provisioning/schemas/lib/manifest_plan.ncl

{
  ManifestAction = std.enum.TagOrString,

  StepHook = {
    action | ManifestAction,
    params | { _ | String } | default = {},
    delay  | Number         | default = 0,
  },

  ManifestEntry = {
    file           | String           | optional,
    action         | ManifestAction   | default = 'apply,
    skip_if_exists | Bool             | default = false,
    delay          | Number           | default = 0,
    params         | { _ | String }   | default = {},
    pre            | Array StepHook   | default = [],
    post           | Array StepHook   | default = [],
  },

  _ManifestPlanSafe = std.contract.custom (fun label value =>
    let base = value | {
      init    | Array ManifestEntry | default = [],
      update  | Array ManifestEntry | default = [],
      delete  | Array ManifestEntry | default = [],
      restart | Array ManifestEntry | default = [],
    } in
    let protected = ["namespace", "pvc"] in
    let is_destructive = fun a =>
      a == 'delete || a == "delete" || a == 'recreate || a == "recreate"
    in
    let violations = fun op steps =>
      steps
      |> std.array.filter (fun e =>
          std.record.has_field "file" e
          && std.array.elem e.file protected
          && is_destructive e.action
        )
      |> std.array.map (fun e => "%{op}:%{e.file}")
    in
    let all_violations =
      violations "update"  base.update
      @ violations "delete"  base.delete
      @ violations "restart" base.restart
    in
    if std.array.length all_violations > 0 then
      let msg = std.string.join ", " all_violations in
      'Error { message = "ManifestPlan: protected resources cannot use delete/recreate — [%{msg}]" }
    else
      'Ok base
  ),

  ManifestPlan = _ManifestPlanSafe,
}
docs: update README and CHANGELOG for nickel branch (2026-05-12) 2026-05-12 02:23:01 +01:00			`{`
			`ManifestAction = std.enum.TagOrString,`

			`StepHook = {`
			`action \| ManifestAction,`
			`params \| { _ \| String } \| default = {},`
			`delay \| Number \| default = 0,`
			`},`

			`ManifestEntry = {`
			`file \| String \| optional,`
			`action \| ManifestAction \| default = 'apply,`
			`skip_if_exists \| Bool \| default = false,`
			`delay \| Number \| default = 0,`
			`params \| { _ \| String } \| default = {},`
			`pre \| Array StepHook \| default = [],`
			`post \| Array StepHook \| default = [],`
			`},`

			`_ManifestPlanSafe = std.contract.custom (fun label value =>`
			`let base = value \| {`
			`init \| Array ManifestEntry \| default = [],`
			`update \| Array ManifestEntry \| default = [],`
			`delete \| Array ManifestEntry \| default = [],`
			`restart \| Array ManifestEntry \| default = [],`
			`} in`
			`let protected = ["namespace", "pvc"] in`
			`let is_destructive = fun a =>`
			`a == 'delete \|\| a == "delete" \|\| a == 'recreate \|\| a == "recreate"`
			`in`
			`let violations = fun op steps =>`
			`steps`
			`\|> std.array.filter (fun e =>`
			`std.record.has_field "file" e`
			`&& std.array.elem e.file protected`
			`&& is_destructive e.action`
			`)`
			`\|> std.array.map (fun e => "%{op}:%{e.file}")`
			`in`
			`let all_violations =`
			`violations "update" base.update`
			`@ violations "delete" base.delete`
			`@ violations "restart" base.restart`
			`in`
			`if std.array.length all_violations > 0 then`
			`let msg = std.string.join ", " all_violations in`
			`'Error { message = "ManifestPlan: protected resources cannot use delete/recreate — [%{msg}]" }`
			`else`
			`'Ok base`
			`),`

			`ManifestPlan = _ManifestPlanSafe,`
			`}`