Fix EasyCLA outage dev

[lukaszgryglicki]

Fixes prod outage (which is already reverted, but we want to retry porting py->go) (dev)

[coderabbitai]

Walkthrough

This PR refactors GitHub organization approval checking to use public org membership instead of per-org API calls, strengthens DynamoDB type safety by operating on typed AttributeValue maps directly, and updates the dependency audit allowlist for new high-severity advisories.

Changes

GitHub Organization Approval Refactoring

Layer / File(s)	Summary
Public Orgs API cla-backend-go/github/github_org.go	New ListUserPublicOrgs function paginated-retrieves a user's publicly visible GitHub org logins with input validation.
Approval Service Logic cla-backend-go/signatures/service.go	Refactors UserIsApproved to fetch user's public orgs once and case-insensitively match against approval list; introduces listUserPublicOrgs variable for test stubbing; errors are logged and treated as no-match rather than propagated.
Approval Tests cla-backend-go/signatures/service_test.go	Adds TestUserIsApproved_GithubOrgApprovalList covering case-insensitive matching, whitespace handling, empty scenarios, and API errors; adds TestListUserPublicOrgs_RejectsEmptyUser for input validation.

DynamoDB AttributeValue Type Safety

Layer / File(s)	Summary
String Normalization Utility cla-backend-legacy/internal/api/handlers.go	New normalizeProjectStringFields helper rewrites numeric-typed DynamoDB attributes to string type for specified field names.
Project Handler Refactoring cla-backend-legacy/internal/api/handlers.go	PostProjectV1 builds typed AttributeValue map directly; PutProjectV1 mutates items in-place with normalization to heal stale numeric-typed fields before updates.
OAuth User Handler Refactoring cla-backend-legacy/internal/api/github_oauth.go	githubGetOrCreateUser constructs and mutates typed DynamoDB AttributeValue maps directly, eliminating generic-map round-trips while preserving legacy response format.
Type Safety Tests cla-backend-legacy/internal/api/handlers_project_test.go	Tests verify normalization rewrites N→S for named fields, preserves existing types, ignores unknown keys, and that handlers produce string-typed fields directly.

Dependency Audit Allowlist

Layer / File(s)	Summary
Audit Configuration .yarn-audit-allowlist.json	Extends allowlist with new high-severity advisory IDs and adds security review notes for basic-ftp, axios, and simple-git vulnerabilities.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Fix EasyCLA outage dev' is vague and generic, using the phrase 'outage' without specifying what aspect of the codebase is being fixed.	Use a more specific title that describes the actual changes, such as 'Port GitHub org approval logic from Python to Go' or 'Update DynamoDB type handling in CLA backends'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description mentions fixing a production outage and porting from Python to Go, which aligns with the changeset's refactoring of approval logic and DynamoDB handling across Go and legacy backend services.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch unicron-fix-easycla-outage-devel

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.1)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR retries the Python→Go parity fixes that previously caused a production outage by (1) preventing DynamoDB attribute-type corruption from numeric-string coercion and (2) restoring GitHub org-based approval checks to use the public-orgs endpoint the OAuth bot can access.

Changes:

• Avoid store.InterfaceMapToItem numeric-string coercion by building/updating DynamoDB types.AttributeValue maps directly (and healing previously-corrupted project records on PUT).
• Fix CCLA GitHub org approval by listing a user’s public orgs (GET /users/<user>/orgs) instead of querying org memberships (403 for the bot), and add unit tests via a stub hook.
• Extend the Yarn audit allowlist with additional advisory IDs and notes.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
cla-backend-legacy/internal/api/handlers.go	Builds/patches DynamoDB AV maps directly for project create/update and normalizes stale numeric-typed string fields.
cla-backend-legacy/internal/api/handlers_project_test.go	Adds unit tests for project AV normalization/healing logic.
cla-backend-legacy/internal/api/github_oauth.go	Stops round-tripping user items through InterfaceMapToItem to avoid numeric-string coercion; preserves prior JSON “wire shape” for user_github_id.
cla-backend-go/signatures/service.go	Replaces org-membership checks with public-org listing for GitHub org approval and adds a test stub hook.
cla-backend-go/signatures/service_test.go	Adds regression tests for GitHub org approval behavior and guards ListUserPublicOrgs empty-input handling.
cla-backend-go/github/github_org.go	Introduces ListUserPublicOrgs helper wrapping GET /users/<user>/orgs with pagination and input validation.
.yarn-audit-allowlist.json	Allowlists additional Yarn audit advisories with explanatory notes.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.yarn-audit-allowlist.json (1)

29-35: Allowlist debt is growing rapidly across axios and basic-ftp — consider scheduling a dependency refresh.

After this PR, the allowlist contains 5 basic-ftp advisories (1116289, 1116454, 1116478, 1117083, 1117726) and 5 axios advisories (1116365, 1116473, 1117575, 1117590, 1117592). The axios prototype-pollution gadget chain (1117590) is particularly impactful: when Object.prototype has been polluted by any co-dependency, an attacker can silently intercept and modify every JSON response or fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body.

Each individual deferral was reasonable in isolation, but the accumulation now means the audit scanner is effectively suppressed for two critical transitive dependencies. Consider opening a dedicated tracking issue for a backend yarn.lock dependency refresh targeting at minimum simple-git >= 3.32.0 and the latest patched axios and basic-ftp versions, with a hard expiry date.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.yarn-audit-allowlist.json around lines 29 - 35, Create a dedicated tracking
issue to schedule a backend dependency refresh targeting simple-git >= 3.32.0
and the latest patched axios and basic-ftp releases, reference the specific
advisory IDs listed (basic-ftp: 1116289, 1116454, 1116478, 1117083, 1117726;
axios: 1116365, 1116473, 1117575, 1117590, 1117592; simple-git: 1117673), assign
an owner, set a hard expiry date for removing these temporary allowlist entries,
and include steps to update yarn.lock, run CI/tests, and then remove or tighten
entries in .yarn-audit-allowlist.json once patches are verified.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.yarn-audit-allowlist.json:
- Line 34: Update the allowlist entry for key "1117673" to stop silently
bypassing the simple-git RCE advisory: replace the current free-form note with a
factual entry that names the CVE IDs (CVE-2026-6951 / CVE-2026-28291), records
the patched version constraint (>= 3.32.0), and includes an explicit tracking
ticket reference (e.g., tracking ticket `#XXXX`) so the upgrade is not forgotten;
edit the value for "1117673" in .yarn-audit-allowlist.json (the existing
"1117673" entry) to contain those items and a brief justification for a
temporary allowlist if the upgrade cannot be applied in this PR.

In `@cla-backend-legacy/internal/api/handlers_project_test.go`:
- Around line 67-86: The test
TestPutProjectV1_BuildsStringTypesForDigitOnlyValues contains a tautological
first block that constructs AttributeValueMemberS directly and should be removed
or replaced; either delete the direct construction/assertion (lines creating
`item` with &types.AttributeValueMemberS and the subsequent asserts) and instead
invoke the handler or the shared item-builder used by PostProjectV1/PutProjectV1
to produce an item from a digit-only input and assert those produced attributes
are AttributeValueMemberS, or if a handler-level call isn't feasible, rename the
test to reflect it only verifies normalization (e.g. referencing
normalizeProjectStringFields) and keep only the meaningful stale-record rewrite
assertions; ensure you reference
TestPutProjectV1_BuildsStringTypesForDigitOnlyValues,
normalizeProjectStringFields, and the handler/builder
(PostProjectV1/PutProjectV1 or shared builder) when making the change.

---

Nitpick comments:
In @.yarn-audit-allowlist.json:
- Around line 29-35: Create a dedicated tracking issue to schedule a backend
dependency refresh targeting simple-git >= 3.32.0 and the latest patched axios
and basic-ftp releases, reference the specific advisory IDs listed (basic-ftp:
1116289, 1116454, 1116478, 1117083, 1117726; axios: 1116365, 1116473, 1117575,
1117590, 1117592; simple-git: 1117673), assign an owner, set a hard expiry date
for removing these temporary allowlist entries, and include steps to update
yarn.lock, run CI/tests, and then remove or tighten entries in
.yarn-audit-allowlist.json once patches are verified.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0e23cb12-98e7-4299-b5ba-45c8732e47b6

📥 Commits

Reviewing files that changed from the base of the PR and between 96e6104 and 5de79b3.

📒 Files selected for processing (7)

• .yarn-audit-allowlist.json
• cla-backend-go/github/github_org.go
• cla-backend-go/signatures/service.go
• cla-backend-go/signatures/service_test.go
• cla-backend-legacy/internal/api/github_oauth.go
• cla-backend-legacy/internal/api/handlers.go
• cla-backend-legacy/internal/api/handlers_project_test.go