Merged
148 changes: 148 additions & 0 deletions .coderabbit.yaml
@@ -0,0 +1,148 @@
# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
language: "en-US"
tone_instructions: "Be concise and direct. Focus on correctness, security, and API contract adherence. This is an Auth0 SDK — any deviation from expected authentication/token behaviors is high severity."
early_access: false

reviews:
profile: "assertive"
request_changes_workflow: false
high_level_summary: true
high_level_summary_placeholder: "@coderabbitai summary"
auto_title_placeholder: "@coderabbitai"
review_status: true
commit_status: true
collapse_walkthrough: false
sequence_diagrams: true

auto_review:
enabled: true
drafts: false
base_branches:
- main
- "beta-release/**"

@sanchitmehtagit sanchitmehtagit Jun 9, 2026

Need to double check if we have branches with prefix beta-release.

- "release/**"

# Ignore generated, example, and lock files
path_filters:
# Example app — not part of the published SDK

@sanchitmehtagit sanchitmehtagit Jun 9, 2026

We should exclude symlink files. While they still need to be updated for new features, they typically duplicate changes and can nearly double the number of files in a PR, so it makes sense to keep them out of the review scope.

For example, in PR #804, much of the file bloat came from symlink files.

- "!**/example/**"
# Appium/E2E test infra
- "!appium-test/**"
# Dart generated files
- "!**/*.g.dart"
- "!**/*.mocks.dart"
- "!**/doc/api/**"
- "!**/.dart_tool/**"
- "!**/.flutter-plugins"
- "!**/.flutter-plugins-dependencies"
# Build outputs
- "!**/build/**"
- "!**/coverage/**"
- "!**/DerivedData/**"
# iOS/macOS generated
- "!**/Pods/**"
- "!**/Flutter/ephemeral/**"
- "!**/Flutter/Generated.xcconfig"
- "!**/Flutter/flutter_export_environment.sh"
- "!**/GeneratedPluginRegistrant.*"
# Android generated
- "!**/.gradle/**"
- "!**/local.properties"
- "!**/GeneratedPluginRegistrant.java"
- "!**/*.class"
# Windows generated
- "!**/flutter/ephemeral/**"
# Lock files and package caches
- "!**/*.lock"
- "!**/node_modules/**"
# Windows native deps
- "!**/vcpkg/**"
- "!**/vcpkg-binary-cache/**"

path_instructions:
# Dart/Flutter — both packages
- path: "**/*.dart"
instructions: |
- Enforce strict Dart analysis: strict-casts, strict-inference, strict-raw-types are all enabled.
- Flag any missing null checks, unsafe casts (use `as?` equivalents / `is` checks before casting).
- Prefer `final` for local variables and parameters.
- Public APIs must have type annotations.
- `unawaited_futures` is an error — every async call must be awaited or explicitly `unawaited(...)`.
- Lines must not exceed 80 characters.
- Check that new public symbols are covered by tests.

# Platform interface — contract stability is critical
- path: "auth0_flutter_platform_interface/**/*.dart"
instructions: |
- Platform interface changes are breaking API changes. Flag any removal or signature change of public methods.
- New methods added to the platform interface must have a default implementation or be abstract with a clear migration path.
- Ensure method channel argument names and types stay consistent with native implementations.

# Android/Kotlin
- path: "auth0_flutter/android/**/*.kt"
instructions: |
- Avoid force-casts (`as Type`) — use safe casts (`as? Type`) and handle null/failure cases explicitly.
- ClassCastException from unsafe casts in MethodChannel handlers has caused crashes in the past — treat any unchecked cast as a bug.
- Ensure all MethodChannel result callbacks (`result.success`, `result.error`, `result.notImplemented`) are called exactly once per invocation.
- Auth errors must be surfaced through `result.error`, never swallowed silently.
- minSdk is 21; avoid APIs above that level without version guards.

# iOS/macOS Swift
- path: "auth0_flutter/ios/**/*.swift"
instructions: |
- Force-unwraps (`!`) are not acceptable in MethodChannel handlers — use guard/if-let.
- All FlutterResult callbacks must be invoked exactly once.
- Auth errors must propagate to Flutter as `FlutterError`, never silently dropped.
- iOS deployment target is 14.0; macOS is 11.0 — flag any API usage above those baselines.

- path: "auth0_flutter/macos/**/*.swift"
instructions: |
- Same rules as iOS Swift. macOS deployment target is 11.0.

- path: "auth0_flutter/darwin/**/*.swift"
instructions: |
- Shared iOS/macOS code — verify changes work for both platform targets.
- All FlutterResult callbacks must be invoked exactly once.

# Windows C++
- path: "auth0_flutter/windows/**/*.cpp"
instructions: |
- All MethodChannel result callbacks must be called exactly once.
- Auth errors must surface to Flutter, not be silently ignored.
- Flag any raw pointer usage that could leak or dangle — prefer smart pointers.

# Web Dart
- path: "auth0_flutter/lib/src/web/**"
instructions: |
- Web implementation wraps auth0-spa-js — verify any token/session behavior matches the JS SDK contract.
- Browser security: check for XSS risks in any HTML/JS interop.

# CI/CD
- path: ".github/workflows/**"
instructions: |
- All actions must be pinned to a full commit SHA, not a mutable tag.
- Secrets must use `${{ secrets.NAME }}` syntax, never hardcoded.
- Permissions block should follow least-privilege — flag any `write-all` or unnecessary write permissions.
- Check that new jobs are added to the `upload-coverage.needs` list if they produce coverage.

# Pubspec files
- path: "**/pubspec.yaml"
instructions: |
- Dependency version bumps that cross a major version are breaking changes — flag them prominently.
- `secure_pubspec_urls` lint is enabled — all URLs must use HTTPS.
- Check that `version` fields in auth0_flutter and auth0_flutter_platform_interface are bumped consistently when the interface changes.

# Changelogs
- path: "**/CHANGELOG.md"
instructions: |
- Entries must follow Keep a Changelog format.
- PR title prefixes are `af:` (auth0_flutter) and `afpi:` (auth0_flutter_platform_interface) — verify the correct changelog is updated.

chat:
auto_reply: true

knowledge_base:
opt_out: false
web_search: true
learnings:
scope: auto
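Review bot: the `path_filters` block drops every lockfile (`"!**/*.lock"`), which takes the Dart, CocoaPods and npm lockfiles this tree evidently has (it also excludes `Pods/` and `node_modules/`) out of the bot's view, yet the lockfile is exactly where a dependency substitution or a silently resolved major-version change lands; the `**/pubspec.yaml` instructions ask for major-version bumps to be flagged prominently, and the `.github/workflows/**` rule demands SHA-pinned actions, so a blanket lockfile exclusion undercuts the supply-chain posture the rest of the file sets. Suggest removing `"!**/*.lock"` and, if lockfile diffs are too noisy for line comments, adding a `path_instructions` entry for `**/pubspec.lock` that asks only for a check that resolved versions stay within the constraints declared in `pubspec.yaml`. Two smaller coverage gaps in the same block: the Android rule matches only `auth0_flutter/android/**/*.kt` while the exclusion of `GeneratedPluginRegistrant.java` shows Java sources exist, and the Windows rule matches only `*.cpp`, so header files under `auth0_flutter/windows/` receive no instructions; a second `path` entry for `*.java` and `*.h` (or a brace-expanded glob, if the schema accepts one) would close both. Finally, the `drafts: false` and `base_branches` settings are fine, but the `beta-release/**` entry is still flagged by the author's own comment as unverified, so confirm that branch prefix exists before merging or the bot will never run on those PRs.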