refactor(gitea): eliminate retry duplication, harden redactURL and MaxInt64 edge case

- Extract doGetWithReader to share retry/backoff logic between doGet and doGetLimited, eliminating ~60 lines of duplicated code (addresses MINOR finding from all reviewers). - redactURL now strips userinfo credentials (user:pass@host) in addition to query parameters (addresses security-review-bot finding). - GetPullRequestDiff treats MaxDiffSize == math.MaxInt64 as disabled, preventing the silent enforcement bypass where the overflow clamp makes the size check unreachable (addresses security-review-bot finding). - Improved error message wording: 'response exceeds N bytes' (NIT fix).
fix(gitea): address review feedback on diff size limiting
2026-05-13 13:39:37 +00:00 · 2026-05-13 13:39:37 +00:00 · 2026-05-13 13:39:37 +00:00 · 2026-05-13 13:39:37 +00:00 · 2026-05-13 13:16:40 +00:00 · 2026-05-13 02:56:06 -07:00
1 changed files with 1 additions and 3 deletions
@@ -9,7 +9,7 @@

 | Package | Use Case | Scope |
 |---------|----------|-------|
-| `github.com/goccy/go-yaml` | YAML parsing (persona files, config) | production |
+| `github.com/goccy/go-yaml` | YAML parsing and AST inspection (subpkgs: `ast`, `parser`) | production |
 | `github.com/google/go-cmp` | Test comparisons (`cmp.Diff`) | test only |

 **Any import not in this table or the Go standard library is forbidden.**
@@ -21,8 +21,6 @@ To request a new dependency:
 2. Requires explicit approval from Aaron
 3. After merge, a separate PR may use the package

-<!-- Deviation from step 1+3 for go-yaml migration: see #91 for rationale. -->
-
 *Enforcement: `scripts/check-deps.sh` parses this table — update only here.*

 ## Error Handling
Author	SHA1	Message	Date
claw	49d6ca77a3	refactor(gitea): eliminate retry duplication, harden redactURL and MaxInt64 edge case PR Ready Gate / clear-labels (pull_request) Successful in 2s Details CI / test (pull_request) Successful in 17s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 32s Details CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m2s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 2m21s Details - Extract doGetWithReader to share retry/backoff logic between doGet and doGetLimited, eliminating ~60 lines of duplicated code (addresses MINOR finding from all reviewers). - redactURL now strips userinfo credentials (user:pass@host) in addition to query parameters (addresses security-review-bot finding). - GetPullRequestDiff treats MaxDiffSize == math.MaxInt64 as disabled, preventing the silent enforcement bypass where the overflow clamp makes the size check unreachable (addresses security-review-bot finding). - Improved error message wording: 'response exceeds N bytes' (NIT fix).	2026-05-13 13:39:37 +00:00
claw	6ebf66aefb	fix(gitea): address review feedback on diff size limiting - Add concurrency safety note to MaxDiffSize field documentation, mirroring the existing note on RetryBackoff - Consolidate six individual test functions into a single table-driven test (TestGetPullRequestDiff_SizeLimits) reducing repetition - Add //nolint:errcheck annotation to test handler w.Write calls	2026-05-13 13:39:37 +00:00
claw	004343d05f	fix(gitea): address review findings — clamp overflow, clarify maxSize doc - Clamp maxBytes+1 to prevent integer overflow to negative when maxBytes == math.MaxInt64 (falls back to math.MaxInt64) - Update MaxDiffSize doc: 'any negative value' disables the limit, matching actual behavior of 'maxSize < 0' check	2026-05-13 13:39:37 +00:00
claw	92b84976cf	feat(gitea): harden GetPullRequestDiff against unbounded diff size Add a configurable MaxDiffSize field to Client that limits how much data GetPullRequestDiff will read into memory. The default is 10 MB (DefaultMaxDiffSize). When the diff exceeds the limit, ErrDiffTooLarge is returned, allowing callers to skip position translation gracefully. Implementation uses io.LimitReader to read maxBytes+1, detecting overflow without buffering the entire response. Setting MaxDiffSize to -1 disables the limit entirely. Closes #92	2026-05-13 13:39:37 +00:00
aweiker	881ce232eb	Merge pull request 'docs(deps): update CONVENTIONS.md allowlist for go-yaml' (#108 ) from review-bot-issue-91 into main CI / test (push) Successful in 17s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (push) Has been skipped Details CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (push) Has been skipped Details Reviewed-on: #108 Reviewed-by: security-review-bot <10+security-review-bot@noreply.gitea.weiker.me> Reviewed-by: Aaron Weiker <aaron@weiker.org>	2026-05-13 13:16:40 +00:00
claw	bf52fceea0	docs(deps): update CONVENTIONS.md allowlist for go-yaml CI / test (pull_request) Successful in 20s Details CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 20s Details CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 48s Details CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 51s Details Update the approved dependency table to document go-yaml subpackage usage (ast, parser) and remove the deviation comment now that the proper allowlist process is being followed. Closes #91	2026-05-13 02:56:06 -07:00