fix client-side flags override issue

[eeisegn]

• Stop client-side flags overriding server-side flags if set
• Provide explicit configuration to allow such overrides

Summary by CodeRabbit

• New Release

  • Added changelog entry for version 1.6.5 (2026-03-26).

• Bug Fixes

  • Server-side scanning flags no longer get overridden by client-supplied flags by default; client overrides require an explicit new configuration option (disabled by default).

• Tests

  • Added tests validating flag precedence and override behavior across multiple scanning scenarios.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e5d1f340-2987-4141-b4b4-24852e7ba93d

📥 Commits

Reviewing files that changed from the base of the PR and between cc122f6 and 63d7bdd.

📒 Files selected for processing (1)

• CHANGELOG.md

✅ Files skipped from review due to trivial changes (1)

• CHANGELOG.md

---

📝 Walkthrough

Walkthrough

Adds a server-side AllowFlagsOverride setting controlling whether client-provided scan flags can override server ScanFlags. When disabled (default), request flags are cleared and a warning is emitted. Changes touch changelog, production config, server defaults, scanning request logic, and tests.

Changes

Cohort / File(s)	Summary
Changelog & Prod Config CHANGELOG.md, config/app-config-prod.json	Added v1.6.5 changelog entry; added Scanning.AllowFlagsOverride = false to production config.
Server Configuration pkg/config/server_config.go	Added Scanning.AllowFlagsOverride bool to ServerConfig (env: SCAN_ALLOW_FLAGS_OVERRIDE) and set default false.
Scanning Service Logic pkg/service/scanning_service.go	getConfigFromRequest now evaluates AllowFlagsOverride and ScanFlags; if overrides are disallowed and server ScanFlags > 0, request flags are cleared with a warning; if allowed, request flags are used (debug logged).
Tests pkg/service/scanning_service_test.go	Added TestScanFlags, a table-driven test covering combinations of server ScanFlags, AllowFlagsOverride, and optional request flags header.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ScanningService as "Scanning Service"
    participant ServerConfig as "Server Config"
    participant Scanner as "Scanner/Engine"

    Client->>ScanningService: POST /scan (file + optional flags header)
    ScanningService->>ServerConfig: Read ScanFlags & AllowFlagsOverride
    alt AllowFlagsOverride == false and ServerConfig.ScanFlags > 0 and flags present
        ScanningService-->>Client: Emit warning (flags ignored)
        ScanningService->>ScanningService: Clear request flags
    else AllowFlagsOverride == true and flags present
        ScanningService-->>Client: Debug log (using request flags)
    end
    ScanningService->>Scanner: Start scan with resolved flags + file
    Scanner-->>ScanningService: Return scan result
    ScanningService-->>Client: HTTP 200 + result

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nudged a flag, set false by default,
Clients waved options, the server kept the vault.
A warning I whispered when rules stayed tight,
Tests hopped in circles to prove what's right.
Carrots, code, and cozy bytes. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix client-side flags override issue' directly and clearly summarizes the main change: preventing client-side flags from overriding server-side flags, which is the primary objective of the PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/DO-312-update-flags-override

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pkg/service/scanning_service_test.go (1)

670-673: Variable shadowing reduces clarity.

The variables fieldName (line 670) and file (line 673) shadow outer-scope variables with the same names. While this works correctly, it could cause confusion during maintenance.

♻️ Suggested fix to avoid shadowing

 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			myConfig.Scanning.ScanFlags = test.serverFlags
 			myConfig.Scanning.AllowFlagsOverride = test.allowFlagsOverride
 			myConfig.Scanning.ScanBinary = binary
-			filePath := file
-			fieldName := fieldName
+			filePath := file       // use outer `file` directly or rename
 			postBody := new(bytes.Buffer)
 			mw := multipart.NewWriter(postBody)
-			file, err := os.Open(filePath)
+			wfpFile, err := os.Open(filePath)
 			if err != nil {
 				t.Fatal(err)
 			}
-			writer, err := mw.CreateFormFile(fieldName, filePath)
+			writer, err := mw.CreateFormFile(fieldName, filePath)  // use outer fieldName directly
 			if err != nil {
 				t.Fatal(err)
 			}
-			if _, err = io.Copy(writer, file); err != nil {
+			if _, err = io.Copy(writer, wfpFile); err != nil {
 				t.Fatal(err)
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/service/scanning_service_test.go` around lines 670 - 673, The test
currently shadows outer-scope variables by re-declaring fieldName and file with
:= inside the multipart setup; update the block in scanning_service_test.go
(around the multipart writer setup) to avoid shadowing by either using
assignment (fieldName = fieldNameVal; openedFile, err = os.Open(filePath)) or
renaming the locals (e.g., localFieldName and openedFile) and replacing uses of
fieldName and file in that scope; ensure you still check and handle err after
opening the file and close the openedFile when done.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/service/scanning_service_test.go`:
- Around line 670-673: The test currently shadows outer-scope variables by
re-declaring fieldName and file with := inside the multipart setup; update the
block in scanning_service_test.go (around the multipart writer setup) to avoid
shadowing by either using assignment (fieldName = fieldNameVal; openedFile, err
= os.Open(filePath)) or renaming the locals (e.g., localFieldName and
openedFile) and replacing uses of fieldName and file in that scope; ensure you
still check and handle err after opening the file and close the openedFile when
done.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a560e008-1512-42f6-9d7e-f24862bfef78

📥 Commits

Reviewing files that changed from the base of the PR and between 6a6f886 and 06dc8d5.

📒 Files selected for processing (5)

• CHANGELOG.md
• config/app-config-prod.json
• pkg/config/server_config.go
• pkg/service/scanning_service.go
• pkg/service/scanning_service_test.go

[agustingroh]

should the test excercises 'getConfigFromRequest' and check the override behaviour instead of the asserting http.StatusOK?

Example:

tests := []struct {
    name               string
    serverFlags        int
    allowFlagsOverride bool
    clientFlags        string
    want               int
    wantFlags          string // flags actually used in the scan
}{
    {
        name:               "Scanning - server flags only",
        serverFlags:        1248,
        allowFlagsOverride: false,
        clientFlags:        "256",
        want:               http.StatusOK,
        wantFlags:          "1248",
    },
....

`
    for _, test := range tests {
        t.Run(test.name, func(t *testing.T) {
            myConfig.Scanning.ScanFlags = test.serverFlags
            myConfig.Scanning.AllowFlagsOverride = test.allowFlagsOverride

            req := httptest.NewRequest(http.MethodPost, "/scan/direct", nil)
            req.Header.Set("flags", test.clientFlags)

            apiService := NewAPIService(myConfig)
            cfg, err := apiService.getConfigFromRequest(req, logger)

            assert.NoError(t, err)
            assert.Equal(t, test.wantFlags, cfg.Flags)
        })
    }`

[eeisegn]

yes. will implement that

[agustingroh]

Please update the release date