feat: grant core + grants schema + validation (#117) #123
Merged
- checkGrants: default arm so a future Grantable wired into grant.For without a switch resolver fails loudly instead of skipping validation
- globalHasResources: count PKI resources (a global PKI-only slice with no providers block must still fail the guard)
- checkGrants: skip field-publication checks for an unresolved target so a wrong resource name yields one clear error, not a misleading cascade
- checkGrants: reject an output template that interpolates no field (a dropped-brace typo would otherwise validate as a constant)
- extract reservedEnvNameErrs shared by the environment.yaml and grant-output checks; fix the doc comment that overstated the reserved MTLS_* namespace
Part of #117. Foundational slice of ADR-0025 (the Grant capability), landing in dependency order ahead of the two provider slices.
What this slice ships (slice A — grant core + schema + validation)

No provider behavior yet — this is the abstraction, the manifest schema, and the credential-free `inforge validate` pass.

- `internal/grant` — the `Grantable` interface (`Grant(...)` stub + credential-free `FieldNames(perm) (values, files)`), `Permission` (`ro|rw`), `Fields`/`FileMaterial`, the `grant.For(type)` lookup, and the `{FIELD}` template machinery (`ParseTemplate`/`Template.{Fields,HasLiteral,Interpolate}`). `Database` publishes value fields `{USER,PASSWORD,HOST,PORT,DBNAME}`; `PKIResource` publishes file fields `{CERT}` (verify/ro) and `{CERT,KEY}` (issue/rw). `FieldNames` is credential- and instance-independent, so validation is real and testable without pulling in pgx or the PKI generate command — the `Grant(...)` bodies are clearly-marked stubs for slices B/C.
- `grants:` added to the service manifest (`ServiceSpec` + `schemas/service.json`): a list of `{resource: <type>/<name>, permission: ro|rw, outputs: map[ENV]=template}`, sitting with `pki:`/`ingress:`.
- `types.PKIResourceSpec` + `schemas/pkiresource.json` + loader/validate enumeration for `regional|global/pki/<name>/manifest.yaml` (root-only, scope from folder). This is the one refinement to the proposed A/B/C split (confirmed before coding): slice A's `pki/*` grant-validation bullets (target-exists, root-only, cross-region) require the validator to resolve PKI-resource folders, so the declarative type lands here. The `pki.enc.yaml` sidecar, `inforge pki generate`, and the Grant/projection behavior stay in slice C.
- `inforge validate` — `checkGrants` implements every ADR "Validation" bullet credential-free: target resolves to a supported Grantable of the right shape; permission ∈ {ro,rw}; every `{FIELD}` is published for that permission; a file field must stand alone; output env names avoid reserved `INFORGE_*`/`MTLS_*` (reusing `meshcert.DescriptorFiles()`) and don't collide with `environment.yaml` keys or each other across grants. Cross-region boundary falls out of target resolution (shared regional set + `global/` prefix), mirroring `ref:`. Plus `checkPKIResource` rejects a non-root-only PKI resource.

The bootstrapper is untouched (the point of the value/file field-kind split). Grants are not wired into deploy in this slice.

Follow-on slices

- `NeonRole` + `ro`/`rw` Postgres GRANTs over a CGO-free pgx owner connection; removes `DatabaseOutputs.ConnectionURL` (breaking — migrates `ref:database/*.connectionUrl` consumers).
- `pki.enc.yaml` sidecar, `inforge pki generate`, the `verify`/`issue` file-field Grant + file-output projection.

Tests / gates

- `internal/grant` (template parse/interpolate, field names, `For`, permission) and `validate.checkGrants`/`checkPKIResource` (all error paths + valid cases incl. global targets); the `ok` validate fixture gains a regional PKI resource and grants on the `api` service to exercise the end-to-end path.
- `go build ./...`, `go test -race ./...`, `golangci-lint run ./...` all clean.

Docs: `internal/CONTEXT.md` glossary (Grant/Grantable/PKI resource/Field/Output) already merged with ADR-0025; `AGENTS.md` gains a Grants section.
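
The credential-free template checks described above (every `{FIELD}` published for the permission, a file field standing alone, a template that interpolates no field, an unresolved target yielding a single error), as an added Go sketch that is not inforge's code. The names `published`, `fieldRe`, `checkOutput`, the error strings and the sample env names are hypothetical; the field sets are the ones listed in the PR description.

```go
package main

import (
	"fmt"
	"regexp"
)

// Field name -> true when the field is file material rather than a value.
var dbFields = map[string]bool{"USER": false, "PASSWORD": false, "HOST": false, "PORT": false, "DBNAME": false}

// published maps "<type>/<permission>" to the fields that grant exposes (constructed table).
var published = map[string]map[string]bool{
	"database/ro": dbFields,
	"database/rw": dbFields,
	"pki/ro":      {"CERT": true},
	"pki/rw":      {"CERT": true, "KEY": true},
}

var fieldRe = regexp.MustCompile(`\{([A-Z0-9_]+)\}`)

// checkOutput returns the validation errors for one grant output template.
func checkOutput(resType, perm, env, tmpl string) []string {
	pub, ok := published[resType+"/"+perm]
	if !ok {
		// Unresolved target or permission: one clear error, no field cascade.
		return []string{env + ": no grantable for " + resType + "/" + perm}
	}
	matches := fieldRe.FindAllStringSubmatch(tmpl, -1)
	if len(matches) == 0 {
		// A dropped brace ("USER}") would otherwise validate as a constant.
		return []string{env + ": template interpolates no field"}
	}
	var errs []string
	for _, m := range matches {
		isFile, known := pub[m[1]]
		switch {
		case !known:
			errs = append(errs, env+": field "+m[0]+" not published for "+perm)
		case isFile && tmpl != m[0]:
			errs = append(errs, env+": file field "+m[0]+" must stand alone")
		}
	}
	return errs
}

func main() {
	// Constructed inputs: a read-only PKI grant asking for the private key.
	fmt.Println(checkOutput("pki", "ro", "TLS_KEY", "{KEY}"))
	fmt.Println(checkOutput("database", "ro", "DATABASE_URL", "postgres://{USER}:{PASSWORD}@{HOST}:{PORT}/{DBNAME}"))
}
```

The first call shows the least-privilege property the permission split buys: a `ro` (verify) PKI grant cannot map `{KEY}` into a service's environment, and the manifest fails validation before any credential is touched.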