Install defaults YAML files under enclave/ package in wheel

[rporres]

Map defaults/operators.yaml and defaults/platforms.yaml to enclave/defaults/ via hatchling wheel source mapping, so they install under the enclave package tree instead of at the site-packages root.

Update defaults_path() accordingly: walk two levels up to the enclave package directory (instead of three) and fall back to repo_root/defaults/ for editable installs.

Summary by CodeRabbit

• Chores
  • Updated build configuration to properly package and locate default files across different installation environments.

[coderabbitai]

Warning

Review limit reached

@rporres, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 58 minutes and 53 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: bb22bb2f-7b08-4c9d-89d5-bbf9bd7ba028

📥 Commits

Reviewing files that changed from the base of the PR and between 3401db7 and e2db2b8.

📒 Files selected for processing (2)

• pyproject.toml
• src/enclave/reconcile/cli.py

Walkthrough

The defaults_path() function in cli.py is updated to resolve default file paths from the enclave package directory with a fallback to the parent's defaults/ directory. Simultaneously, pyproject.toml adds a defaults source mapping so the defaults/ directory is packaged into the wheel under enclave/defaults.

Changes

Defaults Path Resolution and Wheel Packaging

Layer / File(s)	Summary
Defaults path resolution and wheel source mapping src/enclave/reconcile/cli.py, pyproject.toml	defaults_path() now resolves from Path(__file__).resolve().parent.parent / defaults / filename, with a fallback to enclave_pkg.parent.parent / defaults / filename, replacing the old pkg_root/parent-based layout. pyproject.toml adds "defaults" = "enclave/defaults" to tool.hatch.build.targets.wheel.sources so those files are included in the wheel.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🔍 The defaults once wandered through shadowed pkg_root lanes,
Lost in the delta between editable and installed chains.
Now __file__ anchors the path with a watchful eye,
A fallback stands guard should the primary path run dry.
The wheel sealed the bargain — enclave/defaults aboard,
No missing file shall slip past unchecked or ignored. 🛡️

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: moving default YAML files into the enclave package structure within the wheel distribution.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets	✅ Passed	No hardcoded secrets detected in PR changes. pyproject.toml adds only wheel mapping config; cli.py updates path resolution logic; defaults YAML files contain only operator/platform version metadata.
No-Weak-Crypto	✅ Passed	PR modifies packaging config and file path resolution only. No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or unsafe secret comparisons...
No-Injection-Vectors	✅ Passed	No injection vectors detected. YAML parsing uses safe_load() exclusively; defaults_path() receives only hardcoded string literals; no shell=True, os.system, eval, exec, pickle.loads, or other dange...
Container-Privileges	✅ Passed	PR modifies only Python packaging config (pyproject.toml) and source code (cli.py); no container/K8s manifests with privileged configurations present.
No-Sensitive-Data-In-Logs	✅ Passed	PR introduces no new logging statements and no code exposing passwords, tokens, API keys, PII, session IDs, hostnames, or customer data. Error messages expose only filesystem paths to config files...
Ai-Attribution	✅ Passed	Commit message includes proper Red Hat attribution: "Assisted-by: Claude Code noreply@anthropic.com" trailer. AI tool usage is correctly disclosed without misuse of Co-Authored-By.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch enclave-cli-files

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/enclave/reconcile/cli.py`:
- Around line 15-22: The defaults_path function concatenates the filename
parameter directly into a filesystem path without validation, which could allow
path traversal attacks if the function is called with untrusted input in the
future. Add a validation check at the beginning of the defaults_path function
that rejects any filename containing forward slashes (/), backslashes (\), or
double dots (..) by raising a ValueError with a descriptive error message. This
defensive measure should occur before the path is constructed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b253dc16-b303-4d25-b224-3f5fe32a6a1a

📥 Commits

Reviewing files that changed from the base of the PR and between a84e812 and 3401db7.

📒 Files selected for processing (2)

• pyproject.toml
• src/enclave/reconcile/cli.py