refactor(audit): drop pre-yolo:scope inference fallback #84
Merged
`Audit::scope()` inferred a resource's scope when the `yolo:scope` tag was absent — app-scope from a `yolo:app` tag, account-scope from the OIDC provider's ARN shape. That was backwards-compat for resources synced before the scope-tag rollout. Sync now stamps `yolo:scope` on everything it creates (via ResolvesTags, for every scope including the account-global OIDC provider), so the inference is dead weight.

scope() now reads the tag and nothing else; a resource with no `yolo:scope` is, by definition, not YOLO-scoped (an unexpected/unowned resource) and is bucketed under `env` for display.

Removes the now-unused `isAccountGlobal()` helper and the `Arn` argument only the inference needed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Hey, I made a thing! 🥳
What problems are you solving?
Clean-up follow-up to #83.
`Audit::scope()` carried a backwards-compat inference fallback: when a resource had no `yolo:scope` tag, it guessed the scope — app-scope from a `yolo:app` tag, account-scope from the OIDC provider's ARN shape, env otherwise. That existed only for resources synced before the `yolo:scope` tag rollout.

Sync now stamps `yolo:scope` on everything it creates (via `ResolvesTags`, for every scope — including the account-global OIDC provider, which explicitly carries `yolo:scope=account`). So the inference is dead weight, and we don't need the back-compat.

- `scope()` now reads the `yolo:scope` tag and nothing else.
- A resource with no `yolo:scope` is, by definition, not YOLO-scoped — an unexpected/unowned resource — and is bucketed under `env` for display.
- Removes the now-unused `isAccountGlobal()` helper and the `Arn` argument that only the inference needed.

Is there anything the reviewer needs to know to deploy this?

`yolo:scope` today, so it always hit the explicit-tag arm anyway — including the OIDC provider. The removed arms only ever fired for pre-rollout (un-re-synced) resources, which is exactly the back-compat we're dropping.

🤖 Generated with Claude Code
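
A pre-deploy check for the change described above, as an added example that is not code from this PR or the project: it re-implements the old inference and the new tag-only lookup as the description states them, then lists the resources whose bucket would change and the ones with no `yolo:scope` at all. The function names, the inventory shape, the order of the two inference arms and the sample ARNs are assumptions.

```python
import re

# Standard AWS ARN form for an IAM OIDC provider; assumed to be the
# "ARN shape" the removed account-scope inference keyed on.
OIDC_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:oidc-provider/.+$")


def legacy_scope(tags, arn):
    """Old behaviour per the PR text: explicit tag first, then inference."""
    if "yolo:scope" in tags:
        return tags["yolo:scope"]
    if "yolo:app" in tags:          # app-scope inferred from yolo:app
        return "app"
    if OIDC_ARN.match(arn or ""):   # account-scope inferred from the ARN
        return "account"
    return "env"


def tag_only_scope(tags):
    """New behaviour: read yolo:scope only; untagged displays under env."""
    return tags.get("yolo:scope", "env")


def rebucketed(resources):
    """(arn, old, new) for every resource whose bucket changes."""
    changes = []
    for r in resources:
        old, new = legacy_scope(r["tags"], r["arn"]), tag_only_scope(r["tags"])
        if old != new:
            changes.append((r["arn"], old, new))
    return changes


def unowned(resources):
    """ARNs with no yolo:scope tag: re-sync them or investigate their origin."""
    return [r["arn"] for r in resources if "yolo:scope" not in r["tags"]]


# Constructed sample inventory (not real resources).
OIDC = "arn:aws:iam::123456789012:oidc-provider/"
SAMPLE = [
    {"arn": OIDC + "tagged.example.com", "tags": {"yolo:scope": "account"}},
    {"arn": OIDC + "legacy.example.com", "tags": {}},
    {"arn": "arn:aws:s3:::example-app-bucket", "tags": {"yolo:app": "web"}},
    {"arn": "arn:aws:sqs:us-east-1:123456789012:stray", "tags": {}},
]

if __name__ == "__main__":
    for arn, old, new in rebucketed(SAMPLE):
        print(f"{arn}: {old} -> {new}")
```

An empty `rebucketed()` result on a real inventory export confirms that the removed arms no longer fire for anything; the `unowned()` list is what will show up under `env` without being YOLO-scoped.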