provisioning/schemas/lib/keeper_policy.ncl

# schemas/lib/keeper_policy.ncl — Keeper auto-sign policy schema (ADR-038)
#
# Declarative-only closed shape parsed by the keeper-daemon Rust matcher.
# Policy files (policy-<workspace>/policy.ncl) MUST conform to PolicyDef and
# MUST NOT contain Nickel function definitions or imports beyond this schema.
# Constraint: policy-files-are-declarative-only (ADR-038).
#
# Usage:
#   let kp = import "schemas/lib/keeper_policy.ncl" in
#   { policy | kp.PolicyDef = { auto_sign = [...], require_manual = [...] } }

# Op type wildcard contract — superset of ops_contract.ncl OpsType that also accepts "*"
let OpTypeOrAny =
  std.contract.custom (
    fun label =>
      fun value =>
        let valid = ["deploy", "scale", "restart", "secret_update", "drain", "*"] in
        if std.array.any (fun x => x == value) valid then
          'Ok value
        else
          'Error {
            message = "Invalid op_type '%{value}'.\nValid values: deploy | scale | restart | secret_update | drain | *"
          }
  )
in

# A single match rule — all fields are glob patterns applied by the Rust matcher.
# Absent / defaulted-to-"*" field means "match any value for this dimension".
# The matcher evaluates rules top-to-bottom; first matching rule wins.
let _MatchRule = {
  op_type         | OpTypeOrAny   | doc "Op type this rule applies to; '*' matches any op type" | default = "*",
  image_patterns  | Array String  | doc "Glob patterns matched against OCI image reference in the op payload (deploy ops only)" | default = ["*"],
  target_patterns | Array String  | doc "Glob patterns matched against the op target name (e.g., 'staging-*', 'vapora')" | default = ["*"],
  scope_patterns  | Array String  | doc "Glob patterns matched against JWT scope entries (<op_type>:<target_pattern>)" | default = ["*"],
} in

# Top-level policy file schema. Evaluation order: auto_sign rules checked first (top-to-bottom),
# then require_manual. If no rule matches, the op is held pending for manual review.
let _PolicyDef = {
  version        | Number        | doc "Schema version — keeper-daemon rejects files with unknown versions" | default = 1,
  auto_sign      | Array _MatchRule | doc "Rules for operations the keeper-daemon may sign automatically" | default = [],
  require_manual | Array _MatchRule | doc "Rules for operations that must be signed interactively via keeper-cli" | default = [],
} in

{
  OpTypeOrAny = OpTypeOrAny,
  MatchRule   = _MatchRule,
  PolicyDef   = _PolicyDef,

  make_policy | not_exported = fun data => data | _PolicyDef,
}
docs: update README and CHANGELOG for nickel branch (2026-05-12) 2026-05-12 02:23:01 +01:00			`# schemas/lib/keeper_policy.ncl — Keeper auto-sign policy schema (ADR-038)`
			`#`
			`# Declarative-only closed shape parsed by the keeper-daemon Rust matcher.`
			`# Policy files (policy-<workspace>/policy.ncl) MUST conform to PolicyDef and`
			`# MUST NOT contain Nickel function definitions or imports beyond this schema.`
			`# Constraint: policy-files-are-declarative-only (ADR-038).`
			`#`
			`# Usage:`
			`# let kp = import "schemas/lib/keeper_policy.ncl" in`
			`# { policy \| kp.PolicyDef = { auto_sign = [...], require_manual = [...] } }`

			`# Op type wildcard contract — superset of ops_contract.ncl OpsType that also accepts "*"`
			`let OpTypeOrAny =`
			`std.contract.custom (`
			`fun label =>`
			`fun value =>`
			`let valid = ["deploy", "scale", "restart", "secret_update", "drain", "*"] in`
			`if std.array.any (fun x => x == value) valid then`
			`'Ok value`
			`else`
			`'Error {`
			`message = "Invalid op_type '%{value}'.\nValid values: deploy \| scale \| restart \| secret_update \| drain \| *"`
			`}`
			`)`
			`in`

			`# A single match rule — all fields are glob patterns applied by the Rust matcher.`
			`# Absent / defaulted-to-"*" field means "match any value for this dimension".`
			`# The matcher evaluates rules top-to-bottom; first matching rule wins.`
			`let _MatchRule = {`
			`op_type \| OpTypeOrAny \| doc "Op type this rule applies to; '' matches any op type" \| default = "",`
			`image_patterns \| Array String \| doc "Glob patterns matched against OCI image reference in the op payload (deploy ops only)" \| default = ["*"],`
			`target_patterns \| Array String \| doc "Glob patterns matched against the op target name (e.g., 'staging-', 'vapora')" \| default = [""],`
			`scope_patterns \| Array String \| doc "Glob patterns matched against JWT scope entries (<op_type>:<target_pattern>)" \| default = ["*"],`
			`} in`

			`# Top-level policy file schema. Evaluation order: auto_sign rules checked first (top-to-bottom),`
			`# then require_manual. If no rule matches, the op is held pending for manual review.`
			`let _PolicyDef = {`
			`version \| Number \| doc "Schema version — keeper-daemon rejects files with unknown versions" \| default = 1,`
			`auto_sign \| Array _MatchRule \| doc "Rules for operations the keeper-daemon may sign automatically" \| default = [],`
			`require_manual \| Array _MatchRule \| doc "Rules for operations that must be signed interactively via keeper-cli" \| default = [],`
			`} in`

			`{`
			`OpTypeOrAny = OpTypeOrAny,`
			`MatchRule = _MatchRule,`
			`PolicyDef = _PolicyDef,`

			`make_policy \| not_exported = fun data => data \| _PolicyDef,`
			`}`