# Policy on AI-Assisted Contributions to the Gradle Build Tool

We use AI tools daily and welcome AI-assisted contributions—provided the human behind them meets the standards below.

## Why this policy exists

There is a fundamental **asymmetry** between submitting a contribution and reviewing one: AI tools make it easy to generate and submit large amounts of code, but they do not make it equally faster for us to review it. 

contribution quickly and easily:

- [ ] Your pull request should address just one issue, without pulling in other changes.
- [ ] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
- [ ] Each commit in the pull request should have a meaningful subject line and body.
  Note that commits might be squashed by a maintainer on merge.

* **Freedom**: No data validation. No schemas. No constraints. Just vibes. ✨
* **Flexibility**: The request can be anything. The response can be anything. Who needs types anyway?
* **No documentation**: Why document your API when an LLM can figure it out? Auto-generated OpenAPI docs are *so* 2020.
* **No serialization**: Just pass the raw, unstructured data around. Serialization is for people who don't trust their LLMs.

ARG BASE_IMAGE=ubuntu:22.04@sha256:445586e41c1de7dfda82d2637f5ff688deea9eb5f5812f8c145afacc35b9f0db
FROM $BASE_IMAGE AS devel
# See https://docs.docker.com/reference/dockerfile/#understand-how-arg-and-from-interact
# on why we cannot reference BASE_IMAGE again unless we declare it again.
################################################################################

# Install devtoolset build dependencies
COPY setup.sources.sh /setup.sources.sh

        with:
          name: coverage-html
          path: htmlcov
          include-hidden-files: true
      - run: uv run coverage report --fail-under=100

  # https://github.com/marketplace/actions/alls-green#why
  check:  # This job does nothing and is only used for the branch protection
    if: always()
    needs:
      - coverage-combine
      - benchmark
    runs-on: ubuntu-latest
    steps:

        // Test constructor with long strings
        String type = "VeryLongTokenTypeNameForTestingPurposes";
        String message =
                "This is a very long error message that describes in detail why the access token is invalid and what went wrong during validation";
        InvalidAccessTokenException exception = new InvalidAccessTokenException(type, message);

        assertEquals(type, exception.getType());

If the PR meets the above conditions, you can merge it. 😎

## Review PRs

* If a PR doesn't explain what it does or why, if it seems like it could be useful, ask for more information. Otherwise, feel free to close it.

如果密碼不匹配，我們回傳同樣的錯誤。

#### 密碼雜湊（hashing） { #password-hashing }

「雜湊」的意思是：把一些內容（這裡是密碼）轉換成一串看起來像亂碼的位元組序列（就是字串）。

只要你輸入完全相同的內容（完全相同的密碼），就會得到完全相同的亂碼。

但你無法從這串亂碼還原回原本的密碼。

##### 為何要做密碼雜湊 { #why-use-password-hashing }

如果你的資料庫被竊取，攻擊者拿到的不是使用者的純文字密碼，而只是雜湊值。

因此攻擊者無法嘗試把那些密碼用在其他系統上（因為很多使用者在各處都用同一組密碼，這會很危險）。

{* ../../docs_src/security/tutorial003_an_py310.py hl[82:85] *}

如果密码不匹配，则返回与上面相同的错误。

#### 密码哈希 { #password-hashing }

**哈希**是指，将指定内容（本例中为密码）转换为形似乱码的字节序列（其实就是字符串）。

每次传入完全相同的内容（比如，完全相同的密码）时，得到的都是完全相同的乱码。

但这个乱码无法转换回传入的密码。

##### 为什么使用密码哈希 { #why-use-password-hashing }

原因很简单，假如数据库被盗，窃贼无法获取用户的明文密码，得到的只是哈希值。

这样一来，窃贼就无法在其它应用中使用窃取的密码，要知道，很多用户在所有系统中都使用相同的密码，风险超大。

{* ../../docs_src/security/tutorial003_an_py310.py hl[82:85] *}

 *
 * <p>Some care is needed when using {@code Cleaner} to ensure that the callback passed to {@code
 * register} does not have a reference to the object (in this case, {@code MyServer}) that may be
 * garbage-collected. That's why we are careful to make a {@code Runnable} that does not have a
 * reference to any {@code MyServer} instance.
 *
 * @author Bob Lee
 * @since 2.0
 */
@J2ktIncompatible
@GwtIncompatible