[EnforceAuth] Update policy: POS Authorization

[boorad]

Update Policy: POS Authorization

---

Created via EnforceAuth

Summary by CodeRabbit

• Chores

  • Updated policy metadata title, CI linting workflow, and added Regal configuration for project roots and lint rules.

• Bug Fixes

  • Enforced stricter numeric/non-negative validation for return amounts and discount percentages in POS checks.

• Refactor

  • Simplified authentication helper internals (no behavioral change).

• Tests

  • Reformatted many policy tests to use compact inline input literals and added negative input-validation test cases.

• Documentation

  • Rewrote module descriptions to a wrapped multi-line format.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e1312f75-d435-47c7-98a7-9961dd84be0a

📥 Commits

Reviewing files that changed from the base of the PR and between 1c2acbf and c543bde.

📒 Files selected for processing (3)

• dev/store-ops/pos/authorization_test.rego
• prod/store-ops/pos/authorization_test.rego
• stage/store-ops/pos/authorization_test.rego

🚧 Files skipped from review as they are similar to previous changes (3)

• dev/store-ops/pos/authorization_test.rego
• stage/store-ops/pos/authorization_test.rego
• prod/store-ops/pos/authorization_test.rego

---

📝 Walkthrough

Walkthrough

Reformatted many Rego tests and module metadata, added a .regal/config.yaml, adjusted a GitHub Actions rego-lint step, simplified an internal binding in shared authenticated_claims, and added numeric/non-negative validation guards to two POS helper predicates (_within_return_limit, _within_discount_limit).

Changes

Cohort / File(s)	Summary
CI lint action ​.github/actions/rego-lint/action.yml	Compute changed directories as a newline-separated unique list and emit multiline dirs output; split CHANGED_DIRS into an array and call regal lint with separate directory args ("${dirs[@]}") instead of a single quoted string.
Regal config .regal/config.yaml	Add Regal configuration setting project.roots: [dev, prod, stage] and downgrade several rule checks to ignore (rule-level overrides).
Shared authentication helpers dev/shared/authentication.rego, stage/shared/authentication.rego, prod/shared/authentication.rego	Remove intermediate token := extract_token local; call valid_token(extract_token) and claims(extract_token) directly in authenticated_claims. No signature changes.
POS authorization helpers dev/store-ops/pos/authorization.rego, stage/store-ops/pos/authorization.rego, prod/store-ops/pos/authorization.rego	Add guards: require input.request.body.amount / input.request.body.discount_percent to be numeric (is_number(...)) and >= 0 before comparing to role-specific upper limits in _within_return_limit and _within_discount_limit.
Module metadata / comments dev/store-ops/pos/authorization.rego, dev/website/api/authorization.rego, stage/website/api/authorization.rego, prod/website/api/authorization.rego	Minor metadata/comment formatting: shorten POS title comment and convert # description to a folded multi-line style. No logic changes.
Tests — POS / Timeclock / Website / Rate-limiter (dev/prod/stage) dev/.../authorization_test.rego, dev/.../timeclock/authorization_test.rego, dev/website/.../authorization_test.rego, dev/website/cyber-monday-rate-limiter/authorization_test.rego, prod/.../authorization_test.rego, stage/.../authorization_test.rego	Reformatted many tests to use compact/inline with input as {...} object literals and adjusted mock user permission literal formatting; added new negative input-validation tests for POS allow_return (string/null/negative amount) and allow_price_override (string/null/negative discount). No assertions or rule signatures changed.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: add CI/CD workflows and Claude Code commands #1 — edits the same .github/actions/rego-lint/action.yml (likely related to lint dirs handling).

Poem

🐰 I hop through lines and tidy space,
Numbers checked before they race.
Tests condensed and lint aligned,
Tokens passed with bounds defined.
A little nibble, change embraced. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title '[EnforceAuth] Update policy: POS Authorization' directly addresses the main change: adding input validation to the POS Authorization policy helpers across all environments.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ea/policy/pos-authorization-1776385372771

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[amazon-q-developer]

Summary

This PR updates the policy metadata title from "POS Transaction Authorization" to "POS Authorization" - a cosmetic simplification with no functional changes to the authorization logic.

The change is safe to merge as it only affects documentation metadata.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

dev/store-ops/pos/authorization.rego (2)

114-117: ⚠️ Potential issue | 🟠 Major

Add input validation for discount_percent field.

The helper doesn't validate that discount_percent exists, is numeric, or is non-negative. A negative discount could bypass discount limits, and missing fields could cause policy evaluation errors.

🛡️ Proposed fix to add validation

 _within_discount_limit(user_claims) if {
 	limit := _discount_limit_for_role[user_claims.role]
+	is_number(input.request.body.discount_percent)
+	input.request.body.discount_percent >= 0
 	input.request.body.discount_percent <= limit
 }

As per coding guidelines, ensure input validation is sufficient in OPA/Rego policies to prevent malicious or malformed inputs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@dev/store-ops/pos/authorization.rego` around lines 114 - 117, The helper
_within_discount_limit should validate input.request.body.discount_percent
before comparing to _discount_limit_for_role[user_claims.role]; update
_within_discount_limit to first ensure discount_percent is present, is a number
(use Rego's is_number/typeof checks), and is >= 0, and only then compare
discount_percent <= limit from _discount_limit_for_role; treat any missing,
non-numeric, or negative discount_percent as failing the helper (i.e., do not
allow bypass) so policy evaluation remains safe.

---

104-107: ⚠️ Potential issue | 🟠 Major

Add input validation for amount field.

The helper doesn't validate that amount exists, is numeric, or is non-negative. A negative amount could bypass return limits, and missing fields could cause policy evaluation errors.

🛡️ Proposed fix to add validation

 _within_return_limit(user_claims) if {
 	limit := _return_limit_for_role[user_claims.role]
+	is_number(input.request.body.amount)
+	input.request.body.amount >= 0
 	input.request.body.amount <= limit
 }

As per coding guidelines, ensure input validation is sufficient in OPA/Rego policies to prevent malicious or malformed inputs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@dev/store-ops/pos/authorization.rego` around lines 104 - 107, The
_within_return_limit helper currently compares input.request.body.amount to
_return_limit_for_role[user_claims.role] without validating amount; update
_within_return_limit to first ensure input.request and input.request.body.amount
exist, the amount is a number (use is_number/typeof checks) and amount >= 0, and
only then perform the comparison against
_return_limit_for_role[user_claims.role]; if any validation fails the rule
should not succeed (i.e., return false/leave the rule unsatisfied) so malformed
or negative amounts cannot bypass limits.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@dev/store-ops/pos/authorization.rego`:
- Around line 114-117: The helper _within_discount_limit should validate
input.request.body.discount_percent before comparing to
_discount_limit_for_role[user_claims.role]; update _within_discount_limit to
first ensure discount_percent is present, is a number (use Rego's
is_number/typeof checks), and is >= 0, and only then compare discount_percent <=
limit from _discount_limit_for_role; treat any missing, non-numeric, or negative
discount_percent as failing the helper (i.e., do not allow bypass) so policy
evaluation remains safe.
- Around line 104-107: The _within_return_limit helper currently compares
input.request.body.amount to _return_limit_for_role[user_claims.role] without
validating amount; update _within_return_limit to first ensure input.request and
input.request.body.amount exist, the amount is a number (use is_number/typeof
checks) and amount >= 0, and only then perform the comparison against
_return_limit_for_role[user_claims.role]; if any validation fails the rule
should not succeed (i.e., return false/leave the rule unsatisfied) so malformed
or negative amounts cannot bypass limits.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1a22ba45-cfb9-4928-9755-c1db567aca77

📥 Commits

Reviewing files that changed from the base of the PR and between a446547 and 118cfda.

📒 Files selected for processing (1)

• dev/store-ops/pos/authorization.rego

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/actions/rego-lint/action.yml:
- Around line 32-40: The "Lint changed Rego files" step currently injects
unquoted ${{ steps.changed.outputs.dirs }} directly into the shell which allows
command injection and fails on paths with spaces; change the output `dirs` to be
newline-separated and update the step's run script to read that multiline output
into a shell array (e.g., using readarray/IFS-safe read) and invoke `regal lint`
with the array expansion quoted (so each path is passed as a separate,
safely-quoted argument) instead of interpolating the raw output into the
command.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 228f64a5-5cc4-491a-b5be-aabd5dcb78d9

📥 Commits

Reviewing files that changed from the base of the PR and between 118cfda and 75ca57f.

📒 Files selected for processing (1)

• .github/actions/rego-lint/action.yml

[boorad]

Addressed both outside-diff-range findings:

• _within_return_limit (lines 104-107): Added is_number(input.request.body.amount) and >= 0 guard so non-numeric or negative amounts fail the rule.
• _within_discount_limit (lines 114-117): Added is_number(input.request.body.discount_percent) and >= 0 guard so negative discounts can't bypass limits.

Applied across all three environments (dev/prod/stage). All 153 OPA tests pass.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@prod/store-ops/pos/authorization.rego`:
- Around line 105-106: Add explicit deny-path unit tests in
prod/store-ops/pos/authorization_test.rego that exercise the new is_number
guards for input.request.body.amount and input.request.body.discount_percent:
create cases that pass string numbers ("49.99", "10"), null values, and negative
numbers for both amount and discount_percent and assert the policy denies those
requests; ensure each new test targets the same rule(s) exercised by the
allow-path tests (the rules that reference is_number(input.request.body.amount)
and is_number(input.request.body.discount_percent)) so both allow and deny
behaviors are covered per guidelines.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b01eb978-f71f-48f7-af22-564de67fbd82

📥 Commits

Reviewing files that changed from the base of the PR and between b7687c8 and 1c2acbf.

📒 Files selected for processing (4)

• .github/actions/rego-lint/action.yml
• dev/store-ops/pos/authorization.rego
• prod/store-ops/pos/authorization.rego
• stage/store-ops/pos/authorization.rego

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/actions/rego-lint/action.yml
• dev/store-ops/pos/authorization.rego