@evolith/core-domain 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/domain/services/default-workflow-definition.js +1 -1
- package/dist/domain/services/default-workflow-definition.js.map +1 -1
- package/package.json +2 -1
- package/rulesets/README.es.md +170 -0
- package/rulesets/README.md +170 -0
- package/rulesets/acl/README.es.md +41 -0
- package/rulesets/acl/README.md +41 -0
- package/rulesets/acl/anti-corruption-layer.rules.es.json +99 -0
- package/rulesets/acl/anti-corruption-layer.rules.json +99 -0
- package/rulesets/adr/ADR_COVERAGE.es.md +133 -0
- package/rulesets/adr/ADR_COVERAGE.md +133 -0
- package/rulesets/adr/README.es.md +17 -0
- package/rulesets/adr/README.md +17 -0
- package/rulesets/adr/adr-0002-hexagonal-architecture.rules.json +103 -0
- package/rulesets/adr/adr-0005-cicd-quality-gates.rules.json +102 -0
- package/rulesets/adr/adr-0010-multi-tenancy.rules.json +129 -0
- package/rulesets/adr/adr-0018-testing-pyramid.rules.json +115 -0
- package/rulesets/adr/adr-0032-protocol-selection.rules.json +134 -0
- package/rulesets/adr/adr-0040-multi-runtime.rules.json +131 -0
- package/rulesets/adr/adr-0050-gitflow-branching.rules.json +176 -0
- package/rulesets/adr/generated/adr-0001-monorepo-orchestration-principle.rules.json +29 -0
- package/rulesets/adr/generated/adr-0006-microservices-transition-via-sidecar-pattern.rules.json +29 -0
- package/rulesets/adr/generated/adr-0009-strict-dependency-pinning-and-automated-vulnerability-manage.rules.json +29 -0
- package/rulesets/adr/generated/adr-0011-fault-tolerance-and-resiliency-patterns.rules.json +29 -0
- package/rulesets/adr/generated/adr-0013-cloud-infrastructure-topology-and-disaster-recovery-dr.rules.json +28 -0
- package/rulesets/adr/generated/adr-0014-multi-layer-distributed-caching-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0015-event-driven-architecture-eda-for-intra-domain-communication.rules.json +29 -0
- package/rulesets/adr/generated/adr-0016-immutable-business-audit-trail-and-change-tracking.rules.json +29 -0
- package/rulesets/adr/generated/adr-0017-feature-flagging-strategy-for-progressive-delivery.rules.json +28 -0
- package/rulesets/adr/generated/adr-0019-tactical-design-patterns-for-future-proofing.rules.json +29 -0
- package/rulesets/adr/generated/adr-0020-identity-provider-abstraction-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-0024-centralized-configuration-feature-platform.rules.json +28 -0
- package/rulesets/adr/generated/adr-0025-feature-flag-provider-abstraction-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0028-self-hosted-open-source-hybrid-infrastructure.rules.json +29 -0
- package/rulesets/adr/generated/adr-0030-two-tier-distributed-gateway-model.rules.json +28 -0
- package/rulesets/adr/generated/adr-0031-schema-per-bounded-context-and-domain-event-catalog.rules.json +29 -0
- package/rulesets/adr/generated/adr-0033-transactional-outbox-pattern-for-async-messaging.rules.json +28 -0
- package/rulesets/adr/generated/adr-0034-cqrs-pattern-application-matrix.rules.json +29 -0
- package/rulesets/adr/generated/adr-0035-distributed-saga-pattern-implementation-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0036-message-bus-delivery-flow-control-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0037-enterprise-performance-concurrency-chaos-verification-strate.rules.json +28 -0
- package/rulesets/adr/generated/adr-0039-deployment-topology-abstraction-environment-switcher.rules.json +29 -0
- package/rulesets/adr/generated/adr-0041-dual-engine-policy-evaluation-native-opa.rules.json +28 -0
- package/rulesets/adr/generated/adr-0044-configurable-security-persistence-strategy-agnosticism-vs-na.rules.json +29 -0
- package/rulesets/adr/generated/adr-0045-microservice-extraction-readiness-criteria.rules.json +29 -0
- package/rulesets/adr/generated/adr-0046-unified-traceability-via-w3c-tracecontext.rules.json +29 -0
- package/rulesets/adr/generated/adr-0047-progressive-architecture-evolution-framework-modular-monolit.rules.json +29 -0
- package/rulesets/adr/generated/adr-0048-enterprise-taxonomy-standardization-and-reference-layout.rules.json +28 -0
- package/rulesets/adr/generated/adr-0049-naming-semantics-clean-code-policy-e2e-and-global.rules.json +29 -0
- package/rulesets/adr/generated/adr-0051-enterprise-database-engine-selection-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0052-unit-testing-isolation-strategy-mocks-vs-stubs.rules.json +29 -0
- package/rulesets/adr/generated/adr-0053-integration-and-e2e-testing-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0054-database-design-and-normalization-standards.rules.json +29 -0
- package/rulesets/adr/generated/adr-0055-microfrontends-architecture-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-0056-enterprise-naming-design-conventions-multi-language-multi-pl.rules.json +29 -0
- package/rulesets/adr/generated/adr-0057-architecture-intelligence-catalog.rules.json +27 -0
- package/rulesets/adr/generated/adr-0058-ai-consumable-architecture-knowledge.rules.json +27 -0
- package/rulesets/adr/generated/adr-0067-modular-monolith-persistence-boundaries.rules.json +28 -0
- package/rulesets/adr/generated/adr-0068-documentation-release-gitflow.rules.json +29 -0
- package/rulesets/adr/generated/adr-0069-ai-agent-context-protocol-integration.rules.json +28 -0
- package/rulesets/adr/generated/adr-0070-lean-root-repository-taxonomy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0071-domain-layer-base-class-and-inheritance-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0072-utc-date-storage-browser-timezone-detection-and-language-res.rules.json +29 -0
- package/rulesets/adr/generated/adr-0073-unified-cli-mcp-output-contract-and-gate-evidence-schema.rules.json +29 -0
- package/rulesets/adr/generated/adr-0074-evolith-core-api-native-exposure-layer.rules.json +29 -0
- package/rulesets/adr/generated/adr-0075-core-api-authentication-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-0076-domain-oriented-microservice-architecture-doma.rules.json +28 -0
- package/rulesets/adr/generated/adr-0077-masstransit-v9-commercial-pivot-stay-on-v8-monitor-opentrans.rules.json +28 -0
- package/rulesets/adr/generated/adr-0078-domain-financial-separation-governance.rules.json +29 -0
- package/rulesets/adr/generated/adr-0079-multi-topology-reference-corpus-and-topology-manifest-contra.rules.json +29 -0
- package/rulesets/adr/generated/adr-0080-remote-repository-reference-contract.rules.json +29 -0
- package/rulesets/adr/generated/adr-0081-agentic-ai-sandbox-isolation-boundary.rules.json +29 -0
- package/rulesets/adr/generated/adr-0082-agentic-ai-prompt-context-and-tool-trust-boundary.rules.json +28 -0
- package/rulesets/adr/generated/adr-0083-agentic-ai-action-authorization-and-audit.rules.json +29 -0
- package/rulesets/adr/generated/adr-0084-data-mesh-and-data-as-a-product.rules.json +29 -0
- package/rulesets/adr/generated/adr-0085-agnostic-opa-wasm-distribution-architecture.rules.json +28 -0
- package/rulesets/adr/generated/adr-0086-agentic-ai-telemetry-cost-control-standard.rules.json +27 -0
- package/rulesets/adr/generated/adr-0087-attribute-based-access-control-abac-for-agentic-tool-executi.rules.json +29 -0
- package/rulesets/adr/generated/adr-0088-sovereign-identity-for-agentic-ai.rules.json +29 -0
- package/rulesets/adr/generated/adr-0089-event-driven-agentic-workflow-pattern.rules.json +28 -0
- package/rulesets/adr/generated/adr-0090-rag-knowledge-governance-standard.rules.json +29 -0
- package/rulesets/adr/generated/adr-0091-workload-identity-token-rotation-standard.rules.json +29 -0
- package/rulesets/adr/generated/adr-0092-agent-infinite-loop-prevention-and-circuit-breaker-rules.rules.json +29 -0
- package/rulesets/adr/generated/adr-0093-concurrency-control-and-resource-locking-standard-for-mcp-to.rules.json +29 -0
- package/rulesets/adr/generated/adr-0094-multi-agent-handoff-and-task-delegation-standards.rules.json +29 -0
- package/rulesets/adr/generated/adr-0095-serverless-architecture-governance.rules.json +29 -0
- package/rulesets/adr/generated/adr-0096-edge-computing-architecture-governance.rules.json +29 -0
- package/rulesets/adr/generated/adr-0097-knowledge-lifecycle-governance-standard.rules.json +29 -0
- package/rulesets/adr/generated/adr-0098-rest-uri-versioning-and-deprecation-policy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0099-opa-bundle-distribution-via-s3-minio.rules.json +27 -0
- package/rulesets/adr/generated/adr-ai-augmented-0001-harness-engineering-for-ai-augmented-development.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0002-mcp-integration-protocol-for-agent-tool-invocation.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0003-model-selection-governance-for-ai-augmented-workflows.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0004-agents-md-as-mandatory-repository-artifact.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0005-human-in-the-loop-policy-for-autonomous-agent-operations.rules.json +29 -0
- package/rulesets/adr/generated/adr-android-0042-canonical-android-native-mobile-architecture.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0041-canonical-net-c-backend-architecture.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0060-net-multi-tenancy-dual-layer-strategy-ef-core-sql-server.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0061-transactional-event-lifecycle-in-ef-core.rules.json +28 -0
- package/rulesets/adr/generated/adr-dotnet-0062-net-immutable-audit-trail-via-ddl-triggers-delta-capture.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0063-b2b-request-idempotency-middleware-in-asp-net-core.rules.json +28 -0
- package/rulesets/adr/generated/adr-dotnet-0064-net-request-scope-observability-context-propagation.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0065-net-pii-safe-structured-logging-pipeline-serilog.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0066-net-lightweight-http-idempotency-via-imemorycache-idistribut.rules.json +28 -0
- package/rulesets/adr/generated/adr-dotnet-0069-net-grpc-service-setup-protobuf-contracts.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0070-net-api-endpoint-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0071-net-data-access-strategy-ef-core-as-default-orm-dapper-for-o.rules.json +27 -0
- package/rulesets/adr/generated/adr-dotnet-0072-net-aop-cross-cutting-concern-strategy-dispatchproxy-over-pi.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0003-strict-typescript-standards.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0004-frontend-offline-resilience.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0007-observability-with-opentelemetry-loki-and-jaeger.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0008-progressive-multi-module-evolution-with-api-gateway-and-bff-.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0012-advanced-authorization-rbac-abac-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0021-high-performance-authentication-graph-compilation.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0022-contextual-authentication-and-pluggable-output-projections.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0023-centralized-authorization-core-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0026-adaptive-mfa-and-passwordless-platform.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0027-dual-protocol-api-strategy-rest-grpc.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0029-adoption-of-tactical-ddd-primitives-library.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0038-enterprise-error-handling-result-pattern-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0043-data-access-and-orm-strategy-for-node-js.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0044-frontend-clean-architecture-layer-boundaries-react.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0045-frontend-state-management-zustand-tanstack-query-dual-strate.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0046-prohibition-of-raw-technical-identifiers-in-user-interfaces.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0047-actionable-user-error-contract-and-correlated-diagnostics.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0048-feature-flag-system-scope-and-structured-criteria-model.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0074-monorepo-orchestration-with-nx.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0075-application-gateway-bff-with-nestjs.rules.json +29 -0
- package/rulesets/architecture/README.es.md +21 -0
- package/rulesets/architecture/README.md +21 -0
- package/rulesets/architecture/opa/progressive-axis.rego +50 -0
- package/rulesets/cli/README.es.md +17 -0
- package/rulesets/cli/README.md +17 -0
- package/rulesets/cli/core-parity.rules.json +61 -0
- package/rulesets/cli/release-readiness.rules.json +77 -0
- package/rulesets/compliance-baseline/README.es.md +26 -0
- package/rulesets/compliance-baseline/README.md +26 -0
- package/rulesets/compliance-baseline/compliance-baseline.rules.json +81 -0
- package/rulesets/contracts/README.es.md +19 -0
- package/rulesets/contracts/README.md +19 -0
- package/rulesets/contracts/evolith-machine-contracts.json +29 -0
- package/rulesets/contracts/fixtures/gate-evidence.success.json +10 -0
- package/rulesets/contracts/fixtures/output-envelope.success.json +23 -0
- package/rulesets/cross-cutting/README.es.md +14 -0
- package/rulesets/cross-cutting/README.md +14 -0
- package/rulesets/cross-cutting/compliance-baseline.rules.json +81 -0
- package/rulesets/cross-cutting/definition-of-done.rules.json +135 -0
- package/rulesets/cross-cutting/engineering-manifesto.rules.json +145 -0
- package/rulesets/cross-cutting/repository-taxonomy.rules.json +172 -0
- package/rulesets/definition-of-done/README.es.md +26 -0
- package/rulesets/definition-of-done/README.md +26 -0
- package/rulesets/definition-of-done/definition-of-done.rules.json +135 -0
- package/rulesets/engineering-manifesto/README.es.md +26 -0
- package/rulesets/engineering-manifesto/README.md +26 -0
- package/rulesets/engineering-manifesto/engineering-manifesto.rules.json +145 -0
- package/rulesets/evidence/README.es.md +12 -0
- package/rulesets/evidence/README.md +12 -0
- package/rulesets/evidence/evidence-manifest.rules.json +48 -0
- package/rulesets/executive-scorecards/executive-scorecards.rules.es.json +213 -0
- package/rulesets/executive-scorecards/executive-scorecards.rules.json +213 -0
- package/rulesets/governance/README.es.md +13 -0
- package/rulesets/governance/README.md +13 -0
- package/rulesets/governance/abac-mcp-access.rules.es.json +41 -0
- package/rulesets/governance/abac-mcp-access.rules.json +41 -0
- package/rulesets/governance/executive-scorecards.rules.es.json +213 -0
- package/rulesets/governance/executive-scorecards.rules.json +213 -0
- package/rulesets/governance/inheritance.rules.json +115 -0
- package/rulesets/governance/knowledge-intake.rules.json +18 -0
- package/rulesets/governance/open-core-boundary.rules.es.json +148 -0
- package/rulesets/governance/open-core-boundary.rules.json +148 -0
- package/rulesets/governance/satellite-contracts.rules.json +183 -0
- package/rulesets/infrastructure/helm-enforcement.rules.json +21 -0
- package/rulesets/infrastructure/opa/helm-enforcement.rego +25 -0
- package/rulesets/infrastructure/opa/helm-enforcement.test.rego +31 -0
- package/rulesets/infrastructure/opa/opa-sidecar-bundle.rego +115 -0
- package/rulesets/infrastructure/opa/opa-sidecar-bundle.test.rego +66 -0
- package/rulesets/infrastructure/opa-sidecar-bundle.rules.json +18 -0
- package/rulesets/mcp/README.es.md +12 -0
- package/rulesets/mcp/README.md +12 -0
- package/rulesets/mcp/protocol-compliance.rules.json +57 -0
- package/rulesets/observability/README.es.md +12 -0
- package/rulesets/observability/README.md +12 -0
- package/rulesets/observability/telemetry-evidence.rules.json +48 -0
- package/rulesets/opa/README.es.md +22 -0
- package/rulesets/opa/README.md +22 -0
- package/rulesets/opa/abac-mcp-tool-access.rego +122 -0
- package/rulesets/opa/abac-mcp-tool-access.test.rego +33 -0
- package/rulesets/opa/anti-corruption-layer.rego +39 -0
- package/rulesets/opa/anti-corruption-layer.test.rego +118 -0
- package/rulesets/opa/ci-cd.rego +41 -0
- package/rulesets/opa/ci-cd.test.rego +23 -0
- package/rulesets/opa/cicd-quality-gates.rego +29 -0
- package/rulesets/opa/cicd-quality-gates.test.rego +54 -0
- package/rulesets/opa/cli-core-parity.rego +17 -0
- package/rulesets/opa/cli-core-parity.test.rego +39 -0
- package/rulesets/opa/cli-readiness.rego +32 -0
- package/rulesets/opa/cli-readiness.test.rego +23 -0
- package/rulesets/opa/cli-release-readiness.rego +21 -0
- package/rulesets/opa/cli-release-readiness.test.rego +46 -0
- package/rulesets/opa/compliance-baseline.rego +95 -0
- package/rulesets/opa/compliance-baseline.test.rego +89 -0
- package/rulesets/opa/dod.rego +42 -0
- package/rulesets/opa/dod.test.rego +250 -0
- package/rulesets/opa/engineering-manifesto.rego +78 -0
- package/rulesets/opa/engineering-manifesto.test.rego +133 -0
- package/rulesets/opa/evidence.rego +64 -0
- package/rulesets/opa/evidence.test.rego +23 -0
- package/rulesets/opa/executive-scorecards.rego +41 -0
- package/rulesets/opa/executive-scorecards.test.rego +60 -0
- package/rulesets/opa/gitflow-branching.rego +41 -0
- package/rulesets/opa/gitflow-branching.test.rego +60 -0
- package/rulesets/opa/governance.rego +39 -0
- package/rulesets/opa/governance.test.rego +23 -0
- package/rulesets/opa/hexagonal-architecture.rego +33 -0
- package/rulesets/opa/hexagonal-architecture.test.rego +57 -0
- package/rulesets/opa/infrastructure/helm-enforcement.rego +33 -0
- package/rulesets/opa/infrastructure/opa-sidecar-bundle.rego +42 -0
- package/rulesets/opa/knowledge-intake.rego +98 -0
- package/rulesets/opa/knowledge-intake.test.rego +50 -0
- package/rulesets/opa/main.rego +147 -0
- package/rulesets/opa/main_test.rego +149 -0
- package/rulesets/opa/mcp.rego +61 -0
- package/rulesets/opa/mcp.test.rego +27 -0
- package/rulesets/opa/multi-runtime.rego +33 -0
- package/rulesets/opa/multi-runtime.test.rego +53 -0
- package/rulesets/opa/multi-tenancy.rego +33 -0
- package/rulesets/opa/multi-tenancy.test.rego +53 -0
- package/rulesets/opa/open-core-boundary.rego +33 -0
- package/rulesets/opa/open-core-boundary.test.rego +60 -0
- package/rulesets/opa/protocol-selection.rego +29 -0
- package/rulesets/opa/protocol-selection.test.rego +46 -0
- package/rulesets/opa/rbac/gate-role-enforcement.rego +112 -0
- package/rulesets/opa/repository-taxonomy.rego +98 -0
- package/rulesets/opa/repository-taxonomy.test.rego +91 -0
- package/rulesets/opa/satellite-contracts.rego +42 -0
- package/rulesets/opa/satellite-contracts.test.rego +70 -0
- package/rulesets/opa/schemas/abac-mcp-tool-access.input.schema.json +21 -0
- package/rulesets/opa/schemas/anti-corruption-layer.input.schema.json +25 -0
- package/rulesets/opa/schemas/ci-cd.input.schema.json +27 -0
- package/rulesets/opa/schemas/cicd-quality-gates.input.schema.json +33 -0
- package/rulesets/opa/schemas/cli-core-parity.input.schema.json +30 -0
- package/rulesets/opa/schemas/cli-readiness.input.schema.json +28 -0
- package/rulesets/opa/schemas/cli-release-readiness.input.schema.json +26 -0
- package/rulesets/opa/schemas/compliance-baseline.input.schema.json +25 -0
- package/rulesets/opa/schemas/dod.input.schema.json +38 -0
- package/rulesets/opa/schemas/engineering-manifesto.input.schema.json +24 -0
- package/rulesets/opa/schemas/evidence.input.schema.json +35 -0
- package/rulesets/opa/schemas/executive-scorecards.input.schema.json +36 -0
- package/rulesets/opa/schemas/gitflow-branching.input.schema.json +36 -0
- package/rulesets/opa/schemas/governance.input.schema.json +19 -0
- package/rulesets/opa/schemas/hexagonal-architecture.input.schema.json +46 -0
- package/rulesets/opa/schemas/knowledge-intake.input.schema.json +57 -0
- package/rulesets/opa/schemas/mcp.input.schema.json +38 -0
- package/rulesets/opa/schemas/multi-runtime.input.schema.json +27 -0
- package/rulesets/opa/schemas/multi-tenancy.input.schema.json +27 -0
- package/rulesets/opa/schemas/open-core-boundary.input.schema.json +36 -0
- package/rulesets/opa/schemas/protocol-selection.input.schema.json +26 -0
- package/rulesets/opa/schemas/repository-taxonomy.input.schema.json +18 -0
- package/rulesets/opa/schemas/satellite-contracts.input.schema.json +38 -0
- package/rulesets/opa/schemas/taxonomy.input.schema.json +27 -0
- package/rulesets/opa/schemas/testing-pyramid.input.schema.json +42 -0
- package/rulesets/opa/schemas/version-pinning.input.schema.json +39 -0
- package/rulesets/opa/sdlc/coverage.rego +49 -0
- package/rulesets/opa/sdlc/coverage.test.rego +29 -0
- package/rulesets/opa/sdlc/pyramid-distribution.rego +31 -0
- package/rulesets/opa/sdlc/pyramid-distribution.test.rego +33 -0
- package/rulesets/opa/taxonomy.rego +51 -0
- package/rulesets/opa/taxonomy.test.rego +28 -0
- package/rulesets/opa/telemetry-evidence.rego +102 -0
- package/rulesets/opa/testing-pyramid.rego +49 -0
- package/rulesets/opa/testing-pyramid.test.rego +81 -0
- package/rulesets/opa/version-pinning.rego +99 -0
- package/rulesets/opa/version-pinning.test.rego +28 -0
- package/rulesets/phase-gates/README.es.md +28 -0
- package/rulesets/phase-gates/README.md +28 -0
- package/rulesets/phase-gates/phase-gates.rules.json +297 -0
- package/rulesets/quality-thresholds/README.es.md +28 -0
- package/rulesets/quality-thresholds/README.md +28 -0
- package/rulesets/quality-thresholds/quality-thresholds.rules.json +96 -0
- package/rulesets/repository-taxonomy/README.es.md +26 -0
- package/rulesets/repository-taxonomy/README.md +26 -0
- package/rulesets/repository-taxonomy/repository-taxonomy.rules.json +172 -0
- package/rulesets/satellite-contracts/README.es.md +27 -0
- package/rulesets/satellite-contracts/README.md +27 -0
- package/rulesets/satellite-contracts/satellite-contracts.rules.json +183 -0
- package/rulesets/schema/README.es.md +39 -0
- package/rulesets/schema/README.md +39 -0
- package/rulesets/schema/adr.schema.json +138 -0
- package/rulesets/schema/agile-backlog.schema.json +91 -0
- package/rulesets/schema/ballpark-estimation.schema.json +109 -0
- package/rulesets/schema/build-vs-compose.schema.json +98 -0
- package/rulesets/schema/cli-impact-analysis.schema.json +114 -0
- package/rulesets/schema/discovery-canvas.schema.json +92 -0
- package/rulesets/schema/evolith-user-story.schema.json +105 -0
- package/rulesets/schema/evolith-yaml.schema.json +191 -0
- package/rulesets/schema/functional-story.schema.json +111 -0
- package/rulesets/schema/gate-evidence.schema.json +85 -0
- package/rulesets/schema/integration-evidence.schema.json +47 -0
- package/rulesets/schema/knowledge-intake.schema.json +67 -0
- package/rulesets/schema/knowledge-projection.schema.json +24 -0
- package/rulesets/schema/maturity-evidence.schema.json +59 -0
- package/rulesets/schema/observability-validation.schema.json +85 -0
- package/rulesets/schema/on-call-handoff.schema.json +91 -0
- package/rulesets/schema/output-envelope.schema.json +102 -0
- package/rulesets/schema/prd.schema.json +117 -0
- package/rulesets/schema/release-notes.schema.json +138 -0
- package/rulesets/schema/rollback-rehearsal.schema.json +73 -0
- package/rulesets/schema/ruleset-sdlc.schema.json +59 -0
- package/rulesets/schema/ruleset-standard.schema.json +73 -0
- package/rulesets/schema/security-scan-report.schema.json +79 -0
- package/rulesets/schema/source-registry.schema.json +51 -0
- package/rulesets/schema/technical-feasibility.schema.json +66 -0
- package/rulesets/schema/technical-story.schema.json +112 -0
- package/rulesets/schema/test-summary-report.schema.json +158 -0
- package/rulesets/schema/topology-composition.schema.json +43 -0
- package/rulesets/schema/topology-manifest.schema.json +421 -0
- package/rulesets/sdlc/README.es.md +12 -0
- package/rulesets/sdlc/README.md +12 -0
- package/rulesets/sdlc/default-workflow.yaml +73 -0
- package/rulesets/sdlc/dependency-pinning.rules.json +183 -0
- package/rulesets/sdlc/phase-gates.rules.json +297 -0
- package/rulesets/sdlc/quality-thresholds.rules.json +96 -0
- package/rulesets/topologies/README.es.md +42 -0
- package/rulesets/topologies/README.md +42 -0
- package/rulesets/topologies/agentic-ai/README.es.md +142 -0
- package/rulesets/topologies/agentic-ai/README.md +142 -0
- package/rulesets/topologies/agentic-ai/adoption.es.md +37 -0
- package/rulesets/topologies/agentic-ai/adoption.md +37 -0
- package/rulesets/topologies/agentic-ai/agent.config.schema.json +100 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.rego +46 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.rules.json +109 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.test.rego +68 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.wasm +0 -0
- package/rulesets/topologies/agentic-ai/cli/cli-flows.es.md +35 -0
- package/rulesets/topologies/agentic-ai/cli/cli-flows.md +45 -0
- package/rulesets/topologies/agentic-ai/evidence.es.md +25 -0
- package/rulesets/topologies/agentic-ai/evidence.md +25 -0
- package/rulesets/topologies/agentic-ai/evolution.es.md +26 -0
- package/rulesets/topologies/agentic-ai/evolution.md +26 -0
- package/rulesets/topologies/agentic-ai/fixtures/invalid-agent.config.json +48 -0
- package/rulesets/topologies/agentic-ai/fixtures/valid-agent.config.json +48 -0
- package/rulesets/topologies/agentic-ai/maturity.es.md +33 -0
- package/rulesets/topologies/agentic-ai/maturity.md +33 -0
- package/rulesets/topologies/agentic-ai/mcp/mcp-manifest.json +100 -0
- package/rulesets/topologies/agentic-ai/openapi/openapi.yaml +187 -0
- package/rulesets/topologies/agentic-ai/operations.es.md +32 -0
- package/rulesets/topologies/agentic-ai/operations.md +32 -0
- package/rulesets/topologies/agentic-ai/parity-fixtures/compliant.json +18 -0
- package/rulesets/topologies/agentic-ai/parity-fixtures/violation.json +22 -0
- package/rulesets/topologies/agentic-ai/patterns.es.md +32 -0
- package/rulesets/topologies/agentic-ai/patterns.md +32 -0
- package/rulesets/topologies/agentic-ai/resilience.es.md +26 -0
- package/rulesets/topologies/agentic-ai/resilience.md +26 -0
- package/rulesets/topologies/agentic-ai/runbooks.es.md +48 -0
- package/rulesets/topologies/agentic-ai/runbooks.md +48 -0
- package/rulesets/topologies/agentic-ai/security.es.md +26 -0
- package/rulesets/topologies/agentic-ai/security.md +26 -0
- package/rulesets/topologies/agentic-ai/topology.manifest.json +127 -0
- package/rulesets/topologies/data-mesh/README.es.md +69 -0
- package/rulesets/topologies/data-mesh/README.md +69 -0
- package/rulesets/topologies/data-mesh/adoption.es.md +95 -0
- package/rulesets/topologies/data-mesh/adoption.md +95 -0
- package/rulesets/topologies/data-mesh/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/data-mesh/cli/cli-flows.md +53 -0
- package/rulesets/topologies/data-mesh/data-mesh.rego +11 -0
- package/rulesets/topologies/data-mesh/data-mesh.rules.json +100 -0
- package/rulesets/topologies/data-mesh/data-mesh.test.rego +107 -0
- package/rulesets/topologies/data-mesh/data-mesh.wasm +0 -0
- package/rulesets/topologies/data-mesh/evidence.es.md +111 -0
- package/rulesets/topologies/data-mesh/evidence.md +111 -0
- package/rulesets/topologies/data-mesh/evolution.es.md +67 -0
- package/rulesets/topologies/data-mesh/evolution.md +67 -0
- package/rulesets/topologies/data-mesh/fixtures/invalid.topology.config.json +12 -0
- package/rulesets/topologies/data-mesh/fixtures/valid.topology.config.json +12 -0
- package/rulesets/topologies/data-mesh/maturity.es.md +36 -0
- package/rulesets/topologies/data-mesh/maturity.md +36 -0
- package/rulesets/topologies/data-mesh/mcp/mcp-manifest.json +68 -0
- package/rulesets/topologies/data-mesh/openapi/openapi.yaml +186 -0
- package/rulesets/topologies/data-mesh/operations.es.md +63 -0
- package/rulesets/topologies/data-mesh/operations.md +63 -0
- package/rulesets/topologies/data-mesh/parity-fixtures/compliant.json +18 -0
- package/rulesets/topologies/data-mesh/parity-fixtures/violation.json +21 -0
- package/rulesets/topologies/data-mesh/patterns.es.md +67 -0
- package/rulesets/topologies/data-mesh/patterns.md +67 -0
- package/rulesets/topologies/data-mesh/resilience.es.md +64 -0
- package/rulesets/topologies/data-mesh/resilience.md +64 -0
- package/rulesets/topologies/data-mesh/runbooks.es.md +147 -0
- package/rulesets/topologies/data-mesh/runbooks.md +147 -0
- package/rulesets/topologies/data-mesh/security.es.md +66 -0
- package/rulesets/topologies/data-mesh/security.md +66 -0
- package/rulesets/topologies/data-mesh/topology.config.schema.json +30 -0
- package/rulesets/topologies/data-mesh/topology.manifest.json +107 -0
- package/rulesets/topologies/edge-computing/README.es.md +81 -0
- package/rulesets/topologies/edge-computing/README.md +81 -0
- package/rulesets/topologies/edge-computing/adoption.es.md +268 -0
- package/rulesets/topologies/edge-computing/adoption.md +268 -0
- package/rulesets/topologies/edge-computing/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/edge-computing/cli/cli-flows.md +53 -0
- package/rulesets/topologies/edge-computing/edge-computing.rego +41 -0
- package/rulesets/topologies/edge-computing/edge-computing.rules.json +50 -0
- package/rulesets/topologies/edge-computing/edge-computing.test.rego +33 -0
- package/rulesets/topologies/edge-computing/edge-computing.wasm +0 -0
- package/rulesets/topologies/edge-computing/evidence.es.md +263 -0
- package/rulesets/topologies/edge-computing/evidence.md +263 -0
- package/rulesets/topologies/edge-computing/evolution.es.md +257 -0
- package/rulesets/topologies/edge-computing/evolution.md +257 -0
- package/rulesets/topologies/edge-computing/fixtures/invalid.topology.config.json +6 -0
- package/rulesets/topologies/edge-computing/fixtures/valid.topology.config.json +6 -0
- package/rulesets/topologies/edge-computing/maturity.es.md +36 -0
- package/rulesets/topologies/edge-computing/maturity.md +36 -0
- package/rulesets/topologies/edge-computing/mcp/mcp-manifest.json +72 -0
- package/rulesets/topologies/edge-computing/openapi/openapi.yaml +187 -0
- package/rulesets/topologies/edge-computing/operations.es.md +148 -0
- package/rulesets/topologies/edge-computing/operations.md +148 -0
- package/rulesets/topologies/edge-computing/parity-fixtures/compliant.json +12 -0
- package/rulesets/topologies/edge-computing/parity-fixtures/violation.json +13 -0
- package/rulesets/topologies/edge-computing/patterns.es.md +291 -0
- package/rulesets/topologies/edge-computing/patterns.md +290 -0
- package/rulesets/topologies/edge-computing/resilience.es.md +232 -0
- package/rulesets/topologies/edge-computing/resilience.md +229 -0
- package/rulesets/topologies/edge-computing/runbooks.es.md +405 -0
- package/rulesets/topologies/edge-computing/runbooks.md +405 -0
- package/rulesets/topologies/edge-computing/security.es.md +218 -0
- package/rulesets/topologies/edge-computing/security.md +218 -0
- package/rulesets/topologies/edge-computing/topology.config.schema.json +13 -0
- package/rulesets/topologies/edge-computing/topology.manifest.json +113 -0
- package/rulesets/topologies/event-driven/README.es.md +71 -0
- package/rulesets/topologies/event-driven/README.md +71 -0
- package/rulesets/topologies/event-driven/adoption.es.md +67 -0
- package/rulesets/topologies/event-driven/adoption.md +67 -0
- package/rulesets/topologies/event-driven/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/event-driven/cli/cli-flows.md +53 -0
- package/rulesets/topologies/event-driven/event-driven.rego +11 -0
- package/rulesets/topologies/event-driven/event-driven.rules.json +100 -0
- package/rulesets/topologies/event-driven/event-driven.test.rego +107 -0
- package/rulesets/topologies/event-driven/event-driven.wasm +0 -0
- package/rulesets/topologies/event-driven/evidence.es.md +69 -0
- package/rulesets/topologies/event-driven/evidence.md +69 -0
- package/rulesets/topologies/event-driven/evolution.es.md +59 -0
- package/rulesets/topologies/event-driven/evolution.md +59 -0
- package/rulesets/topologies/event-driven/fixtures/invalid.topology.config.json +12 -0
- package/rulesets/topologies/event-driven/fixtures/valid.topology.config.json +12 -0
- package/rulesets/topologies/event-driven/maturity.es.md +36 -0
- package/rulesets/topologies/event-driven/maturity.md +36 -0
- package/rulesets/topologies/event-driven/mcp/mcp-manifest.json +68 -0
- package/rulesets/topologies/event-driven/openapi/openapi.yaml +186 -0
- package/rulesets/topologies/event-driven/operations.es.md +67 -0
- package/rulesets/topologies/event-driven/operations.md +67 -0
- package/rulesets/topologies/event-driven/parity-fixtures/compliant.json +18 -0
- package/rulesets/topologies/event-driven/parity-fixtures/violation.json +21 -0
- package/rulesets/topologies/event-driven/patterns.es.md +68 -0
- package/rulesets/topologies/event-driven/patterns.md +68 -0
- package/rulesets/topologies/event-driven/resilience.es.md +65 -0
- package/rulesets/topologies/event-driven/resilience.md +65 -0
- package/rulesets/topologies/event-driven/runbooks.es.md +79 -0
- package/rulesets/topologies/event-driven/runbooks.md +79 -0
- package/rulesets/topologies/event-driven/security.es.md +59 -0
- package/rulesets/topologies/event-driven/security.md +59 -0
- package/rulesets/topologies/event-driven/topology.config.schema.json +30 -0
- package/rulesets/topologies/event-driven/topology.manifest.json +109 -0
- package/rulesets/topologies/progressive-axis/distributed-modules/distributed-modules.rules.es.json +111 -0
- package/rulesets/topologies/progressive-axis/distributed-modules/distributed-modules.rules.json +111 -0
- package/rulesets/topologies/progressive-axis/microservices/microservices.rules.es.json +106 -0
- package/rulesets/topologies/progressive-axis/microservices/microservices.rules.json +106 -0
- package/rulesets/topologies/progressive-axis/modular-monolith/modular-monolith.rules.es.json +148 -0
- package/rulesets/topologies/progressive-axis/modular-monolith/modular-monolith.rules.json +148 -0
- package/rulesets/topologies/serverless/README.es.md +74 -0
- package/rulesets/topologies/serverless/README.md +74 -0
- package/rulesets/topologies/serverless/adoption.es.md +50 -0
- package/rulesets/topologies/serverless/adoption.md +50 -0
- package/rulesets/topologies/serverless/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/serverless/cli/cli-flows.md +53 -0
- package/rulesets/topologies/serverless/evidence.es.md +66 -0
- package/rulesets/topologies/serverless/evidence.md +66 -0
- package/rulesets/topologies/serverless/evolution.es.md +36 -0
- package/rulesets/topologies/serverless/evolution.md +36 -0
- package/rulesets/topologies/serverless/fixtures/invalid.topology.config.json +6 -0
- package/rulesets/topologies/serverless/fixtures/valid.topology.config.json +6 -0
- package/rulesets/topologies/serverless/maturity.es.md +36 -0
- package/rulesets/topologies/serverless/maturity.md +36 -0
- package/rulesets/topologies/serverless/mcp/mcp-manifest.json +72 -0
- package/rulesets/topologies/serverless/openapi/openapi.yaml +186 -0
- package/rulesets/topologies/serverless/operations.es.md +36 -0
- package/rulesets/topologies/serverless/operations.md +36 -0
- package/rulesets/topologies/serverless/parity-fixtures/compliant.json +13 -0
- package/rulesets/topologies/serverless/parity-fixtures/violation.json +15 -0
- package/rulesets/topologies/serverless/patterns.es.md +36 -0
- package/rulesets/topologies/serverless/patterns.md +36 -0
- package/rulesets/topologies/serverless/resilience.es.md +36 -0
- package/rulesets/topologies/serverless/resilience.md +36 -0
- package/rulesets/topologies/serverless/runbooks.es.md +68 -0
- package/rulesets/topologies/serverless/runbooks.md +68 -0
- package/rulesets/topologies/serverless/security.es.md +36 -0
- package/rulesets/topologies/serverless/security.md +36 -0
- package/rulesets/topologies/serverless/serverless.rego +32 -0
- package/rulesets/topologies/serverless/serverless.rules.json +33 -0
- package/rulesets/topologies/serverless/serverless.test.rego +28 -0
- package/rulesets/topologies/serverless/serverless.wasm +0 -0
- package/rulesets/topologies/serverless/topology.config.schema.json +28 -0
- package/rulesets/topologies/serverless/topology.manifest.json +114 -0
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
# OPA Policies and Input Schemas
|
|
2
|
+
|
|
3
|
+
This directory contains the core Open Policy Agent (OPA) `.rego` policies used for architecture and governance validation in the Evolith platform.
|
|
4
|
+
|
|
5
|
+
Every OPA policy defines a formal contract for its input, backed by a versioned JSON Schema.
|
|
6
|
+
|
|
7
|
+
## OPA Policies and Schemas
|
|
8
|
+
|
|
9
|
+
| Policy File | Test File | Input JSON Schema | Description |
|
|
10
|
+
|---|---|---|---|
|
|
11
|
+
| [governance.rego](./governance.rego) | [governance.test.rego](./governance.test.rego) | [governance.input.schema.json](./schemas/governance.input.schema.json) | Verifies satellite inheritance boundaries and mandatory decisions. |
|
|
12
|
+
| [mcp.rego](./mcp.rego) | [mcp.test.rego](./mcp.test.rego) | [mcp.input.schema.json](./schemas/mcp.input.schema.json) | Verifies Model Context Protocol (MCP) compliance and smoke testing evidence. |
|
|
13
|
+
| [version-pinning.rego](./version-pinning.rego) | [version-pinning.test.rego](./version-pinning.test.rego) | [version-pinning.input.schema.json](./schemas/version-pinning.input.schema.json) | Enforces strict package dependency pinning rules. |
|
|
14
|
+
| [cli-readiness.rego](./cli-readiness.rego) | [cli-readiness.test.rego](./cli-readiness.test.rego) | [cli-readiness.input.schema.json](./schemas/cli-readiness.input.schema.json) | Validates Smart CLI compilation, documentation, and lock file readiness. |
|
|
15
|
+
| [knowledge-intake.rego](./knowledge-intake.rego) | [knowledge-intake.test.rego](./knowledge-intake.test.rego) | [knowledge-intake.input.schema.json](./schemas/knowledge-intake.input.schema.json) | Governs the intake lifecycle, review status, and topology matching of external knowledge. |
|
|
16
|
+
| [taxonomy.rego](./taxonomy.rego) | [taxonomy.test.rego](./taxonomy.test.rego) | [taxonomy.input.schema.json](./schemas/taxonomy.input.schema.json) | Validates repository directory taxonomy, ADR file names, and bilingual pairs. |
|
|
17
|
+
| [ci-cd.rego](./ci-cd.rego) | [ci-cd.test.rego](./ci-cd.test.rego) | [ci-cd.input.schema.json](./schemas/ci-cd.input.schema.json) | Asserts that dependency scanning, workflow scripts, and dependency updates are present. |
|
|
18
|
+
| [evidence.rego](./evidence.rego) | [evidence.test.rego](./evidence.test.rego) | [evidence.input.schema.json](./schemas/evidence.input.schema.json) | Validates the schema, retention periods, and ownership of gate evidence artifacts. |
|
|
19
|
+
| [abac-mcp-tool-access.rego](./abac-mcp-tool-access.rego) | [abac-mcp-tool-access.test.rego](./abac-mcp-tool-access.test.rego) | [abac-mcp-tool-access.input.schema.json](./schemas/abac-mcp-tool-access.input.schema.json) | Restricts Model Context Protocol (MCP) tool execution by role, action, and environment. |
|
|
20
|
+
|
|
21
|
+
---
|
|
22
|
+
[Back to Rulesets Hub](../README.md)
|
|
@@ -0,0 +1,122 @@
|
|
|
1
|
+
# ABAC Policy for Agentic MCP Tool Execution
|
|
2
|
+
# Reference implementation for ADR-0087
|
|
3
|
+
# Dual-Engine Parity: This policy mirrors the TypeScript ABAC evaluator
|
|
4
|
+
#
|
|
5
|
+
# Input schema:
|
|
6
|
+
# {
|
|
7
|
+
# "user": { "id": string, "roles": [string], "tenant": string },
|
|
8
|
+
# "tool_name": string,
|
|
9
|
+
# "resource_domain": string,
|
|
10
|
+
# "environment": string
|
|
11
|
+
# }
|
|
12
|
+
|
|
13
|
+
package evolith.abac
|
|
14
|
+
|
|
15
|
+
import rego.v1
|
|
16
|
+
|
|
17
|
+
# ---------------------------------------------------------------------------
|
|
18
|
+
# Role hierarchy
|
|
19
|
+
# ---------------------------------------------------------------------------
|
|
20
|
+
read_only_roles := {"viewer", "auditor"}
|
|
21
|
+
developer_roles := {"developer", "qa"}
|
|
22
|
+
operator_roles := {"operator", "sre"}
|
|
23
|
+
architect_roles := {"architect", "admin"}
|
|
24
|
+
|
|
25
|
+
# ---------------------------------------------------------------------------
|
|
26
|
+
# Tool classification
|
|
27
|
+
# ---------------------------------------------------------------------------
|
|
28
|
+
read_tools := {
|
|
29
|
+
"evolith-ping",
|
|
30
|
+
"evolith-echo",
|
|
31
|
+
"evolith-read-gap-tracking",
|
|
32
|
+
"evolith-read-file",
|
|
33
|
+
"evolith-list-dir",
|
|
34
|
+
"evolith-gate-evaluate",
|
|
35
|
+
"evolith-gate-status"
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
write_tools := {
|
|
39
|
+
"evolith-write-file",
|
|
40
|
+
"evolith-replace-file",
|
|
41
|
+
"evolith-run-command"
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
deploy_tools := {
|
|
45
|
+
"evolith-deploy",
|
|
46
|
+
"evolith-merge-branch",
|
|
47
|
+
"evolith-publish-release"
|
|
48
|
+
}
|
|
49
|
+
|
|
50
|
+
# ---------------------------------------------------------------------------
|
|
51
|
+
# Helper: check if the user holds at least one of the allowed roles
|
|
52
|
+
# ---------------------------------------------------------------------------
|
|
53
|
+
user_has_role(allowed_roles) if {
|
|
54
|
+
role := input.user.roles[_]
|
|
55
|
+
allowed_roles[role]
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
# ---------------------------------------------------------------------------
|
|
59
|
+
# ABAC decision rules
|
|
60
|
+
# ---------------------------------------------------------------------------
|
|
61
|
+
|
|
62
|
+
# Allow read tools for ALL authenticated users
|
|
63
|
+
allow if {
|
|
64
|
+
read_tools[input.tool_name]
|
|
65
|
+
count(input.user.roles) > 0
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
# Allow write tools for operator and architect roles
|
|
69
|
+
allow if {
|
|
70
|
+
write_tools[input.tool_name]
|
|
71
|
+
user_has_role(operator_roles | architect_roles)
|
|
72
|
+
}
|
|
73
|
+
|
|
74
|
+
# Allow write tools in non-production environments for developers
|
|
75
|
+
allow if {
|
|
76
|
+
write_tools[input.tool_name]
|
|
77
|
+
user_has_role(developer_roles)
|
|
78
|
+
input.environment != "production"
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
# Allow deploy tools ONLY for architects and operators
|
|
82
|
+
allow if {
|
|
83
|
+
deploy_tools[input.tool_name]
|
|
84
|
+
user_has_role(architect_roles | operator_roles)
|
|
85
|
+
}
|
|
86
|
+
|
|
87
|
+
# Block ALL deploy tools in production unless user is architect
|
|
88
|
+
deny if {
|
|
89
|
+
deploy_tools[input.tool_name]
|
|
90
|
+
input.environment == "production"
|
|
91
|
+
not user_has_role(architect_roles)
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
# ---------------------------------------------------------------------------
|
|
95
|
+
# Violations: deny overrides allow
|
|
96
|
+
# ---------------------------------------------------------------------------
|
|
97
|
+
|
|
98
|
+
violations contains {"id": "ABAC-01", "message": msg} if {
|
|
99
|
+
deny
|
|
100
|
+
msg := sprintf(
|
|
101
|
+
"Tool '%v' explicitly denied for user '%v' with roles %v in environment '%v'",
|
|
102
|
+
[input.tool_name, input.user.id, input.user.roles, input.environment]
|
|
103
|
+
)
|
|
104
|
+
}
|
|
105
|
+
|
|
106
|
+
violations contains {"id": "ABAC-01", "message": msg} if {
|
|
107
|
+
not allow
|
|
108
|
+
msg := sprintf(
|
|
109
|
+
"Tool '%v' not allowed for user '%v' with roles %v in environment '%v'",
|
|
110
|
+
[input.tool_name, input.user.id, input.user.roles, input.environment]
|
|
111
|
+
)
|
|
112
|
+
}
|
|
113
|
+
|
|
114
|
+
violations contains {"id": "ABAC-02", "message": "No roles present on user context; all tool calls denied"} if {
|
|
115
|
+
count(input.user.roles) == 0
|
|
116
|
+
}
|
|
117
|
+
|
|
118
|
+
violations contains {"id": "ABAC-03", "message": "Unknown tool requested; not in any known classification"} if {
|
|
119
|
+
not read_tools[input.tool_name]
|
|
120
|
+
not write_tools[input.tool_name]
|
|
121
|
+
not deploy_tools[input.tool_name]
|
|
122
|
+
}
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
package evolith.abac_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.abac
|
|
4
|
+
|
|
5
|
+
test_architect_can_deploy_in_production {
|
|
6
|
+
violations := abac.violations with input as {"user": {"id": "arch-1", "roles": ["architect"], "tenant": "evolith"}, "tool_name": "evolith-deploy", "resource_domain": "core", "environment": "production"}
|
|
7
|
+
count(violations) == 0
|
|
8
|
+
}
|
|
9
|
+
|
|
10
|
+
test_viewer_cannot_write {
|
|
11
|
+
violations := abac.violations with input as {"user": {"id": "viewer-1", "roles": ["viewer"], "tenant": "evolith"}, "tool_name": "evolith-write-file", "resource_domain": "core", "environment": "production"}
|
|
12
|
+
violations[_].id == "ABAC-01"
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
test_empty_roles_is_rejected {
|
|
16
|
+
violations := abac.violations with input as {"user": {"id": "anon", "roles": [], "tenant": "evolith"}, "tool_name": "evolith-ping", "resource_domain": "core", "environment": "production"}
|
|
17
|
+
violations[_].id == "ABAC-02"
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
test_unknown_tool_is_rejected {
|
|
21
|
+
violations := abac.violations with input as {"user": {"id": "arch-1", "roles": ["architect"], "tenant": "evolith"}, "tool_name": "evolith-unknown-tool", "resource_domain": "core", "environment": "production"}
|
|
22
|
+
violations[_].id == "ABAC-03"
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
test_developer_can_write_in_non_production {
|
|
26
|
+
violations := abac.violations with input as {"user": {"id": "dev-1", "roles": ["developer"], "tenant": "evolith"}, "tool_name": "evolith-write-file", "resource_domain": "core", "environment": "staging"}
|
|
27
|
+
count(violations) == 0
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
test_operator_cannot_deploy_in_production {
|
|
31
|
+
violations := abac.violations with input as {"user": {"id": "op-1", "roles": ["operator"], "tenant": "evolith"}, "tool_name": "evolith-deploy", "resource_domain": "core", "environment": "production"}
|
|
32
|
+
violations[_].id == "ABAC-01"
|
|
33
|
+
}
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
package evolith.acl
|
|
2
|
+
|
|
3
|
+
violations[{"id": "ACL-01", "message": "Adapter must pass schema validation before ingestion"}] {
|
|
4
|
+
not input.adapter.schemaValidated
|
|
5
|
+
}
|
|
6
|
+
|
|
7
|
+
violations[{"id": "ACL-02", "message": "Adapter transformations must be traceable to original source"}] {
|
|
8
|
+
not input.adapter.transformationTraceable
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
violations[{"id": "ACL-03", "message": "Adapter must not perform silent normalization of external data"}] {
|
|
12
|
+
input.adapter.silentNormalization
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
violations[{"id": "ACL-04", "message": "Adapter must declare coreCompatibilityVersion"}] {
|
|
16
|
+
not input.adapter.coreCompatibilityVersion
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
violations[{"id": "ACL-04", "message": "Adapter coreCompatibilityVersion must be a non-empty string"}] {
|
|
20
|
+
val := input.adapter.coreCompatibilityVersion
|
|
21
|
+
not is_string(val)
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
violations[{"id": "ACL-04", "message": "Adapter coreCompatibilityVersion must be a non-empty string"}] {
|
|
25
|
+
val := input.adapter.coreCompatibilityVersion
|
|
26
|
+
is_string(val)
|
|
27
|
+
count(val) == 0
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
violations[{"id": "ACL-05", "message": "Adapter must not expose raw external domain objects to Core — all external types must be mapped to Core domain types before crossing the boundary"}] {
|
|
31
|
+
input.adapter.exposesRawExternalTypes
|
|
32
|
+
}
|
|
33
|
+
|
|
34
|
+
violations[{"id": "ACL-06", "message": "ACL adapter must be located in 'adapter' or 'infrastructure' path, not domain"}] {
|
|
35
|
+
loc := lower(input.adapter.location)
|
|
36
|
+
not contains(loc, "/adapter")
|
|
37
|
+
not contains(loc, "/adapters")
|
|
38
|
+
not contains(loc, "/infrastructure")
|
|
39
|
+
}
|
|
@@ -0,0 +1,118 @@
|
|
|
1
|
+
package evolith.acl_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.acl
|
|
4
|
+
|
|
5
|
+
test_compliant_adapter_has_no_violations {
|
|
6
|
+
violations := acl.violations with input as {
|
|
7
|
+
"adapter": {
|
|
8
|
+
"schemaValidated": true,
|
|
9
|
+
"transformationTraceable": true,
|
|
10
|
+
"silentNormalization": false,
|
|
11
|
+
"coreCompatibilityVersion": "1.0.0",
|
|
12
|
+
"location": "src/Infrastructure/Adapters/jira-adapter.ts"
|
|
13
|
+
}
|
|
14
|
+
}
|
|
15
|
+
count(violations) == 0
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
test_schema_not_validated_is_violation {
|
|
19
|
+
violations := acl.violations with input as {
|
|
20
|
+
"adapter": {
|
|
21
|
+
"schemaValidated": false,
|
|
22
|
+
"transformationTraceable": true,
|
|
23
|
+
"silentNormalization": false,
|
|
24
|
+
"coreCompatibilityVersion": "1.0.0",
|
|
25
|
+
"location": "src/Infrastructure/Adapters/jira-adapter.ts"
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
violations[_].id == "ACL-01"
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
test_transformation_not_traceable_is_violation {
|
|
32
|
+
violations := acl.violations with input as {
|
|
33
|
+
"adapter": {
|
|
34
|
+
"schemaValidated": true,
|
|
35
|
+
"transformationTraceable": false,
|
|
36
|
+
"silentNormalization": false,
|
|
37
|
+
"coreCompatibilityVersion": "1.0.0",
|
|
38
|
+
"location": "src/Infrastructure/Adapters/jira-adapter.ts"
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
violations[_].id == "ACL-02"
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
test_silent_normalization_is_violation {
|
|
45
|
+
violations := acl.violations with input as {
|
|
46
|
+
"adapter": {
|
|
47
|
+
"schemaValidated": true,
|
|
48
|
+
"transformationTraceable": true,
|
|
49
|
+
"silentNormalization": true,
|
|
50
|
+
"coreCompatibilityVersion": "1.0.0",
|
|
51
|
+
"location": "src/Infrastructure/Adapters/jira-adapter.ts"
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
violations[_].id == "ACL-03"
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
test_missing_core_compatibility_version_is_violation {
|
|
58
|
+
violations := acl.violations with input as {
|
|
59
|
+
"adapter": {
|
|
60
|
+
"schemaValidated": true,
|
|
61
|
+
"transformationTraceable": true,
|
|
62
|
+
"silentNormalization": false,
|
|
63
|
+
"location": "src/Infrastructure/Adapters/jira-adapter.ts"
|
|
64
|
+
}
|
|
65
|
+
}
|
|
66
|
+
violations[_].id == "ACL-04"
|
|
67
|
+
}
|
|
68
|
+
|
|
69
|
+
test_empty_core_compatibility_version_is_violation {
|
|
70
|
+
violations := acl.violations with input as {
|
|
71
|
+
"adapter": {
|
|
72
|
+
"schemaValidated": true,
|
|
73
|
+
"transformationTraceable": true,
|
|
74
|
+
"silentNormalization": false,
|
|
75
|
+
"coreCompatibilityVersion": "",
|
|
76
|
+
"location": "src/Infrastructure/Adapters/jira-adapter.ts"
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
violations[_].id == "ACL-04"
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
test_adapter_in_domain_path_is_violation {
|
|
83
|
+
violations := acl.violations with input as {
|
|
84
|
+
"adapter": {
|
|
85
|
+
"schemaValidated": true,
|
|
86
|
+
"transformationTraceable": true,
|
|
87
|
+
"silentNormalization": false,
|
|
88
|
+
"coreCompatibilityVersion": "1.0.0",
|
|
89
|
+
"location": "src/Domain/jira-adapter.ts"
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
violations[_].id == "ACL-06"
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
test_adapter_in_infrastructure_path_is_not_violation {
|
|
96
|
+
violations := acl.violations with input as {
|
|
97
|
+
"adapter": {
|
|
98
|
+
"schemaValidated": true,
|
|
99
|
+
"transformationTraceable": true,
|
|
100
|
+
"silentNormalization": false,
|
|
101
|
+
"coreCompatibilityVersion": "1.0.0",
|
|
102
|
+
"location": "src/Infrastructure/Adapters/jira-adapter.ts"
|
|
103
|
+
}
|
|
104
|
+
}
|
|
105
|
+
count(violations) == 0
|
|
106
|
+
}
|
|
107
|
+
|
|
108
|
+
test_all_violations_detected {
|
|
109
|
+
violations := acl.violations with input as {
|
|
110
|
+
"adapter": {
|
|
111
|
+
"schemaValidated": false,
|
|
112
|
+
"transformationTraceable": false,
|
|
113
|
+
"silentNormalization": true,
|
|
114
|
+
"location": "src/Domain/jira-adapter.ts"
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
count(violations) >= 4
|
|
118
|
+
}
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
package evolith.ci_cd
|
|
2
|
+
|
|
3
|
+
violations[{"id": "DEP-04", "message": "package-lock.json not found at project or workspace root"}] {
|
|
4
|
+
not input.satellite.hasPackageLock
|
|
5
|
+
not input.core.hasPackageLock
|
|
6
|
+
}
|
|
7
|
+
|
|
8
|
+
workflows_with_ci := [name | content := input.satellite.workflows[name]; contains(content, "npm ci")]
|
|
9
|
+
violations[{"id": "DEP-05", "message": "No .github/workflows directory found"}] {
|
|
10
|
+
count(input.satellite.workflows) == 0
|
|
11
|
+
}
|
|
12
|
+
|
|
13
|
+
violations[{"id": "DEP-05", "message": "CI workflow does not use \"npm ci\""}] {
|
|
14
|
+
count(input.satellite.workflows) > 0
|
|
15
|
+
count(workflows_with_ci) == 0
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
workflows_with_audit := [name | content := input.satellite.workflows[name]; contains(content, "npm audit")]
|
|
19
|
+
violations[{"id": "DEP-06", "message": "No .github/workflows directory found"}] {
|
|
20
|
+
count(input.satellite.workflows) == 0
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
violations[{"id": "DEP-06", "message": "CI workflow does not run \"npm audit\""}] {
|
|
24
|
+
count(input.satellite.workflows) > 0
|
|
25
|
+
count(workflows_with_audit) == 0
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
violations[{"id": "DEP-07", "message": "No .github/workflows directory found"}] {
|
|
29
|
+
count(input.satellite.workflows) == 0
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
violations[{"id": "DEP-07", "message": "CI workflow does not run \"npm audit\""}] {
|
|
33
|
+
count(input.satellite.workflows) > 0
|
|
34
|
+
count(workflows_with_audit) == 0
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
violations[{"id": "DEP-09", "message": "No .github/dependabot.yml or .renovaterc.json found"}] {
|
|
38
|
+
not input.satellite.hasDependabot
|
|
39
|
+
not input.satellite.hasRenovate
|
|
40
|
+
not input.core.hasDependabot
|
|
41
|
+
}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
package evolith.ci_cd_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.ci_cd
|
|
4
|
+
|
|
5
|
+
test_ci_compliant_project_has_no_violations {
|
|
6
|
+
violations := ci_cd.violations with input as {"satellite": {"hasPackageLock": true, "workflows": {"ci.yml": "npm ci\ntests", "audit.yml": "npm audit"}, "hasDependabot": true}, "core": {"hasPackageLock": true}}
|
|
7
|
+
count(violations) == 0
|
|
8
|
+
}
|
|
9
|
+
|
|
10
|
+
test_missing_package_lock_is_rejected {
|
|
11
|
+
violations := ci_cd.violations with input as {"satellite": {"hasPackageLock": false, "workflows": {}, "hasDependabot": false}, "core": {"hasPackageLock": false}}
|
|
12
|
+
violations[_].id == "DEP-04"
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
test_missing_npm_ci_in_workflow_is_rejected {
|
|
16
|
+
violations := ci_cd.violations with input as {"satellite": {"hasPackageLock": true, "workflows": {"ci.yml": "npm install"}, "hasDependabot": true}, "core": {"hasPackageLock": true}}
|
|
17
|
+
violations[_].id == "DEP-05"
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
test_missing_dependabot_is_rejected {
|
|
21
|
+
violations := ci_cd.violations with input as {"satellite": {"hasPackageLock": true, "workflows": {"ci.yml": "npm ci"}, "hasDependabot": false, "hasRenovate": false}, "core": {"hasPackageLock": true, "hasDependabot": false}}
|
|
22
|
+
violations[_].id == "DEP-09"
|
|
23
|
+
}
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
package evolith.cicd_quality_gates
|
|
2
|
+
|
|
3
|
+
violations[{"id": "CICD-01", "message": "CodeQL static analysis not configured in CI pipeline"}] {
|
|
4
|
+
not input.satellite.ci.hasCodeql
|
|
5
|
+
}
|
|
6
|
+
|
|
7
|
+
violations[{"id": "CICD-02", "message": "Dependency vulnerability audit not configured in CI pipeline"}] {
|
|
8
|
+
not input.satellite.ci.hasDependencyAudit
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
violations[{"id": "CICD-03", "message": "Secret detection not enabled on repository"}] {
|
|
12
|
+
not input.satellite.ci.hasSecretDetection
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
violations[{"id": "CICD-04", "message": "Not all quality gates are required before merge"}] {
|
|
16
|
+
not input.satellite.ci.gatesRequiredBeforeMerge
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
violations[{"id": "CICD-05", "message": "Security findings without documented justification or accepted risk — all findings must have a linked justification or resolution ticket"}] {
|
|
20
|
+
input.satellite.findings.hasUnjustifiedSecurityFindings
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
violations[{"id": "CICD-06", "message": "Critical findings SLA (24h) not tracked in issue tracker"}] {
|
|
24
|
+
input.satellite.findings.criticalAgeHours > 24
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
violations[{"id": "CICD-07", "message": "High findings SLA (72h) not tracked in issue tracker"}] {
|
|
28
|
+
input.satellite.findings.highAgeHours > 72
|
|
29
|
+
}
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
package evolith.cicd_quality_gates_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.cicd_quality_gates
|
|
4
|
+
|
|
5
|
+
compliant_input := {"satellite": {
|
|
6
|
+
"ci": {
|
|
7
|
+
"hasCodeql": true,
|
|
8
|
+
"hasDependencyAudit": true,
|
|
9
|
+
"hasSecretDetection": true,
|
|
10
|
+
"gatesRequiredBeforeMerge": true,
|
|
11
|
+
},
|
|
12
|
+
"findings": {"criticalAgeHours": 12, "highAgeHours": 48},
|
|
13
|
+
}}
|
|
14
|
+
|
|
15
|
+
test_compliant_ci_cd_gates_has_no_violations {
|
|
16
|
+
violations := cicd_quality_gates.violations with input as compliant_input
|
|
17
|
+
count(violations) == 0
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
test_missing_codeql_is_rejected {
|
|
21
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/ci/hasCodeql", "value": false}])
|
|
22
|
+
violations := cicd_quality_gates.violations with input as i
|
|
23
|
+
violations[_].id == "CICD-01"
|
|
24
|
+
}
|
|
25
|
+
|
|
26
|
+
test_missing_dependency_audit_is_rejected {
|
|
27
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/ci/hasDependencyAudit", "value": false}])
|
|
28
|
+
violations := cicd_quality_gates.violations with input as i
|
|
29
|
+
violations[_].id == "CICD-02"
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
test_missing_secret_detection_is_rejected {
|
|
33
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/ci/hasSecretDetection", "value": false}])
|
|
34
|
+
violations := cicd_quality_gates.violations with input as i
|
|
35
|
+
violations[_].id == "CICD-03"
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
test_gates_not_required_before_merge_is_rejected {
|
|
39
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/ci/gatesRequiredBeforeMerge", "value": false}])
|
|
40
|
+
violations := cicd_quality_gates.violations with input as i
|
|
41
|
+
violations[_].id == "CICD-04"
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
test_critical_sla_breach_is_rejected {
|
|
45
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/findings/criticalAgeHours", "value": 48}])
|
|
46
|
+
violations := cicd_quality_gates.violations with input as i
|
|
47
|
+
violations[_].id == "CICD-06"
|
|
48
|
+
}
|
|
49
|
+
|
|
50
|
+
test_high_sla_breach_is_rejected {
|
|
51
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/findings/highAgeHours", "value": 100}])
|
|
52
|
+
violations := cicd_quality_gates.violations with input as i
|
|
53
|
+
violations[_].id == "CICD-07"
|
|
54
|
+
}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
package evolith.cli_core_parity
|
|
2
|
+
|
|
3
|
+
violations[{"id": "CLI-PAR-01", "message": "Executable Core rule missing parity record (CLI status, MCP status, test status, evidence status)"}] {
|
|
4
|
+
input.satellite.coreParity.ruleWithoutParityRecord
|
|
5
|
+
}
|
|
6
|
+
|
|
7
|
+
violations[{"id": "CLI-PAR-02", "message": "CLI and MCP implement divergent business logic for same capability"}] {
|
|
8
|
+
input.satellite.coreParity.divergentValidationLogic
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
violations[{"id": "CLI-PAR-03", "message": "CLI and MCP return inconsistent results for same validation request"}] {
|
|
12
|
+
input.satellite.coreParity.inconsistentResults
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
violations[{"id": "CLI-PAR-04", "message": "Parity gap not documented with owner, priority, and planned closure date"}] {
|
|
16
|
+
input.satellite.coreParity.undocumentedParityGap
|
|
17
|
+
}
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
package evolith.cli_core_parity_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.cli_core_parity
|
|
4
|
+
|
|
5
|
+
compliant_input := {"satellite": {"coreParity": {
|
|
6
|
+
"ruleWithoutParityRecord": false,
|
|
7
|
+
"divergentValidationLogic": false,
|
|
8
|
+
"inconsistentResults": false,
|
|
9
|
+
"undocumentedParityGap": false,
|
|
10
|
+
}}}
|
|
11
|
+
|
|
12
|
+
test_compliant_core_parity_has_no_violations {
|
|
13
|
+
violations := cli_core_parity.violations with input as compliant_input
|
|
14
|
+
count(violations) == 0
|
|
15
|
+
}
|
|
16
|
+
|
|
17
|
+
test_rule_without_parity_record_is_rejected {
|
|
18
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/coreParity/ruleWithoutParityRecord", "value": true}])
|
|
19
|
+
violations := cli_core_parity.violations with input as i
|
|
20
|
+
violations[_].id == "CLI-PAR-01"
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
test_divergent_logic_is_rejected {
|
|
24
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/coreParity/divergentValidationLogic", "value": true}])
|
|
25
|
+
violations := cli_core_parity.violations with input as i
|
|
26
|
+
violations[_].id == "CLI-PAR-02"
|
|
27
|
+
}
|
|
28
|
+
|
|
29
|
+
test_inconsistent_results_is_rejected {
|
|
30
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/coreParity/inconsistentResults", "value": true}])
|
|
31
|
+
violations := cli_core_parity.violations with input as i
|
|
32
|
+
violations[_].id == "CLI-PAR-03"
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
test_undocumented_parity_gap_is_rejected {
|
|
36
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/coreParity/undocumentedParityGap", "value": true}])
|
|
37
|
+
violations := cli_core_parity.violations with input as i
|
|
38
|
+
violations[_].id == "CLI-PAR-04"
|
|
39
|
+
}
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
package evolith.cli_readiness
|
|
2
|
+
|
|
3
|
+
violations[{"id": "CLI-RR-01", "message": "dist/main.js not found — run npm run build in sdk/cli"}] {
|
|
4
|
+
not input.core.cli.hasMainJs
|
|
5
|
+
}
|
|
6
|
+
|
|
7
|
+
violations[{"id": "CLI-RR-02", "message": "No compiled spec files in dist/ — run npm test to confirm"}] {
|
|
8
|
+
not input.core.cli.hasTests
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
violations[{"id": "CLI-RR-03", "message": "package-lock.json not found"}] {
|
|
12
|
+
not input.core.hasPackageLock
|
|
13
|
+
not input.core.cli.hasPackageLock
|
|
14
|
+
}
|
|
15
|
+
|
|
16
|
+
violations[{"id": "CLI-RR-04", "message": "No MCP smoke evidence found in .harness/evidence/"}] {
|
|
17
|
+
smoke_keys := [k | input.core.evidence[k]; contains(k, "mcp")]
|
|
18
|
+
count(smoke_keys) == 0
|
|
19
|
+
}
|
|
20
|
+
|
|
21
|
+
violations[{"id": "CLI-RR-04", "message": sprintf("MCP smoke evidence status: %v", [status])}] {
|
|
22
|
+
smoke_keys := [k | input.core.evidence[k]; contains(k, "mcp")]
|
|
23
|
+
count(smoke_keys) > 0
|
|
24
|
+
smoke := input.core.evidence[smoke_keys[0]]
|
|
25
|
+
status := smoke.status
|
|
26
|
+
status != "passed"
|
|
27
|
+
}
|
|
28
|
+
|
|
29
|
+
violations[{"id": "CLI-RR-05", "message": "CLI missing README.md or ARCHITECTURE.md"}] {
|
|
30
|
+
not input.core.cli.hasReadme
|
|
31
|
+
not input.core.cli.hasArchitectureMd
|
|
32
|
+
}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
package evolith.cli_readiness_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.cli_readiness
|
|
4
|
+
|
|
5
|
+
test_cli_ready_has_no_violations {
|
|
6
|
+
violations := cli_readiness.violations with input as {"core": {"cli": {"hasMainJs": true, "hasTests": true, "hasPackageLock": true, "hasReadme": true, "hasArchitectureMd": true}, "hasPackageLock": true, "evidence": {"mcp-smoke.json": {"status": "passed"}}}}
|
|
7
|
+
count(violations) == 0
|
|
8
|
+
}
|
|
9
|
+
|
|
10
|
+
test_missing_main_js_is_rejected {
|
|
11
|
+
violations := cli_readiness.violations with input as {"core": {"cli": {"hasMainJs": false, "hasTests": false, "hasPackageLock": false, "hasReadme": false, "hasArchitectureMd": false}, "hasPackageLock": false, "evidence": {}}}
|
|
12
|
+
violations[_].id == "CLI-RR-01"
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
test_missing_mcp_evidence_is_rejected {
|
|
16
|
+
violations := cli_readiness.violations with input as {"core": {"cli": {"hasMainJs": true, "hasTests": true, "hasPackageLock": true, "hasReadme": true, "hasArchitectureMd": true}, "hasPackageLock": true, "evidence": {}}}
|
|
17
|
+
violations[_].id == "CLI-RR-04"
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
test_missing_readme_is_rejected {
|
|
21
|
+
violations := cli_readiness.violations with input as {"core": {"cli": {"hasMainJs": true, "hasTests": true, "hasPackageLock": true, "hasReadme": false, "hasArchitectureMd": false}, "hasPackageLock": true, "evidence": {"mcp-smoke.json": {"status": "passed"}}}}
|
|
22
|
+
violations[_].id == "CLI-RR-05"
|
|
23
|
+
}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
package evolith.cli_release_readiness
|
|
2
|
+
|
|
3
|
+
violations[{"id": "CLI-RR-01", "message": "TypeScript build does not pass — npm run build must exit 0 before release"}] {
|
|
4
|
+
not input.satellite.releaseReadiness.buildPasses
|
|
5
|
+
}
|
|
6
|
+
|
|
7
|
+
violations[{"id": "CLI-RR-02", "message": "Unit and integration tests do not pass — npm test must exit 0 before release"}] {
|
|
8
|
+
not input.satellite.releaseReadiness.testsPass
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
violations[{"id": "CLI-RR-03", "message": "Dependency graph not reproducible — package-lock.json missing or transitive dependencies broken"}] {
|
|
12
|
+
not input.satellite.releaseReadiness.lockFilePresent
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
violations[{"id": "CLI-RR-04", "message": "MCP smoke test does not pass — initialize and tools/list must respond over release transport"}] {
|
|
16
|
+
not input.satellite.releaseReadiness.mcpSmokePasses
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
violations[{"id": "CLI-RR-05", "message": "Release documentation does not match implementation — README exists but describes outdated state"}] {
|
|
20
|
+
not input.satellite.releaseReadiness.readmeExists
|
|
21
|
+
}
|