
spec(projects): define Project preview URL allowlist #1677

Draft

jsell-rh wants to merge 1 commit into main from jsell/project-preview-allowlist

Conversation


@jsell-rh jsell-rh commented Jun 11, 2026


Summary

  • Replace the separate ProjectSettings kind with kube-shaped Project spec.preview.allowedHosts.
  • Specify Project storage/API/apply behavior for metadata, spec.description, spec.prompt, and spec.preview.
  • Define ambient-ui preview proxy hardening, continuation-token navigation, Settings > Preview editing, and field-level RBAC for Project preview policy.

Review Notes

  • Reflects peer feedback: no ProjectSettings kind; preview trust is typed Project desired state.
  • Addresses CodeRabbit comments by making the session-scoped BFF preview route required, clarifying Project storage shape, and specifying 400 handling for Project path/body name mismatches. ProjectSettings-specific comments are obsolete after the design change.

Validation

  • git diff --check -- specs/api/ambient-model.spec.md specs/ambient-ui/ambient-ui.spec.md specs/security/rbac-enforcement.spec.md
  • rg check for stale ProjectSettings/project_settings references in touched specs
  • git commit --amend pre-commit hook: passed


netlify Bot commented Jun 11, 2026


Deploy Preview for cheerful-kitten-f556a0 canceled.

Latest commit: ae2f36d
Latest deploy log: https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/6a2ac847b8cc490008b5deee


coderabbitai Bot commented Jun 11, 2026


Important

Review skipped

Draft detected.


⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 916d5754-9d2a-483e-8538-cadb2d4c0f94

Walkthrough

This PR specifies ProjectSettings, a per-Project singleton resource for managing preview URL trust policy with conditional Ambient token relay. The changes span the data model (Kind definition, storage, GitOps sync), API/CLI interface (project-scoped routes and apply semantics), RBAC authorization (permissions and scope resolution), and UI integration (Live Preview hardening and Settings Preview tab).

Changes

ProjectSettings: Preview Trust Configuration

  • ProjectSettings Entity & Storage Model (specs/api/ambient-model.spec.md): ProjectSettings is a per-Project singleton Kind with Kubernetes-style envelope, typed preview allowlist, and forwardAmbientToken trust relay configuration. ER diagram, storage constraints (unique name/project_id, FK, immutability), and GitOps sync behavior (create/update after Project) are documented.
  • ProjectSettings API Routes & CLI Commands (specs/api/ambient-model.spec.md): Project-scoped singleton endpoints (GET/PUT/PATCH /projects/{id}/settings) and compatibility routes; CLI commands (get project-settings, apply -f); PATCH vs. PUT creation semantics; immutable metadata mismatch handling (HTTP 409); preview clearing via empty allowedHosts.
  • ProjectSettings Authorization & Scope Resolution (specs/security/rbac-enforcement.spec.md): Permission resource project_settings with read/list/create/update capabilities filtered by owning Project bindings; database-based project_id resolution for singleton and compatibility routes; authorization scenarios including filtered list responses and opaque 404 for unauthorized reads.
  • Live Preview UI Hardening & Settings Integration (specs/ambient-ui/ambient-ui.spec.md): URL allowlist validation against ProjectSettings.spec.preview.allowedHosts, session-scoped BFF proxy with per-request redirect revalidation, conditional Ambient token relay gated by forwardAmbientToken and platform policy, stricter CSP frame-src rules, new tabbed Settings > Preview configuration UI with role-based editing/read-only behavior.
  • Implementation Coverage Tracking (specs/api/ambient-model.spec.md): Specification metadata updates (last-modified timestamps) and implementation coverage matrix entries for ProjectSettings spanning storage, validation, project-scoped routes, RBAC, and acpctl apply support.

Possibly Related PRs

  • ambient-code/platform#1611: Earlier PR introduced the UI ops console specification that this PR's ProjectSettings model now formalizes and replaces the generic preview allowlist approach with a typed, project-scoped trust model.
  • ambient-code/platform#1640: Existing RBAC enforcement spec that this PR extends with ProjectSettings-specific scope resolution and authorization rules.
Pre-merge checks: 8 passed

  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Performance And Algorithmic Complexity: Passed. Spec-only PR with no code implementation. ProjectSettings design includes bounded pattern matching, proper storage constraints (unique indices, FK), and RBAC-filtered list operations—no O(n^2) algo...
  • Security And Secret Handling: Passed. Specification-only PR (3 .md files, no source code). Comprehensive security requirements for token handling (HTTPS-only, never log/persist, no service tokens), RBAC authorization (project-scoped, r...
  • Kubernetes Resource Safety: Passed. PR changes only specification documents (.spec.md files), not Kubernetes manifests, deployments, containers, or RBAC configurations. Kubernetes Resource Safety check is inapplicable to specificatio...
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. Title follows Conventional Commits format (spec(projects): ...) and clearly describes the main change: introducing ProjectSettings for preview URL allowlist.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@specs/ambient-ui/ambient-ui.spec.md`:
- Around line 834-835: Add a session-scoped BFF endpoint that enforces Session
annotation-based preview URL validation: implement a handler (e.g.,
handlePreviewRequest) for the route pattern matching
/api/projects/{projectId}/sessions/{sessionId}/preview that calls a server-side
Session fetch (e.g., fetchSessionById(sessionId)), reads the
ambient-code.io/ui/preview-url annotation, and only accepts the incoming url
query when it equals that annotation or is a validated redirect derived from it
(extract/validate via a helper like validatePreviewUrl). Wire all proxied
requests and injected-link navigations through a proxyRequest flow that
revalidates the target against validatePreviewUrl and recomputes token relay per
target host (e.g., recomputeTokenRelay) before forwarding; return a 4xx when
validation fails.

In `@specs/api/ambient-model.spec.md`:
- Around line 478-487: Clarify and lock down the final ProjectSettings storage
schema and transition plan: explicitly state that ProjectSettings will have
separate persisted columns name (text, unique, not null), project_id (text,
unique, not null, foreign key -> projects.id), and spec (jsonb) while legacy
columns group_access and repositories may remain temporarily for transition but
are slated for removal; require rows be backfilled with name =
'<project-name>-settings' and spec.projectRef.name = <project-name> on
migration, and enforce immutability of project_id and spec.projectRef.name after
creation (describe the enforcement mechanism); update references to
ProjectSettings/ProjectId and any migration steps to indicate whether project_id
will be permanently denormalized or removed after dual-write, and include the
exact SQL constraints (unique non-deleted name and project_id, FK, not-null) to
be applied.
- Line 773: The ProjectSettings doc currently states metadata.name is immutable
after creation (ProjectSettings, metadata.name, spec.projectRef.name,
/projects/{id}/settings, acpctl apply) but does not warn that arbitrary names
will permanently lock future applies; either enforce the recommended convention
at creation or explicitly document the footgun—update the ProjectSettings
section to require/validate metadata.name follows the "{project}-settings"
pattern on create (reject otherwise) OR add a clear note explaining that
metadata.name is immutable, that first apply with a nonconforming name will
permanently lock that name (causing future acpctl apply to 409 unless deleted),
and provide the supported remediation (delete-and-recreate) so users are aware.

In `@specs/security/rbac-enforcement.spec.md`:
- Around line 146-151: Update the spec for the compatibility POST
/project_settings route to require a 400 Bad Request response when the payload
contains mismatched project references (e.g., project_id vs spec.projectRef.name
disagree), and specify that the error body MUST identify the conflicting fields
and their provided values (e.g., { "error": "project_reference_mismatch",
"fields": { "project_id": "proj-1", "spec.projectRef.name": "proj-2" } }) so
clients can correct the payload; reference the POST /project_settings
compatibility route and the fields project_id and spec.projectRef.name when
adding this requirement.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e4469263-d892-4263-bc73-2d8d0eeb0070

📥 Commits

Reviewing files that changed from the base of the PR and between 16bf3e5 and 2a0efcb.

📒 Files selected for processing (3)
  • specs/ambient-ui/ambient-ui.spec.md
  • specs/api/ambient-model.spec.md
  • specs/security/rbac-enforcement.spec.md
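The session-scoped preview validation that the first finding above asks for, written out as an added TypeScript example; it is not code from the PR, from the specs it touches, or from the ambient-code/platform code base. The policy shape (`allowedHosts`, `forwardAmbientToken`), the function names (`validateInitialRequest`, `validateRedirect`, `validatePreviewUrl`, `hostMatches`), the sample hosts and the Session annotation value are all assumptions constructed for this illustration. The check is deliberately split in three: the initial `?url=` query must equal the Session's annotated preview URL (not merely land on an allowed host), every redirect or injected-link target is resolved and re-validated against the allowlist with the same rules, and the token-relay decision is recomputed for each target host rather than carried over from the first hop.

```typescript
// Added example, not code from the PR or from ambient-code/platform: a pure
// validation layer for a session-scoped preview proxy. Policy shape, function
// names, sample hosts and the Session annotation value are all assumptions.

interface PreviewPolicy {
  // Project spec.preview.allowedHosts: exact hosts, or one leading "*." label wildcard.
  allowedHosts: string[];
  // Project opt-in to relaying the caller's Ambient token to the preview origin.
  forwardAmbientToken: boolean;
}

interface PreviewDecision {
  allowed: boolean;
  status: number;      // 200 when allowed, otherwise the 4xx the proxy should return
  reason: string;
  relayToken: boolean; // recomputed for every target host, never carried over
  target?: string;     // normalized absolute URL to forward to, when allowed
}

function deny(status: number, reason: string): PreviewDecision {
  return { allowed: false, status, reason, relayToken: false };
}

function parseAbsolute(raw: string, base?: string): URL | null {
  try {
    return new URL(raw, base);
  } catch {
    return null;
  }
}

// Bounded matching: "*.apps.example.test" matches exactly one extra label
// ("web.apps.example.test"), never the apex host and never nested labels.
function hostMatches(pattern: string, host: string): boolean {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (!p.startsWith("*.")) return p === h;
  const suffix = p.slice(1); // ".apps.example.test"
  if (!h.endsWith(suffix)) return false;
  const label = h.slice(0, h.length - suffix.length);
  return label.length > 0 && !label.includes(".");
}

// Core check, applied to the initial URL and again to every redirect target.
function validatePreviewUrl(candidate: string, policy: PreviewPolicy): PreviewDecision {
  const url = parseAbsolute(candidate);
  if (url === null) return deny(400, "preview url is not an absolute URL");
  if (url.protocol !== "https:") return deny(400, "preview url must use https");
  if (url.username !== "" || url.password !== "") {
    return deny(400, "preview url must not embed credentials");
  }
  if (!policy.allowedHosts.some((p) => hostMatches(p, url.hostname))) {
    return deny(403, `host ${url.hostname} is not in spec.preview.allowedHosts`);
  }
  return {
    allowed: true,
    status: 200,
    reason: "ok",
    // Only an allowlisted host of a Project that opted in ever receives the token.
    relayToken: policy.forwardAmbientToken,
    target: url.toString(),
  };
}

// Initial request on .../sessions/{sessionId}/preview?url=...: the query value
// must equal the Session's annotated preview URL after normalization, so a
// caller cannot steer the proxy to another URL even on an allowlisted host.
function validateInitialRequest(queryUrl: string, sessionAnnotationUrl: string, policy: PreviewPolicy): PreviewDecision {
  const annotated = parseAbsolute(sessionAnnotationUrl);
  const requested = parseAbsolute(queryUrl);
  if (annotated === null) return deny(400, "Session preview-url annotation is not a valid URL");
  if (requested === null || requested.toString() !== annotated.toString()) {
    return deny(403, "url does not match the Session preview-url annotation");
  }
  return validatePreviewUrl(annotated.toString(), policy);
}

// Redirect or injected-link navigation: resolve Location against the current
// target, then re-run the full check so an allowed origin cannot bounce the
// proxy (and the relayed token) to a host outside the allowlist.
function validateRedirect(location: string, currentTarget: string, policy: PreviewPolicy): PreviewDecision {
  const resolved = parseAbsolute(location, currentTarget);
  if (resolved === null) return deny(400, "redirect target could not be resolved");
  return validatePreviewUrl(resolved.toString(), policy);
}

// Constructed sample Project policy and Session annotation for the usage below.
const samplePolicy: PreviewPolicy = {
  allowedHosts: ["preview.example.test", "*.apps.example.test"],
  forwardAmbientToken: true,
};
const sampleAnnotation = "https://web.apps.example.test/";

console.log(validateInitialRequest(sampleAnnotation, sampleAnnotation, samplePolicy).status); // 200
console.log(validateRedirect("https://unlisted.example.test/", sampleAnnotation, samplePolicy).status); // 403
```

The handler wiring (fetching the Session server-side, reading the `ambient-code.io/ui/preview-url` annotation, forwarding the request) sits around these functions; a 400 or 403 decision is returned to the client without forwarding anything, and the `relayToken` flag, not the presence of a token on the first hop, decides whether the Authorization header is attached to the outgoing request for each host.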

jsell-rh marked this pull request as draft on June 11, 2026 14:32
jsell-rh force-pushed the jsell/project-preview-allowlist branch from 2a0efcb to 59de1c6 on June 11, 2026 14:37
jsell-rh changed the title from "spec(projects): define preview URL allowlist settings" to "spec(projects): define Project preview URL allowlist" on Jun 11, 2026
jsell-rh force-pushed the jsell/project-preview-allowlist branch from 59de1c6 to ae2f36d on June 11, 2026 14:37