Skip to content

Policies: specificity-aware default position on the server#1395

Merged
RhysSullivan merged 2 commits into
mainfrom
fix/policy-position-race
Jul 10, 2026
Merged

Policies: specificity-aware default position on the server#1395
RhysSullivan merged 2 commits into
mainfrom
fix/policy-position-race

Conversation

@RhysSullivan

Copy link
Copy Markdown
Collaborator

Found by running the selfhost-docker e2e suite against the production image: the policies-ui scenario intermittently ends with a category rule shadowing a leaf rule created moments before.

The UI computes a specificity-aware position for new rules, but only from its local policy list; when that list is stale (the optimistic atom hasn't refreshed between two quick writes) it sends no position at all, and the server's default put the new rule at the top of the list — letting the broad rule shadow the narrow one.

This moves the specificity placement into the sdk and makes it the server-side default for positionless creates, computed against the server's own list. The React hook reuses the same helper so optimistic ordering matches what the server commits. Covered by a new sdk test.

The UI computed a specificity-aware position for new rules client-side,
but the server defaulted a positionless create to the TOP of the owner's
list. When the client's policy list was stale (e.g. the optimistic atom
hadn't refreshed between two quick writes), the UI sent no usable
position and the top-of-list default let a broad category rule shadow a
narrower leaf rule written moments earlier — surfaced by the policies-ui
scenario failing against the production selfhost image.

Move the specificity placement into the sdk (positionForNewPattern) and
make it the server-side default for create; the React hook now reuses
the same helper so the optimistic order matches what the server commits.
@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Cloudflare preview

Torn down — the PR is closed.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
executor-marketing f953c5b Commit Preview URL

Branch Preview URL
Jul 10 2026, 08:46 AM

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
✅ Deployment successful!
View logs
executor-cloud f953c5b Jul 10 2026, 08:48 AM

@pkg-pr-new

pkg-pr-new Bot commented Jul 10, 2026

Copy link
Copy Markdown

Open in StackBlitz

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@1395

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@1395

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@1395

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@1395

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@1395

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@1395

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@1395

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@1395

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@1395

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@1395

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@1395

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@1395

executor

npm i https://pkg.pr.new/executor@1395

commit: f953c5b

The detail badge's Clear resolved the rule to remove by pattern-matching
the local policies list. Right after the badge authors a rule, the
post-commit refetch may not have landed, so the lookup missed and the
clear silently no-oped — the second race the policies-ui scenario hit on
the production image. Thread the resolved EffectivePolicy's policyId
through as a fallback for exactly that window.
@RhysSullivan RhysSullivan force-pushed the fix/policy-position-race branch from eedfe17 to f953c5b Compare July 10, 2026 08:44
@RhysSullivan RhysSullivan marked this pull request as ready for review July 10, 2026 09:32
@RhysSullivan RhysSullivan merged commit d90d8be into main Jul 10, 2026
21 checks passed
@RhysSullivan RhysSullivan mentioned this pull request Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant