (lines 10-12) in the copilot-instructions.md file all begin with "Do
not," creating repetitive sentence structure that reduces readability. Vary the
phrasing of these three bullets while maintaining their enforcement meaning—for
example, restructure one as a positive directive like "Reject suggestions
that...", use alternative negations like "Never...", or restructure them to
improve overall flow and sentence variety. The semantic content about
distrusting model output, avoiding scoring/heuristics, and rejecting
eval/exec/parse_expr usage should remain intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/check_boundary.py`:
- Around line 48-49: The wrapper allowlist keying mechanism uses filepath.name
(basename only) which implicitly trusts any file with that name regardless of
its location, weakening boundary enforcement. Replace the basename-only approach
with the full or relative file path to ensure trust is explicitly tied to
specific approved paths rather than just filenames. This change is needed at the
location shown (around line 48-49) where filename is assigned from
filepath.name, and also at lines 63-67 where this filename variable is
subsequently used in the allowlist lookup logic.
- Around line 45-46: The except SyntaxError block at lines 45-46 currently
silently returns errors when a file has syntax issues, allowing malformed files
to be skipped instead of blocking CI execution. To implement fail-closed
behavior as required by coding guidelines, replace the silent return with logic
that raises or propagates the SyntaxError exception (or logs it as a fatal error
that causes the script to exit with a non-zero status), ensuring that parse
failures block CI rather than being ignored.
- Around line 56-67: The dangerous-call matching in the conditional blocks for
"parse_expr", "eval", and "exec" is incomplete and bypassable. Update the checks
to handle both bare function names and qualified forms (e.g., builtins.eval,
module.parse_expr) by extracting the function name from qualified calls.
Additionally, add comprehensive checks for the full vulnerability family
including os.system and subprocess.Popen, which are documented as CI-gated but
currently not enforced. Create a deterministic matching mechanism that covers
all declared forbidden families rather than just partial symbol variants,
ensuring that no dangerous call can bypass the checks through qualification or
aliasing.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ecc5fd3a-4050-4946-a79e-00b7ee36c817

📥 Commits

Reviewing files that changed from the base of the PR and between 7be2dc6 and 65ee555.

📒 Files selected for processing (7)
  • .coderabbit.yaml
  • .github/copilot-instructions.md
  • .github/pull_request_template.md
  • .github/workflows/ci.yml
  • CONTRIBUTING.md
  • QWED_RULES.md
  • scripts/check_boundary.py

- Use full relative path for wrapper exemption, not basename-only
- Normalize paths with as_posix() for cross-platform consistency
- Catch eval/exec as bare calls and builtins.eval, not session.exec()
- Add os.system, subprocess.*, popen to FORBIDDEN_CALLS
- Exempt pre-existing subprocess.run sites as known tech debt
- Fail closed on SyntaxError instead of silent skip
- Move boundary check after setup-python in CI
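
An added example, not the project's scripts/check_boundary.py: a two-pass AST check that resolves import aliases before matching, covering the `from X import Y` gap Greptile describes and the full-path exemption and fail-closed SyntaxError handling CodeRabbit asks for. The forbidden set, the `src/pkg/...` wrapper paths and the sample source are assumptions constructed for illustration.

```python
import ast

# Assumed forbidden names and hypothetical full-path (not basename) allowlist.
FORBIDDEN = {
    "eval", "exec", "builtins.eval", "builtins.exec", "os.system", "os.popen",
    "sympy.parse_expr", "sympy.parsing.sympy_parser.parse_expr",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
}
APPROVED_WRAPPERS = {"src/pkg/safe_parser.py", "src/pkg/safe_evaluator.py"}


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""


def collect_aliases(tree):
    """First pass: map each name bound by an import to its qualified origin."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]  # `import a.b` binds only `a`
                aliases[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module and not node.level:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def check_source(source, relpath):
    """Second pass: return sorted (path, line, qualified_name) violations."""
    if relpath in APPROVED_WRAPPERS:
        return []
    try:
        tree = ast.parse(source, filename=relpath)
    except SyntaxError as exc:
        return [(relpath, exc.lineno or 0, "<syntax error>")]  # fail closed
    aliases, hits = collect_aliases(tree), []
    for node in ast.walk(tree):
        name = dotted(node.func) if isinstance(node, ast.Call) else ""
        head, _, rest = name.partition(".")  # resolve the leading component
        full = aliases.get(head, head) + (f".{rest}" if rest else "")
        if full in FORBIDDEN:
            hits.append((relpath, node.lineno, full))
    return sorted(hits)


# Constructed sample input, not taken from the repository.
SAMPLE = """\
from subprocess import run
import subprocess as sp
run(["ls"])
sp.Popen(["ls"])
session.exec(query)
"""

if __name__ == "__main__":
    print(*check_source(SAMPLE, "src/pkg/api.py"), sep="\n")
```

Names rebound by assignment or built dynamically are not resolved here; a gate that must cover them needs data-flow tracking or should fail closed on such constructs.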
@rahuldass19 Rahul Dass (rahuldass19) merged commit 6057a6a into main Jun 15, 2026
35 checks passed