feat(SharedBlueprints): put global blueprint proposals behind FF - AB…

[as-flow]

…-908

Summary by CodeRabbit

• Chores
  • Implemented feature flag control for the global blueprint proposal functionality, allowing the "Propose as global blueprint" option to be conditionally displayed based on feature enablement status.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds feature flag gating for the "Propose as global blueprint" option in the deployment settings panel. A new computed property checks for the "global_blueprint_proposals" feature flag and conditionally renders the relevant UI element.

Changes

Cohort / File(s)	Summary
BuilderSettings UI Component src/ui/src/builder/settings/BuilderSettingsDeploySharedBlueprint.vue	Introduces computed property isGlobalBlueprintProposalsEnabled that checks wf.featureFlags for "global_blueprint_proposals". Conditionally hides/shows the "Propose as global blueprint" option via v-if directive based on flag presence.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• writer/writer-framework#1244: Implements the global blueprint proposal feature and its corresponding UI, form fields, and deployment API integration that this PR now gates behind a feature flag.

Suggested reviewers

• madeindjs

Poem

🐰 A flag in the feature, a switch for the gate,
Global blueprints now pause, they patiently wait,
When the moment is right and the flag comes to play,
The proposals will bloom in their glorious way! ✨

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: putting global blueprint proposals behind a feature flag in the SharedBlueprints feature.
Linked Issues check	✅ Passed	The code changes successfully implement the core objective of AB-908 by introducing a feature flag check (isGlobalBlueprintProposalsEnabled) that gates the global blueprint proposal option.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the feature flag implementation for global blueprint proposals, with no unrelated modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat-AB-908

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pullrequest]

HackerOne Code Security Review

🟢 Scan Complete: 1 Issue(s)
🟢 Validation Complete: Any Issues detected were validated by one of our engineers. None were determined to require immediate action.

Here's how the code changes were interpreted and info about the tools used for scanning.

📖 Summary of Changes

The changes involve adding a computed property to conditionally render a global blueprint option in the BuilderSettingsDeploySharedBlueprint Vue component. The new property checks feature flags to determine whether the global blueprint option should be displayed, implementing a dynamic visibility control for the UI element.

File	Summary
src/ui/src/builder/settings/BuilderSettingsDeploySharedBlueprint.vue	Added a new computed property isGlobalBlueprintProposalsEnabled to conditionally render the global blueprint option based on feature flags, and added a v-if directive to the global option div to control its visibility.

ℹ️ Issues Detected

NOTE: These may not require action!

Below are unvalidated results from the Analysis Tools that ran during the latest scan for transparency. We investigate each of these for accuracy and relevance before surfacing them as a potential problem.

How will I know if something is a problem?
When validation completes, any concerns that warrant attention prior to merge will be posted as inline comments. These will show up in 2 ways:

• Expert review (most cases): Issues will be posted by experts who manually reviewed and validated them. These are real HackerOne engineers (not bots) reviewing through an integrated IDE-like tool. You can communicate with them like any other reviewer. They'll stay assigned and get notified with commit & comment updates.
• Automatically: In cases where our validation checks have highest confidence the problem is legitimate and urgent. These will include a description of contextual reasoning why & actionable next steps.

File & Line	Issue
src/ui/src/builder/settings/BuilderSettingsDeploySharedBlueprint.vue Line 86	The code introduces a feature flag check for global blueprint proposals, but doesn't validate the feature flag value before using it. If wf.featureFlags.value is manipulated by an attacker to be an array-like object with a malicious includes method, it could lead to unexpected behavior or privilege escalation by enabling features that should be disabled.

🧰 Analysis tools

• [ ✅ ] HackerOne AI Code Analysis
• [ ✅ ] HackerOne AI Code Validation
• [ ✅ ] semgrep
• [ ✅ ] bandit

⏱️ Latest scan covered changes up to commit 0a8134d (latest)

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/ui/src/builder/settings/BuilderSettingsDeploySharedBlueprint.vue (1)

31-43: Add feature flag re-check in handleDeploy before proposing as global blueprint.

Line 151 checks form.value.proposeAsGlobal without re-validating the feature flag. If the feature flag is disabled mid-session after the user checks the "Propose as global blueprint" checkbox, the global proposal would still attempt even though the feature flag is now off. Add a defensive check:

-		if (form.value.proposeAsGlobal) {
+		if (form.value.proposeAsGlobal && isGlobalBlueprintProposalsEnabled.value) {
 			// Propose as global blueprint via GitHub PR
 			const result = await writerApi.proposeSharedBlueprintGlobal({

🧹 Nitpick comments (1)

src/ui/src/builder/settings/BuilderSettingsDeploySharedBlueprint.vue (1)

84-88: Consider watching feature flag changes to reset form state.

While the current implementation is functional, consider adding a watcher to reset form.value.proposeAsGlobal to false if the feature flag is disabled during an active session. This would prevent any state inconsistencies if the flag changes while the modal is open.

🔎 Optional enhancement to watch feature flag changes

Add a watcher after the existing watch on isOpen:

 // Initialize form when modal opens
 watch(isOpen, (newValue) => {
 	if (newValue) {
 		resetForm();
 	}
 });
+
+// Reset proposeAsGlobal if feature flag is disabled mid-session
+watch(isGlobalBlueprintProposalsEnabled, (newValue) => {
+	if (!newValue && form.value.proposeAsGlobal) {
+		form.value.proposeAsGlobal = false;
+	}
+});

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5bf4782 and 0a8134d.

📒 Files selected for processing (1)

• src/ui/src/builder/settings/BuilderSettingsDeploySharedBlueprint.vue

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: build (3.9)
• GitHub Check: build (3.12)
• GitHub Check: build (3.10)
• GitHub Check: build (3.13)
• GitHub Check: build (3.11)
• GitHub Check: tests (chromium)
• GitHub Check: tests (firefox)
• GitHub Check: tests (webkit)

🔇 Additional comments (1)

src/ui/src/builder/settings/BuilderSettingsDeploySharedBlueprint.vue (1)

84-88: LGTM!

The feature flag check is implemented correctly with proper defensive programming. The Array.isArray check handles edge cases where featureFlags might be undefined or null.

[pullrequest]

✅ Graham C reviewed all the included code changes and associated automation findings and determined that there were no immediately actionable security flaws. Note that they will continue to be notified of any new commits or comments and follow up as needed throughout the duration of this pull request's lifecycle.

Graham C

---

Reviewed with ❤️ by PullRequest