feat: unify validation process with RBAC support and enhance validator functionality

sehwan505 · sehwan505 · commit 0368043f7338 · 2025-11-17T00:17:45.000+09:00
diff --git a/internal/cmd/validate.go b/internal/cmd/validate.go
@@ -106,12 +106,14 @@ func runValidate(cmd *cobra.Command, args []string) error {
 
 	fmt.Printf("Found %d changed file(s)\n", len(changes))
 
-	// Create validator
-	v := validator.NewLLMValidator(llmClient, &policy)
+	// Create unified validator that handles all engines + RBAC
+	v := validator.NewValidator(&policy, true) // verbose=true for CLI
+	v.SetLLMClient(llmClient)
+	defer v.Close()
 
 	// Validate changes
 	ctx := context.Background()
-	result, err := v.Validate(ctx, changes)
+	result, err := v.ValidateChanges(ctx, changes)
 	if err != nil {
 		return fmt.Errorf("validation failed: %w", err)
 	}
diff --git a/internal/git/repo.go b/internal/git/repo.go
@@ -54,3 +54,13 @@ func IsGitRepo() bool {
 	err := cmd.Run()
 	return err == nil
 }
+
+// GetCurrentUser returns the current git user name
+func GetCurrentUser() (string, error) {
+	cmd := exec.Command("git", "config", "--get", "user.name")
+	output, err := cmd.Output()
+	if err != nil {
+		return "", fmt.Errorf("failed to get git user.name: %w", err)
+	}
+	return strings.TrimSpace(string(output)), nil
+}
diff --git a/internal/mcp/server.go b/internal/mcp/server.go
@@ -15,6 +15,7 @@ import (
 	"github.com/DevSymphony/sym-cli/internal/git"
 	"github.com/DevSymphony/sym-cli/internal/llm"
 	"github.com/DevSymphony/sym-cli/internal/policy"
+	"github.com/DevSymphony/sym-cli/internal/roles"
 	"github.com/DevSymphony/sym-cli/internal/validator"
 	"github.com/DevSymphony/sym-cli/pkg/schema"
 	sdkmcp "github.com/modelcontextprotocol/go-sdk/mcp"
@@ -446,9 +447,16 @@ func (s *Server) handleQueryConventions(params map[string]interface{}) (interfac
 			}
 			textContent += "\n"
 		}
-		textContent += "\n✓ Next Step: Implement your code following these conventions. After completion, MUST call validate_code to verify compliance."
 	}
 
+	// Add RBAC information if available
+	rbacInfo := s.getRBACInfo()
+	if rbacInfo != "" {
+		textContent += "\n\n" + rbacInfo
+	}
+
+	textContent += "\n✓ Next Step: Implement your code following these conventions. After completion, MUST call validate_code to verify compliance."
+
 	// Return MCP-compliant response with content array
 	return map[string]interface{}{
 		"content": []map[string]interface{}{
@@ -635,11 +643,15 @@ func (s *Server) handleValidateCode(params map[string]interface{}) (interface{},
 	}
 
 	llmClient := llm.NewClient(apiKey)
-	llmValidator := validator.NewLLMValidator(llmClient, validationPolicy)
 
-	// Validate git changes
+	// Create unified validator that handles all engines + RBAC
+	v := validator.NewValidator(validationPolicy, false) // verbose=false for MCP
+	v.SetLLMClient(llmClient)
+	defer v.Close()
+
+	// Validate git changes using unified validator
 	ctx := context.Background()
-	result, err := llmValidator.Validate(ctx, changes)
+	result, err := v.ValidateChanges(ctx, changes)
 	if err != nil {
 		return nil, &RPCError{
 			Code:    -32000,
@@ -904,3 +916,70 @@ func (s *Server) needsConversion(codePolicyPath string) bool {
 func (s *Server) convertUserPolicy(userPolicyPath, codePolicyPath string) error {
 	return ConvertPolicyWithLLM(userPolicyPath, codePolicyPath)
 }
+
+// getRBACInfo returns RBAC information for the current user
+func (s *Server) getRBACInfo() string {
+	// Try to get current user
+	username, err := git.GetCurrentUser()
+	if err != nil {
+		// Not in a git environment or user not configured
+		return ""
+	}
+
+	// Get user's role
+	userRole, err := roles.GetUserRole(username)
+	if err != nil {
+		// Roles not configured
+		return ""
+	}
+
+	if userRole == "none" {
+		return fmt.Sprintf("⚠️  RBAC: User '%s' has no assigned role. You may not have permission to modify files.", username)
+	}
+
+	// Load user policy to get RBAC details
+	userPolicy, err := roles.LoadUserPolicyFromRepo()
+	if err != nil {
+		// User policy not available
+		return fmt.Sprintf("🔐 RBAC: Current user '%s' has role '%s'", username, userRole)
+	}
+
+	// Check if RBAC is defined
+	if userPolicy.RBAC == nil || userPolicy.RBAC.Roles == nil {
+		return fmt.Sprintf("🔐 RBAC: Current user '%s' has role '%s' (no restrictions defined)", username, userRole)
+	}
+
+	// Get role configuration
+	roleConfig, exists := userPolicy.RBAC.Roles[userRole]
+	if !exists {
+		return fmt.Sprintf("⚠️  RBAC: User '%s' has role '%s', but role is not defined in policy", username, userRole)
+	}
+
+	// Build RBAC info message
+	var rbacMsg strings.Builder
+	rbacMsg.WriteString("🔐 RBAC Information:\n")
+	rbacMsg.WriteString(fmt.Sprintf("   User: %s\n", username))
+	rbacMsg.WriteString(fmt.Sprintf("   Role: %s\n", userRole))
+
+	if len(roleConfig.AllowWrite) > 0 {
+		rbacMsg.WriteString(fmt.Sprintf("   Allowed paths: %s\n", strings.Join(roleConfig.AllowWrite, ", ")))
+	} else {
+		rbacMsg.WriteString("   Allowed paths: All files (no restrictions)\n")
+	}
+
+	if len(roleConfig.DenyWrite) > 0 {
+		rbacMsg.WriteString(fmt.Sprintf("   Denied paths: %s\n", strings.Join(roleConfig.DenyWrite, ", ")))
+	}
+
+	if roleConfig.CanEditPolicy {
+		rbacMsg.WriteString("   Can edit policy: Yes\n")
+	}
+
+	if roleConfig.CanEditRoles {
+		rbacMsg.WriteString("   Can edit roles: Yes\n")
+	}
+
+	rbacMsg.WriteString("\n⚠️  Note: Modifications to denied paths will be blocked during validation.")
+
+	return rbacMsg.String()
+}
diff --git a/internal/validator/llm_validator.go b/internal/validator/llm_validator.go
@@ -69,7 +69,7 @@ func (v *LLMValidator) Validate(ctx context.Context, changes []GitChange) (*Vali
 		for _, rule := range llmRules {
 			result.Checked++
 
-			violation, err := v.checkRule(ctx, change, addedLines, rule)
+			violation, err := v.CheckRule(ctx, change, addedLines, rule)
 			if err != nil {
 				// Log error but continue
 				fmt.Printf("Warning: failed to check rule %s: %v\n", rule.ID, err)
@@ -106,8 +106,9 @@ func (v *LLMValidator) filterLLMRules() []schema.PolicyRule {
 	return llmRules
 }
 
-// checkRule checks if code violates a specific rule using LLM
-func (v *LLMValidator) checkRule(ctx context.Context, change GitChange, addedLines []string, rule schema.PolicyRule) (*Violation, error) {
+// CheckRule checks if code violates a specific rule using LLM
+// This is the single source of truth for LLM-based validation logic
+func (v *LLMValidator) CheckRule(ctx context.Context, change GitChange, addedLines []string, rule schema.PolicyRule) (*Violation, error) {
 	// Build prompt for LLM
 	systemPrompt := `You are a code reviewer. Check if the code changes violate the given coding convention.
 
diff --git a/internal/validator/validator.go b/internal/validator/validator.go
