@evolith/core-domain 1.0.0 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/domain/services/default-workflow-definition.js +1 -1
- package/dist/domain/services/default-workflow-definition.js.map +1 -1
- package/package.json +2 -1
- package/rulesets/README.es.md +170 -0
- package/rulesets/README.md +170 -0
- package/rulesets/acl/README.es.md +41 -0
- package/rulesets/acl/README.md +41 -0
- package/rulesets/acl/anti-corruption-layer.rules.es.json +99 -0
- package/rulesets/acl/anti-corruption-layer.rules.json +99 -0
- package/rulesets/adr/ADR_COVERAGE.es.md +133 -0
- package/rulesets/adr/ADR_COVERAGE.md +133 -0
- package/rulesets/adr/README.es.md +17 -0
- package/rulesets/adr/README.md +17 -0
- package/rulesets/adr/adr-0002-hexagonal-architecture.rules.json +103 -0
- package/rulesets/adr/adr-0005-cicd-quality-gates.rules.json +102 -0
- package/rulesets/adr/adr-0010-multi-tenancy.rules.json +129 -0
- package/rulesets/adr/adr-0018-testing-pyramid.rules.json +115 -0
- package/rulesets/adr/adr-0032-protocol-selection.rules.json +134 -0
- package/rulesets/adr/adr-0040-multi-runtime.rules.json +131 -0
- package/rulesets/adr/adr-0050-gitflow-branching.rules.json +176 -0
- package/rulesets/adr/generated/adr-0001-monorepo-orchestration-principle.rules.json +29 -0
- package/rulesets/adr/generated/adr-0006-microservices-transition-via-sidecar-pattern.rules.json +29 -0
- package/rulesets/adr/generated/adr-0009-strict-dependency-pinning-and-automated-vulnerability-manage.rules.json +29 -0
- package/rulesets/adr/generated/adr-0011-fault-tolerance-and-resiliency-patterns.rules.json +29 -0
- package/rulesets/adr/generated/adr-0013-cloud-infrastructure-topology-and-disaster-recovery-dr.rules.json +28 -0
- package/rulesets/adr/generated/adr-0014-multi-layer-distributed-caching-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0015-event-driven-architecture-eda-for-intra-domain-communication.rules.json +29 -0
- package/rulesets/adr/generated/adr-0016-immutable-business-audit-trail-and-change-tracking.rules.json +29 -0
- package/rulesets/adr/generated/adr-0017-feature-flagging-strategy-for-progressive-delivery.rules.json +28 -0
- package/rulesets/adr/generated/adr-0019-tactical-design-patterns-for-future-proofing.rules.json +29 -0
- package/rulesets/adr/generated/adr-0020-identity-provider-abstraction-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-0024-centralized-configuration-feature-platform.rules.json +28 -0
- package/rulesets/adr/generated/adr-0025-feature-flag-provider-abstraction-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0028-self-hosted-open-source-hybrid-infrastructure.rules.json +29 -0
- package/rulesets/adr/generated/adr-0030-two-tier-distributed-gateway-model.rules.json +28 -0
- package/rulesets/adr/generated/adr-0031-schema-per-bounded-context-and-domain-event-catalog.rules.json +29 -0
- package/rulesets/adr/generated/adr-0033-transactional-outbox-pattern-for-async-messaging.rules.json +28 -0
- package/rulesets/adr/generated/adr-0034-cqrs-pattern-application-matrix.rules.json +29 -0
- package/rulesets/adr/generated/adr-0035-distributed-saga-pattern-implementation-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0036-message-bus-delivery-flow-control-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0037-enterprise-performance-concurrency-chaos-verification-strate.rules.json +28 -0
- package/rulesets/adr/generated/adr-0039-deployment-topology-abstraction-environment-switcher.rules.json +29 -0
- package/rulesets/adr/generated/adr-0041-dual-engine-policy-evaluation-native-opa.rules.json +28 -0
- package/rulesets/adr/generated/adr-0044-configurable-security-persistence-strategy-agnosticism-vs-na.rules.json +29 -0
- package/rulesets/adr/generated/adr-0045-microservice-extraction-readiness-criteria.rules.json +29 -0
- package/rulesets/adr/generated/adr-0046-unified-traceability-via-w3c-tracecontext.rules.json +29 -0
- package/rulesets/adr/generated/adr-0047-progressive-architecture-evolution-framework-modular-monolit.rules.json +29 -0
- package/rulesets/adr/generated/adr-0048-enterprise-taxonomy-standardization-and-reference-layout.rules.json +28 -0
- package/rulesets/adr/generated/adr-0049-naming-semantics-clean-code-policy-e2e-and-global.rules.json +29 -0
- package/rulesets/adr/generated/adr-0051-enterprise-database-engine-selection-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0052-unit-testing-isolation-strategy-mocks-vs-stubs.rules.json +29 -0
- package/rulesets/adr/generated/adr-0053-integration-and-e2e-testing-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0054-database-design-and-normalization-standards.rules.json +29 -0
- package/rulesets/adr/generated/adr-0055-microfrontends-architecture-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-0056-enterprise-naming-design-conventions-multi-language-multi-pl.rules.json +29 -0
- package/rulesets/adr/generated/adr-0057-architecture-intelligence-catalog.rules.json +27 -0
- package/rulesets/adr/generated/adr-0058-ai-consumable-architecture-knowledge.rules.json +27 -0
- package/rulesets/adr/generated/adr-0067-modular-monolith-persistence-boundaries.rules.json +28 -0
- package/rulesets/adr/generated/adr-0068-documentation-release-gitflow.rules.json +29 -0
- package/rulesets/adr/generated/adr-0069-ai-agent-context-protocol-integration.rules.json +28 -0
- package/rulesets/adr/generated/adr-0070-lean-root-repository-taxonomy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0071-domain-layer-base-class-and-inheritance-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0072-utc-date-storage-browser-timezone-detection-and-language-res.rules.json +29 -0
- package/rulesets/adr/generated/adr-0073-unified-cli-mcp-output-contract-and-gate-evidence-schema.rules.json +29 -0
- package/rulesets/adr/generated/adr-0074-evolith-core-api-native-exposure-layer.rules.json +29 -0
- package/rulesets/adr/generated/adr-0075-core-api-authentication-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-0076-domain-oriented-microservice-architecture-doma.rules.json +28 -0
- package/rulesets/adr/generated/adr-0077-masstransit-v9-commercial-pivot-stay-on-v8-monitor-opentrans.rules.json +28 -0
- package/rulesets/adr/generated/adr-0078-domain-financial-separation-governance.rules.json +29 -0
- package/rulesets/adr/generated/adr-0079-multi-topology-reference-corpus-and-topology-manifest-contra.rules.json +29 -0
- package/rulesets/adr/generated/adr-0080-remote-repository-reference-contract.rules.json +29 -0
- package/rulesets/adr/generated/adr-0081-agentic-ai-sandbox-isolation-boundary.rules.json +29 -0
- package/rulesets/adr/generated/adr-0082-agentic-ai-prompt-context-and-tool-trust-boundary.rules.json +28 -0
- package/rulesets/adr/generated/adr-0083-agentic-ai-action-authorization-and-audit.rules.json +29 -0
- package/rulesets/adr/generated/adr-0084-data-mesh-and-data-as-a-product.rules.json +29 -0
- package/rulesets/adr/generated/adr-0085-agnostic-opa-wasm-distribution-architecture.rules.json +28 -0
- package/rulesets/adr/generated/adr-0086-agentic-ai-telemetry-cost-control-standard.rules.json +27 -0
- package/rulesets/adr/generated/adr-0087-attribute-based-access-control-abac-for-agentic-tool-executi.rules.json +29 -0
- package/rulesets/adr/generated/adr-0088-sovereign-identity-for-agentic-ai.rules.json +29 -0
- package/rulesets/adr/generated/adr-0089-event-driven-agentic-workflow-pattern.rules.json +28 -0
- package/rulesets/adr/generated/adr-0090-rag-knowledge-governance-standard.rules.json +29 -0
- package/rulesets/adr/generated/adr-0091-workload-identity-token-rotation-standard.rules.json +29 -0
- package/rulesets/adr/generated/adr-0092-agent-infinite-loop-prevention-and-circuit-breaker-rules.rules.json +29 -0
- package/rulesets/adr/generated/adr-0093-concurrency-control-and-resource-locking-standard-for-mcp-to.rules.json +29 -0
- package/rulesets/adr/generated/adr-0094-multi-agent-handoff-and-task-delegation-standards.rules.json +29 -0
- package/rulesets/adr/generated/adr-0095-serverless-architecture-governance.rules.json +29 -0
- package/rulesets/adr/generated/adr-0096-edge-computing-architecture-governance.rules.json +29 -0
- package/rulesets/adr/generated/adr-0097-knowledge-lifecycle-governance-standard.rules.json +29 -0
- package/rulesets/adr/generated/adr-0098-rest-uri-versioning-and-deprecation-policy.rules.json +29 -0
- package/rulesets/adr/generated/adr-0099-opa-bundle-distribution-via-s3-minio.rules.json +27 -0
- package/rulesets/adr/generated/adr-ai-augmented-0001-harness-engineering-for-ai-augmented-development.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0002-mcp-integration-protocol-for-agent-tool-invocation.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0003-model-selection-governance-for-ai-augmented-workflows.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0004-agents-md-as-mandatory-repository-artifact.rules.json +29 -0
- package/rulesets/adr/generated/adr-ai-augmented-0005-human-in-the-loop-policy-for-autonomous-agent-operations.rules.json +29 -0
- package/rulesets/adr/generated/adr-android-0042-canonical-android-native-mobile-architecture.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0041-canonical-net-c-backend-architecture.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0060-net-multi-tenancy-dual-layer-strategy-ef-core-sql-server.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0061-transactional-event-lifecycle-in-ef-core.rules.json +28 -0
- package/rulesets/adr/generated/adr-dotnet-0062-net-immutable-audit-trail-via-ddl-triggers-delta-capture.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0063-b2b-request-idempotency-middleware-in-asp-net-core.rules.json +28 -0
- package/rulesets/adr/generated/adr-dotnet-0064-net-request-scope-observability-context-propagation.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0065-net-pii-safe-structured-logging-pipeline-serilog.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0066-net-lightweight-http-idempotency-via-imemorycache-idistribut.rules.json +28 -0
- package/rulesets/adr/generated/adr-dotnet-0069-net-grpc-service-setup-protobuf-contracts.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0070-net-api-endpoint-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-dotnet-0071-net-data-access-strategy-ef-core-as-default-orm-dapper-for-o.rules.json +27 -0
- package/rulesets/adr/generated/adr-dotnet-0072-net-aop-cross-cutting-concern-strategy-dispatchproxy-over-pi.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0003-strict-typescript-standards.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0004-frontend-offline-resilience.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0007-observability-with-opentelemetry-loki-and-jaeger.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0008-progressive-multi-module-evolution-with-api-gateway-and-bff-.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0012-advanced-authorization-rbac-abac-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0021-high-performance-authentication-graph-compilation.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0022-contextual-authentication-and-pluggable-output-projections.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0023-centralized-authorization-core-strategy.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0026-adaptive-mfa-and-passwordless-platform.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0027-dual-protocol-api-strategy-rest-grpc.rules.json +28 -0
- package/rulesets/adr/generated/adr-nodejs-0029-adoption-of-tactical-ddd-primitives-library.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0038-enterprise-error-handling-result-pattern-strategy.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0043-data-access-and-orm-strategy-for-node-js.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0044-frontend-clean-architecture-layer-boundaries-react.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0045-frontend-state-management-zustand-tanstack-query-dual-strate.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0046-prohibition-of-raw-technical-identifiers-in-user-interfaces.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0047-actionable-user-error-contract-and-correlated-diagnostics.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0048-feature-flag-system-scope-and-structured-criteria-model.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0074-monorepo-orchestration-with-nx.rules.json +29 -0
- package/rulesets/adr/generated/adr-nodejs-0075-application-gateway-bff-with-nestjs.rules.json +29 -0
- package/rulesets/architecture/README.es.md +21 -0
- package/rulesets/architecture/README.md +21 -0
- package/rulesets/architecture/opa/progressive-axis.rego +50 -0
- package/rulesets/cli/README.es.md +17 -0
- package/rulesets/cli/README.md +17 -0
- package/rulesets/cli/core-parity.rules.json +61 -0
- package/rulesets/cli/release-readiness.rules.json +77 -0
- package/rulesets/compliance-baseline/README.es.md +26 -0
- package/rulesets/compliance-baseline/README.md +26 -0
- package/rulesets/compliance-baseline/compliance-baseline.rules.json +81 -0
- package/rulesets/contracts/README.es.md +19 -0
- package/rulesets/contracts/README.md +19 -0
- package/rulesets/contracts/evolith-machine-contracts.json +29 -0
- package/rulesets/contracts/fixtures/gate-evidence.success.json +10 -0
- package/rulesets/contracts/fixtures/output-envelope.success.json +23 -0
- package/rulesets/cross-cutting/README.es.md +14 -0
- package/rulesets/cross-cutting/README.md +14 -0
- package/rulesets/cross-cutting/compliance-baseline.rules.json +81 -0
- package/rulesets/cross-cutting/definition-of-done.rules.json +135 -0
- package/rulesets/cross-cutting/engineering-manifesto.rules.json +145 -0
- package/rulesets/cross-cutting/repository-taxonomy.rules.json +172 -0
- package/rulesets/definition-of-done/README.es.md +26 -0
- package/rulesets/definition-of-done/README.md +26 -0
- package/rulesets/definition-of-done/definition-of-done.rules.json +135 -0
- package/rulesets/engineering-manifesto/README.es.md +26 -0
- package/rulesets/engineering-manifesto/README.md +26 -0
- package/rulesets/engineering-manifesto/engineering-manifesto.rules.json +145 -0
- package/rulesets/evidence/README.es.md +12 -0
- package/rulesets/evidence/README.md +12 -0
- package/rulesets/evidence/evidence-manifest.rules.json +48 -0
- package/rulesets/executive-scorecards/executive-scorecards.rules.es.json +213 -0
- package/rulesets/executive-scorecards/executive-scorecards.rules.json +213 -0
- package/rulesets/governance/README.es.md +13 -0
- package/rulesets/governance/README.md +13 -0
- package/rulesets/governance/abac-mcp-access.rules.es.json +41 -0
- package/rulesets/governance/abac-mcp-access.rules.json +41 -0
- package/rulesets/governance/executive-scorecards.rules.es.json +213 -0
- package/rulesets/governance/executive-scorecards.rules.json +213 -0
- package/rulesets/governance/inheritance.rules.json +115 -0
- package/rulesets/governance/knowledge-intake.rules.json +18 -0
- package/rulesets/governance/open-core-boundary.rules.es.json +148 -0
- package/rulesets/governance/open-core-boundary.rules.json +148 -0
- package/rulesets/governance/satellite-contracts.rules.json +183 -0
- package/rulesets/infrastructure/helm-enforcement.rules.json +21 -0
- package/rulesets/infrastructure/opa/helm-enforcement.rego +25 -0
- package/rulesets/infrastructure/opa/helm-enforcement.test.rego +31 -0
- package/rulesets/infrastructure/opa/opa-sidecar-bundle.rego +115 -0
- package/rulesets/infrastructure/opa/opa-sidecar-bundle.test.rego +66 -0
- package/rulesets/infrastructure/opa-sidecar-bundle.rules.json +18 -0
- package/rulesets/mcp/README.es.md +12 -0
- package/rulesets/mcp/README.md +12 -0
- package/rulesets/mcp/protocol-compliance.rules.json +57 -0
- package/rulesets/observability/README.es.md +12 -0
- package/rulesets/observability/README.md +12 -0
- package/rulesets/observability/telemetry-evidence.rules.json +48 -0
- package/rulesets/opa/README.es.md +22 -0
- package/rulesets/opa/README.md +22 -0
- package/rulesets/opa/abac-mcp-tool-access.rego +122 -0
- package/rulesets/opa/abac-mcp-tool-access.test.rego +33 -0
- package/rulesets/opa/anti-corruption-layer.rego +39 -0
- package/rulesets/opa/anti-corruption-layer.test.rego +118 -0
- package/rulesets/opa/ci-cd.rego +41 -0
- package/rulesets/opa/ci-cd.test.rego +23 -0
- package/rulesets/opa/cicd-quality-gates.rego +29 -0
- package/rulesets/opa/cicd-quality-gates.test.rego +54 -0
- package/rulesets/opa/cli-core-parity.rego +17 -0
- package/rulesets/opa/cli-core-parity.test.rego +39 -0
- package/rulesets/opa/cli-readiness.rego +32 -0
- package/rulesets/opa/cli-readiness.test.rego +23 -0
- package/rulesets/opa/cli-release-readiness.rego +21 -0
- package/rulesets/opa/cli-release-readiness.test.rego +46 -0
- package/rulesets/opa/compliance-baseline.rego +95 -0
- package/rulesets/opa/compliance-baseline.test.rego +89 -0
- package/rulesets/opa/dod.rego +42 -0
- package/rulesets/opa/dod.test.rego +250 -0
- package/rulesets/opa/engineering-manifesto.rego +78 -0
- package/rulesets/opa/engineering-manifesto.test.rego +133 -0
- package/rulesets/opa/evidence.rego +64 -0
- package/rulesets/opa/evidence.test.rego +23 -0
- package/rulesets/opa/executive-scorecards.rego +41 -0
- package/rulesets/opa/executive-scorecards.test.rego +60 -0
- package/rulesets/opa/gitflow-branching.rego +41 -0
- package/rulesets/opa/gitflow-branching.test.rego +60 -0
- package/rulesets/opa/governance.rego +39 -0
- package/rulesets/opa/governance.test.rego +23 -0
- package/rulesets/opa/hexagonal-architecture.rego +33 -0
- package/rulesets/opa/hexagonal-architecture.test.rego +57 -0
- package/rulesets/opa/infrastructure/helm-enforcement.rego +33 -0
- package/rulesets/opa/infrastructure/opa-sidecar-bundle.rego +42 -0
- package/rulesets/opa/knowledge-intake.rego +98 -0
- package/rulesets/opa/knowledge-intake.test.rego +50 -0
- package/rulesets/opa/main.rego +147 -0
- package/rulesets/opa/main_test.rego +149 -0
- package/rulesets/opa/mcp.rego +61 -0
- package/rulesets/opa/mcp.test.rego +27 -0
- package/rulesets/opa/multi-runtime.rego +33 -0
- package/rulesets/opa/multi-runtime.test.rego +53 -0
- package/rulesets/opa/multi-tenancy.rego +33 -0
- package/rulesets/opa/multi-tenancy.test.rego +53 -0
- package/rulesets/opa/open-core-boundary.rego +33 -0
- package/rulesets/opa/open-core-boundary.test.rego +60 -0
- package/rulesets/opa/protocol-selection.rego +29 -0
- package/rulesets/opa/protocol-selection.test.rego +46 -0
- package/rulesets/opa/rbac/gate-role-enforcement.rego +112 -0
- package/rulesets/opa/repository-taxonomy.rego +98 -0
- package/rulesets/opa/repository-taxonomy.test.rego +91 -0
- package/rulesets/opa/satellite-contracts.rego +42 -0
- package/rulesets/opa/satellite-contracts.test.rego +70 -0
- package/rulesets/opa/schemas/abac-mcp-tool-access.input.schema.json +21 -0
- package/rulesets/opa/schemas/anti-corruption-layer.input.schema.json +25 -0
- package/rulesets/opa/schemas/ci-cd.input.schema.json +27 -0
- package/rulesets/opa/schemas/cicd-quality-gates.input.schema.json +33 -0
- package/rulesets/opa/schemas/cli-core-parity.input.schema.json +30 -0
- package/rulesets/opa/schemas/cli-readiness.input.schema.json +28 -0
- package/rulesets/opa/schemas/cli-release-readiness.input.schema.json +26 -0
- package/rulesets/opa/schemas/compliance-baseline.input.schema.json +25 -0
- package/rulesets/opa/schemas/dod.input.schema.json +38 -0
- package/rulesets/opa/schemas/engineering-manifesto.input.schema.json +24 -0
- package/rulesets/opa/schemas/evidence.input.schema.json +35 -0
- package/rulesets/opa/schemas/executive-scorecards.input.schema.json +36 -0
- package/rulesets/opa/schemas/gitflow-branching.input.schema.json +36 -0
- package/rulesets/opa/schemas/governance.input.schema.json +19 -0
- package/rulesets/opa/schemas/hexagonal-architecture.input.schema.json +46 -0
- package/rulesets/opa/schemas/knowledge-intake.input.schema.json +57 -0
- package/rulesets/opa/schemas/mcp.input.schema.json +38 -0
- package/rulesets/opa/schemas/multi-runtime.input.schema.json +27 -0
- package/rulesets/opa/schemas/multi-tenancy.input.schema.json +27 -0
- package/rulesets/opa/schemas/open-core-boundary.input.schema.json +36 -0
- package/rulesets/opa/schemas/protocol-selection.input.schema.json +26 -0
- package/rulesets/opa/schemas/repository-taxonomy.input.schema.json +18 -0
- package/rulesets/opa/schemas/satellite-contracts.input.schema.json +38 -0
- package/rulesets/opa/schemas/taxonomy.input.schema.json +27 -0
- package/rulesets/opa/schemas/testing-pyramid.input.schema.json +42 -0
- package/rulesets/opa/schemas/version-pinning.input.schema.json +39 -0
- package/rulesets/opa/sdlc/coverage.rego +49 -0
- package/rulesets/opa/sdlc/coverage.test.rego +29 -0
- package/rulesets/opa/sdlc/pyramid-distribution.rego +31 -0
- package/rulesets/opa/sdlc/pyramid-distribution.test.rego +33 -0
- package/rulesets/opa/taxonomy.rego +51 -0
- package/rulesets/opa/taxonomy.test.rego +28 -0
- package/rulesets/opa/telemetry-evidence.rego +102 -0
- package/rulesets/opa/testing-pyramid.rego +49 -0
- package/rulesets/opa/testing-pyramid.test.rego +81 -0
- package/rulesets/opa/version-pinning.rego +99 -0
- package/rulesets/opa/version-pinning.test.rego +28 -0
- package/rulesets/phase-gates/README.es.md +28 -0
- package/rulesets/phase-gates/README.md +28 -0
- package/rulesets/phase-gates/phase-gates.rules.json +297 -0
- package/rulesets/quality-thresholds/README.es.md +28 -0
- package/rulesets/quality-thresholds/README.md +28 -0
- package/rulesets/quality-thresholds/quality-thresholds.rules.json +96 -0
- package/rulesets/repository-taxonomy/README.es.md +26 -0
- package/rulesets/repository-taxonomy/README.md +26 -0
- package/rulesets/repository-taxonomy/repository-taxonomy.rules.json +172 -0
- package/rulesets/satellite-contracts/README.es.md +27 -0
- package/rulesets/satellite-contracts/README.md +27 -0
- package/rulesets/satellite-contracts/satellite-contracts.rules.json +183 -0
- package/rulesets/schema/README.es.md +39 -0
- package/rulesets/schema/README.md +39 -0
- package/rulesets/schema/adr.schema.json +138 -0
- package/rulesets/schema/agile-backlog.schema.json +91 -0
- package/rulesets/schema/ballpark-estimation.schema.json +109 -0
- package/rulesets/schema/build-vs-compose.schema.json +98 -0
- package/rulesets/schema/cli-impact-analysis.schema.json +114 -0
- package/rulesets/schema/discovery-canvas.schema.json +92 -0
- package/rulesets/schema/evolith-user-story.schema.json +105 -0
- package/rulesets/schema/evolith-yaml.schema.json +191 -0
- package/rulesets/schema/functional-story.schema.json +111 -0
- package/rulesets/schema/gate-evidence.schema.json +85 -0
- package/rulesets/schema/integration-evidence.schema.json +47 -0
- package/rulesets/schema/knowledge-intake.schema.json +67 -0
- package/rulesets/schema/knowledge-projection.schema.json +24 -0
- package/rulesets/schema/maturity-evidence.schema.json +59 -0
- package/rulesets/schema/observability-validation.schema.json +85 -0
- package/rulesets/schema/on-call-handoff.schema.json +91 -0
- package/rulesets/schema/output-envelope.schema.json +102 -0
- package/rulesets/schema/prd.schema.json +117 -0
- package/rulesets/schema/release-notes.schema.json +138 -0
- package/rulesets/schema/rollback-rehearsal.schema.json +73 -0
- package/rulesets/schema/ruleset-sdlc.schema.json +59 -0
- package/rulesets/schema/ruleset-standard.schema.json +73 -0
- package/rulesets/schema/security-scan-report.schema.json +79 -0
- package/rulesets/schema/source-registry.schema.json +51 -0
- package/rulesets/schema/technical-feasibility.schema.json +66 -0
- package/rulesets/schema/technical-story.schema.json +112 -0
- package/rulesets/schema/test-summary-report.schema.json +158 -0
- package/rulesets/schema/topology-composition.schema.json +43 -0
- package/rulesets/schema/topology-manifest.schema.json +421 -0
- package/rulesets/sdlc/README.es.md +12 -0
- package/rulesets/sdlc/README.md +12 -0
- package/rulesets/sdlc/default-workflow.yaml +73 -0
- package/rulesets/sdlc/dependency-pinning.rules.json +183 -0
- package/rulesets/sdlc/phase-gates.rules.json +297 -0
- package/rulesets/sdlc/quality-thresholds.rules.json +96 -0
- package/rulesets/topologies/README.es.md +42 -0
- package/rulesets/topologies/README.md +42 -0
- package/rulesets/topologies/agentic-ai/README.es.md +142 -0
- package/rulesets/topologies/agentic-ai/README.md +142 -0
- package/rulesets/topologies/agentic-ai/adoption.es.md +37 -0
- package/rulesets/topologies/agentic-ai/adoption.md +37 -0
- package/rulesets/topologies/agentic-ai/agent.config.schema.json +100 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.rego +46 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.rules.json +109 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.test.rego +68 -0
- package/rulesets/topologies/agentic-ai/agentic-ai.wasm +0 -0
- package/rulesets/topologies/agentic-ai/cli/cli-flows.es.md +35 -0
- package/rulesets/topologies/agentic-ai/cli/cli-flows.md +45 -0
- package/rulesets/topologies/agentic-ai/evidence.es.md +25 -0
- package/rulesets/topologies/agentic-ai/evidence.md +25 -0
- package/rulesets/topologies/agentic-ai/evolution.es.md +26 -0
- package/rulesets/topologies/agentic-ai/evolution.md +26 -0
- package/rulesets/topologies/agentic-ai/fixtures/invalid-agent.config.json +48 -0
- package/rulesets/topologies/agentic-ai/fixtures/valid-agent.config.json +48 -0
- package/rulesets/topologies/agentic-ai/maturity.es.md +33 -0
- package/rulesets/topologies/agentic-ai/maturity.md +33 -0
- package/rulesets/topologies/agentic-ai/mcp/mcp-manifest.json +100 -0
- package/rulesets/topologies/agentic-ai/openapi/openapi.yaml +187 -0
- package/rulesets/topologies/agentic-ai/operations.es.md +32 -0
- package/rulesets/topologies/agentic-ai/operations.md +32 -0
- package/rulesets/topologies/agentic-ai/parity-fixtures/compliant.json +18 -0
- package/rulesets/topologies/agentic-ai/parity-fixtures/violation.json +22 -0
- package/rulesets/topologies/agentic-ai/patterns.es.md +32 -0
- package/rulesets/topologies/agentic-ai/patterns.md +32 -0
- package/rulesets/topologies/agentic-ai/resilience.es.md +26 -0
- package/rulesets/topologies/agentic-ai/resilience.md +26 -0
- package/rulesets/topologies/agentic-ai/runbooks.es.md +48 -0
- package/rulesets/topologies/agentic-ai/runbooks.md +48 -0
- package/rulesets/topologies/agentic-ai/security.es.md +26 -0
- package/rulesets/topologies/agentic-ai/security.md +26 -0
- package/rulesets/topologies/agentic-ai/topology.manifest.json +127 -0
- package/rulesets/topologies/data-mesh/README.es.md +69 -0
- package/rulesets/topologies/data-mesh/README.md +69 -0
- package/rulesets/topologies/data-mesh/adoption.es.md +95 -0
- package/rulesets/topologies/data-mesh/adoption.md +95 -0
- package/rulesets/topologies/data-mesh/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/data-mesh/cli/cli-flows.md +53 -0
- package/rulesets/topologies/data-mesh/data-mesh.rego +11 -0
- package/rulesets/topologies/data-mesh/data-mesh.rules.json +100 -0
- package/rulesets/topologies/data-mesh/data-mesh.test.rego +107 -0
- package/rulesets/topologies/data-mesh/data-mesh.wasm +0 -0
- package/rulesets/topologies/data-mesh/evidence.es.md +111 -0
- package/rulesets/topologies/data-mesh/evidence.md +111 -0
- package/rulesets/topologies/data-mesh/evolution.es.md +67 -0
- package/rulesets/topologies/data-mesh/evolution.md +67 -0
- package/rulesets/topologies/data-mesh/fixtures/invalid.topology.config.json +12 -0
- package/rulesets/topologies/data-mesh/fixtures/valid.topology.config.json +12 -0
- package/rulesets/topologies/data-mesh/maturity.es.md +36 -0
- package/rulesets/topologies/data-mesh/maturity.md +36 -0
- package/rulesets/topologies/data-mesh/mcp/mcp-manifest.json +68 -0
- package/rulesets/topologies/data-mesh/openapi/openapi.yaml +186 -0
- package/rulesets/topologies/data-mesh/operations.es.md +63 -0
- package/rulesets/topologies/data-mesh/operations.md +63 -0
- package/rulesets/topologies/data-mesh/parity-fixtures/compliant.json +18 -0
- package/rulesets/topologies/data-mesh/parity-fixtures/violation.json +21 -0
- package/rulesets/topologies/data-mesh/patterns.es.md +67 -0
- package/rulesets/topologies/data-mesh/patterns.md +67 -0
- package/rulesets/topologies/data-mesh/resilience.es.md +64 -0
- package/rulesets/topologies/data-mesh/resilience.md +64 -0
- package/rulesets/topologies/data-mesh/runbooks.es.md +147 -0
- package/rulesets/topologies/data-mesh/runbooks.md +147 -0
- package/rulesets/topologies/data-mesh/security.es.md +66 -0
- package/rulesets/topologies/data-mesh/security.md +66 -0
- package/rulesets/topologies/data-mesh/topology.config.schema.json +30 -0
- package/rulesets/topologies/data-mesh/topology.manifest.json +107 -0
- package/rulesets/topologies/edge-computing/README.es.md +81 -0
- package/rulesets/topologies/edge-computing/README.md +81 -0
- package/rulesets/topologies/edge-computing/adoption.es.md +268 -0
- package/rulesets/topologies/edge-computing/adoption.md +268 -0
- package/rulesets/topologies/edge-computing/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/edge-computing/cli/cli-flows.md +53 -0
- package/rulesets/topologies/edge-computing/edge-computing.rego +41 -0
- package/rulesets/topologies/edge-computing/edge-computing.rules.json +50 -0
- package/rulesets/topologies/edge-computing/edge-computing.test.rego +33 -0
- package/rulesets/topologies/edge-computing/edge-computing.wasm +0 -0
- package/rulesets/topologies/edge-computing/evidence.es.md +263 -0
- package/rulesets/topologies/edge-computing/evidence.md +263 -0
- package/rulesets/topologies/edge-computing/evolution.es.md +257 -0
- package/rulesets/topologies/edge-computing/evolution.md +257 -0
- package/rulesets/topologies/edge-computing/fixtures/invalid.topology.config.json +6 -0
- package/rulesets/topologies/edge-computing/fixtures/valid.topology.config.json +6 -0
- package/rulesets/topologies/edge-computing/maturity.es.md +36 -0
- package/rulesets/topologies/edge-computing/maturity.md +36 -0
- package/rulesets/topologies/edge-computing/mcp/mcp-manifest.json +72 -0
- package/rulesets/topologies/edge-computing/openapi/openapi.yaml +187 -0
- package/rulesets/topologies/edge-computing/operations.es.md +148 -0
- package/rulesets/topologies/edge-computing/operations.md +148 -0
- package/rulesets/topologies/edge-computing/parity-fixtures/compliant.json +12 -0
- package/rulesets/topologies/edge-computing/parity-fixtures/violation.json +13 -0
- package/rulesets/topologies/edge-computing/patterns.es.md +291 -0
- package/rulesets/topologies/edge-computing/patterns.md +290 -0
- package/rulesets/topologies/edge-computing/resilience.es.md +232 -0
- package/rulesets/topologies/edge-computing/resilience.md +229 -0
- package/rulesets/topologies/edge-computing/runbooks.es.md +405 -0
- package/rulesets/topologies/edge-computing/runbooks.md +405 -0
- package/rulesets/topologies/edge-computing/security.es.md +218 -0
- package/rulesets/topologies/edge-computing/security.md +218 -0
- package/rulesets/topologies/edge-computing/topology.config.schema.json +13 -0
- package/rulesets/topologies/edge-computing/topology.manifest.json +113 -0
- package/rulesets/topologies/event-driven/README.es.md +71 -0
- package/rulesets/topologies/event-driven/README.md +71 -0
- package/rulesets/topologies/event-driven/adoption.es.md +67 -0
- package/rulesets/topologies/event-driven/adoption.md +67 -0
- package/rulesets/topologies/event-driven/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/event-driven/cli/cli-flows.md +53 -0
- package/rulesets/topologies/event-driven/event-driven.rego +11 -0
- package/rulesets/topologies/event-driven/event-driven.rules.json +100 -0
- package/rulesets/topologies/event-driven/event-driven.test.rego +107 -0
- package/rulesets/topologies/event-driven/event-driven.wasm +0 -0
- package/rulesets/topologies/event-driven/evidence.es.md +69 -0
- package/rulesets/topologies/event-driven/evidence.md +69 -0
- package/rulesets/topologies/event-driven/evolution.es.md +59 -0
- package/rulesets/topologies/event-driven/evolution.md +59 -0
- package/rulesets/topologies/event-driven/fixtures/invalid.topology.config.json +12 -0
- package/rulesets/topologies/event-driven/fixtures/valid.topology.config.json +12 -0
- package/rulesets/topologies/event-driven/maturity.es.md +36 -0
- package/rulesets/topologies/event-driven/maturity.md +36 -0
- package/rulesets/topologies/event-driven/mcp/mcp-manifest.json +68 -0
- package/rulesets/topologies/event-driven/openapi/openapi.yaml +186 -0
- package/rulesets/topologies/event-driven/operations.es.md +67 -0
- package/rulesets/topologies/event-driven/operations.md +67 -0
- package/rulesets/topologies/event-driven/parity-fixtures/compliant.json +18 -0
- package/rulesets/topologies/event-driven/parity-fixtures/violation.json +21 -0
- package/rulesets/topologies/event-driven/patterns.es.md +68 -0
- package/rulesets/topologies/event-driven/patterns.md +68 -0
- package/rulesets/topologies/event-driven/resilience.es.md +65 -0
- package/rulesets/topologies/event-driven/resilience.md +65 -0
- package/rulesets/topologies/event-driven/runbooks.es.md +79 -0
- package/rulesets/topologies/event-driven/runbooks.md +79 -0
- package/rulesets/topologies/event-driven/security.es.md +59 -0
- package/rulesets/topologies/event-driven/security.md +59 -0
- package/rulesets/topologies/event-driven/topology.config.schema.json +30 -0
- package/rulesets/topologies/event-driven/topology.manifest.json +109 -0
- package/rulesets/topologies/progressive-axis/distributed-modules/distributed-modules.rules.es.json +111 -0
- package/rulesets/topologies/progressive-axis/distributed-modules/distributed-modules.rules.json +111 -0
- package/rulesets/topologies/progressive-axis/microservices/microservices.rules.es.json +106 -0
- package/rulesets/topologies/progressive-axis/microservices/microservices.rules.json +106 -0
- package/rulesets/topologies/progressive-axis/modular-monolith/modular-monolith.rules.es.json +148 -0
- package/rulesets/topologies/progressive-axis/modular-monolith/modular-monolith.rules.json +148 -0
- package/rulesets/topologies/serverless/README.es.md +74 -0
- package/rulesets/topologies/serverless/README.md +74 -0
- package/rulesets/topologies/serverless/adoption.es.md +50 -0
- package/rulesets/topologies/serverless/adoption.md +50 -0
- package/rulesets/topologies/serverless/cli/cli-flows.es.md +41 -0
- package/rulesets/topologies/serverless/cli/cli-flows.md +53 -0
- package/rulesets/topologies/serverless/evidence.es.md +66 -0
- package/rulesets/topologies/serverless/evidence.md +66 -0
- package/rulesets/topologies/serverless/evolution.es.md +36 -0
- package/rulesets/topologies/serverless/evolution.md +36 -0
- package/rulesets/topologies/serverless/fixtures/invalid.topology.config.json +6 -0
- package/rulesets/topologies/serverless/fixtures/valid.topology.config.json +6 -0
- package/rulesets/topologies/serverless/maturity.es.md +36 -0
- package/rulesets/topologies/serverless/maturity.md +36 -0
- package/rulesets/topologies/serverless/mcp/mcp-manifest.json +72 -0
- package/rulesets/topologies/serverless/openapi/openapi.yaml +186 -0
- package/rulesets/topologies/serverless/operations.es.md +36 -0
- package/rulesets/topologies/serverless/operations.md +36 -0
- package/rulesets/topologies/serverless/parity-fixtures/compliant.json +13 -0
- package/rulesets/topologies/serverless/parity-fixtures/violation.json +15 -0
- package/rulesets/topologies/serverless/patterns.es.md +36 -0
- package/rulesets/topologies/serverless/patterns.md +36 -0
- package/rulesets/topologies/serverless/resilience.es.md +36 -0
- package/rulesets/topologies/serverless/resilience.md +36 -0
- package/rulesets/topologies/serverless/runbooks.es.md +68 -0
- package/rulesets/topologies/serverless/runbooks.md +68 -0
- package/rulesets/topologies/serverless/security.es.md +36 -0
- package/rulesets/topologies/serverless/security.md +36 -0
- package/rulesets/topologies/serverless/serverless.rego +32 -0
- package/rulesets/topologies/serverless/serverless.rules.json +33 -0
- package/rulesets/topologies/serverless/serverless.test.rego +28 -0
- package/rulesets/topologies/serverless/serverless.wasm +0 -0
- package/rulesets/topologies/serverless/topology.config.schema.json +28 -0
- package/rulesets/topologies/serverless/topology.manifest.json +114 -0
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
package evolith.multi_tenancy_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.multi_tenancy
|
|
4
|
+
|
|
5
|
+
compliant_input := {"satellite": {"multiTenancy": {
|
|
6
|
+
"applicationFiltering": true,
|
|
7
|
+
"databaseEnforcement": true,
|
|
8
|
+
"tenantContextPropagation": true,
|
|
9
|
+
"crossTenantAccess": false,
|
|
10
|
+
"schemaStrategyDefined": true,
|
|
11
|
+
"apiTenantValidation": true,
|
|
12
|
+
}}}
|
|
13
|
+
|
|
14
|
+
test_compliant_multi_tenancy_has_no_violations {
|
|
15
|
+
violations := multi_tenancy.violations with input as compliant_input
|
|
16
|
+
count(violations) == 0
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
test_missing_application_filtering_is_rejected {
|
|
20
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/multiTenancy/applicationFiltering", "value": false}])
|
|
21
|
+
violations := multi_tenancy.violations with input as i
|
|
22
|
+
violations[_].id == "MTN-01"
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
test_missing_database_enforcement_is_rejected {
|
|
26
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/multiTenancy/databaseEnforcement", "value": false}])
|
|
27
|
+
violations := multi_tenancy.violations with input as i
|
|
28
|
+
violations[_].id == "MTN-02"
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
test_missing_tenant_context_propagation_is_rejected {
|
|
32
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/multiTenancy/tenantContextPropagation", "value": false}])
|
|
33
|
+
violations := multi_tenancy.violations with input as i
|
|
34
|
+
violations[_].id == "MTN-03"
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
test_cross_tenant_access_is_rejected {
|
|
38
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/multiTenancy/crossTenantAccess", "value": true}])
|
|
39
|
+
violations := multi_tenancy.violations with input as i
|
|
40
|
+
violations[_].id == "MTN-04"
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
test_missing_schema_strategy_is_rejected {
|
|
44
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/multiTenancy/schemaStrategyDefined", "value": false}])
|
|
45
|
+
violations := multi_tenancy.violations with input as i
|
|
46
|
+
violations[_].id == "MTN-05"
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
test_missing_api_tenant_validation_is_rejected {
|
|
50
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/multiTenancy/apiTenantValidation", "value": false}])
|
|
51
|
+
violations := multi_tenancy.violations with input as i
|
|
52
|
+
violations[_].id == "MTN-08"
|
|
53
|
+
}
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
package evolith.open_core_boundary
|
|
2
|
+
|
|
3
|
+
violations[{"id": "OCB-01", "message": "Core rulesets/schemas reference commercial license, paid feature flag, or enterprise-only dependency"}] {
|
|
4
|
+
input.satellite.openCore.coreHasEnterpriseReferences
|
|
5
|
+
}
|
|
6
|
+
|
|
7
|
+
violations[{"id": "OCB-02", "message": "Enterprise-only artifact missing explicit 'availability: enterprise' metadata"}] {
|
|
8
|
+
input.satellite.openCore.enterpriseArtifactNotMarked
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
violations[{"id": "OCB-03", "message": "ACL implementation code found in Core — must be in Enterprise layer only"}] {
|
|
12
|
+
input.satellite.openCore.aclImplementationInCore
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
violations[{"id": "OCB-04", "message": "CLI/MCP implementation gated behind paid license — must remain fully open in Core"}] {
|
|
16
|
+
input.satellite.openCore.cliMcpGated
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
violations[{"id": "OCB-05", "message": "Tracker-specific concepts found in Core rulesets — Tracker features cannot penetrate Core"}] {
|
|
20
|
+
input.satellite.openCore.trackerConceptsInCore
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
violations[{"id": "OCB-06", "message": "Core reference corpus contains tiered access (premium/enterprise) — all standards must be equal"}] {
|
|
24
|
+
input.satellite.openCore.tieredAccessInCore
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
violations[{"id": "OCB-07", "message": "Enterprise feature promoted to Core without Architecture Board approval — promotion requires formal review and accepted ADR before Core inclusion"}] {
|
|
28
|
+
input.satellite.openCore.hasEnterprisePromotionWithoutApproval
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
violations[{"id": "OCB-08", "message": "Core rules require enterprise features to function — Core must be independently viable"}] {
|
|
32
|
+
input.satellite.openCore.coreRequiresEnterprise
|
|
33
|
+
}
|
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
package evolith.open_core_boundary_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.open_core_boundary
|
|
4
|
+
|
|
5
|
+
compliant_input := {"satellite": {"openCore": {
|
|
6
|
+
"coreHasEnterpriseReferences": false,
|
|
7
|
+
"enterpriseArtifactNotMarked": false,
|
|
8
|
+
"aclImplementationInCore": false,
|
|
9
|
+
"cliMcpGated": false,
|
|
10
|
+
"trackerConceptsInCore": false,
|
|
11
|
+
"tieredAccessInCore": false,
|
|
12
|
+
"coreRequiresEnterprise": false,
|
|
13
|
+
}}}
|
|
14
|
+
|
|
15
|
+
test_compliant_open_core_has_no_violations {
|
|
16
|
+
violations := open_core_boundary.violations with input as compliant_input
|
|
17
|
+
count(violations) == 0
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
test_core_enterprise_references_is_rejected {
|
|
21
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/openCore/coreHasEnterpriseReferences", "value": true}])
|
|
22
|
+
violations := open_core_boundary.violations with input as i
|
|
23
|
+
violations[_].id == "OCB-01"
|
|
24
|
+
}
|
|
25
|
+
|
|
26
|
+
test_enterprise_artifact_not_marked_is_rejected {
|
|
27
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/openCore/enterpriseArtifactNotMarked", "value": true}])
|
|
28
|
+
violations := open_core_boundary.violations with input as i
|
|
29
|
+
violations[_].id == "OCB-02"
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
test_acl_in_core_is_rejected {
|
|
33
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/openCore/aclImplementationInCore", "value": true}])
|
|
34
|
+
violations := open_core_boundary.violations with input as i
|
|
35
|
+
violations[_].id == "OCB-03"
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
test_cli_mcp_gated_is_rejected {
|
|
39
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/openCore/cliMcpGated", "value": true}])
|
|
40
|
+
violations := open_core_boundary.violations with input as i
|
|
41
|
+
violations[_].id == "OCB-04"
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
test_tracker_concepts_in_core_is_rejected {
|
|
45
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/openCore/trackerConceptsInCore", "value": true}])
|
|
46
|
+
violations := open_core_boundary.violations with input as i
|
|
47
|
+
violations[_].id == "OCB-05"
|
|
48
|
+
}
|
|
49
|
+
|
|
50
|
+
test_tiered_access_in_core_is_rejected {
|
|
51
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/openCore/tieredAccessInCore", "value": true}])
|
|
52
|
+
violations := open_core_boundary.violations with input as i
|
|
53
|
+
violations[_].id == "OCB-06"
|
|
54
|
+
}
|
|
55
|
+
|
|
56
|
+
test_core_requires_enterprise_is_rejected {
|
|
57
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/openCore/coreRequiresEnterprise", "value": true}])
|
|
58
|
+
violations := open_core_boundary.violations with input as i
|
|
59
|
+
violations[_].id == "OCB-08"
|
|
60
|
+
}
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
package evolith.protocol_selection
|
|
2
|
+
|
|
3
|
+
violations[{"id": "PROT-01", "message": "Internal service-to-service communication not using gRPC"}] {
|
|
4
|
+
input.satellite.protocol.internalServiceCallsNotGrpc
|
|
5
|
+
}
|
|
6
|
+
|
|
7
|
+
violations[{"id": "PROT-02", "message": "Public/external API not using REST"}] {
|
|
8
|
+
input.satellite.protocol.publicApiNotRest
|
|
9
|
+
}
|
|
10
|
+
|
|
11
|
+
violations[{"id": "PROT-04", "message": "GraphQL resolvers found in Core or Application layer — must be BFF only"}] {
|
|
12
|
+
input.satellite.protocol.graphqlInDomainLayer
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
violations[{"id": "PROT-05", "message": "Proto files not centralized in shared Contracts library"}] {
|
|
16
|
+
not input.satellite.protocol.protoCentralized
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
violations[{"id": "PROT-03", "message": "BFF must use REST as primary protocol. If GraphQL is used, it must be targeted only (not as general-purpose BFF API)"}] {
|
|
20
|
+
input.satellite.protocol.bffUsesGraphqlAsGeneral
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
violations[{"id": "PROT-06", "message": "File uploads and stream operations should prefer gRPC streaming over multipart REST — use gRPC for large binary payloads"}] {
|
|
24
|
+
input.satellite.protocol.fileUploadsNotGrpc
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
violations[{"id": "PROT-07", "message": "Breaking contract changes without version bump detected"}] {
|
|
28
|
+
input.satellite.protocol.breakingChangesWithoutVersionBump
|
|
29
|
+
}
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
package evolith.protocol_selection_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.protocol_selection
|
|
4
|
+
|
|
5
|
+
compliant_input := {"satellite": {"protocol": {
|
|
6
|
+
"internalServiceCallsNotGrpc": false,
|
|
7
|
+
"publicApiNotRest": false,
|
|
8
|
+
"graphqlInDomainLayer": false,
|
|
9
|
+
"protoCentralized": true,
|
|
10
|
+
"breakingChangesWithoutVersionBump": false,
|
|
11
|
+
}}}
|
|
12
|
+
|
|
13
|
+
test_compliant_protocol_selection_has_no_violations {
|
|
14
|
+
violations := protocol_selection.violations with input as compliant_input
|
|
15
|
+
count(violations) == 0
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
test_internal_not_grpc_is_rejected {
|
|
19
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/protocol/internalServiceCallsNotGrpc", "value": true}])
|
|
20
|
+
violations := protocol_selection.violations with input as i
|
|
21
|
+
violations[_].id == "PROT-01"
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
test_public_api_not_rest_is_rejected {
|
|
25
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/protocol/publicApiNotRest", "value": true}])
|
|
26
|
+
violations := protocol_selection.violations with input as i
|
|
27
|
+
violations[_].id == "PROT-02"
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
test_graphql_in_domain_layer_is_rejected {
|
|
31
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/protocol/graphqlInDomainLayer", "value": true}])
|
|
32
|
+
violations := protocol_selection.violations with input as i
|
|
33
|
+
violations[_].id == "PROT-04"
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
test_proto_not_centralized_is_rejected {
|
|
37
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/protocol/protoCentralized", "value": false}])
|
|
38
|
+
violations := protocol_selection.violations with input as i
|
|
39
|
+
violations[_].id == "PROT-05"
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
test_breaking_changes_without_version_bump_is_rejected {
|
|
43
|
+
i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/protocol/breakingChangesWithoutVersionBump", "value": true}])
|
|
44
|
+
violations := protocol_selection.violations with input as i
|
|
45
|
+
violations[_].id == "PROT-07"
|
|
46
|
+
}
|
|
@@ -0,0 +1,112 @@
|
|
|
1
|
+
package evolith.rbac.gate
|
|
2
|
+
|
|
3
|
+
import future.keywords.if
|
|
4
|
+
import future.keywords.contains
|
|
5
|
+
|
|
6
|
+
# ---------------------------------------------------------------------------
|
|
7
|
+
# GT-320 — Gate role enforcement
|
|
8
|
+
#
|
|
9
|
+
# Input schema:
|
|
10
|
+
# input.actor.roles array of role strings (e.g. ["product_owner"])
|
|
11
|
+
# input.gate.accountableRole string | null — required role to approve
|
|
12
|
+
# input.gate.waiverAuthority string | null — required role to waive
|
|
13
|
+
# input.action "approve" | "waive"
|
|
14
|
+
#
|
|
15
|
+
# Role hierarchy (mirrors ROLE_HIERARCHY in role.ts)
|
|
16
|
+
# ---------------------------------------------------------------------------
|
|
17
|
+
|
|
18
|
+
# admin and cto supersede every gate role
|
|
19
|
+
superseding_roles := {"admin", "cto"}
|
|
20
|
+
|
|
21
|
+
# Hierarchy expressed as: implied_by[required_role] = set of roles that satisfy it
|
|
22
|
+
implied_by := {
|
|
23
|
+
"product_owner": {"admin", "cto"},
|
|
24
|
+
"architect": {"admin", "cto"},
|
|
25
|
+
"tech_lead": {"admin", "cto", "architect"},
|
|
26
|
+
"qa_lead": {"admin", "cto"},
|
|
27
|
+
"devops_lead": {"admin", "cto"},
|
|
28
|
+
"developer": {"admin", "cto", "architect", "tech_lead"},
|
|
29
|
+
"qa_engineer": {"admin", "cto", "qa_lead"},
|
|
30
|
+
"devops_engineer": {"admin", "cto", "devops_lead"},
|
|
31
|
+
"security_engineer": {"admin", "cto"},
|
|
32
|
+
}
|
|
33
|
+
|
|
34
|
+
# Map human-readable gate labels to canonical role values (mirrors GATE_ROLE_MAP)
|
|
35
|
+
gate_role_map := {
|
|
36
|
+
"Product Owner": "product_owner",
|
|
37
|
+
"Software Architect": "architect",
|
|
38
|
+
"Tech Lead": "tech_lead",
|
|
39
|
+
"QA Lead": "qa_lead",
|
|
40
|
+
"DevOps Lead": "devops_lead",
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
# Resolve a gate label (or already-canonical string) to a canonical role string
|
|
44
|
+
canonical_role(label) := role if {
|
|
45
|
+
role := gate_role_map[label]
|
|
46
|
+
} else := label
|
|
47
|
+
|
|
48
|
+
# Returns true when actor_role satisfies required_role (direct or via hierarchy)
|
|
49
|
+
role_satisfies(actor_role, required) if { actor_role == required }
|
|
50
|
+
role_satisfies(actor_role, required) if { actor_role in implied_by[required] }
|
|
51
|
+
|
|
52
|
+
# ---------------------------------------------------------------------------
|
|
53
|
+
# default deny
|
|
54
|
+
# ---------------------------------------------------------------------------
|
|
55
|
+
|
|
56
|
+
default allow := false
|
|
57
|
+
|
|
58
|
+
# ---------------------------------------------------------------------------
|
|
59
|
+
# approve
|
|
60
|
+
# ---------------------------------------------------------------------------
|
|
61
|
+
|
|
62
|
+
# Open gate — no accountableRole set
|
|
63
|
+
allow if {
|
|
64
|
+
input.action == "approve"
|
|
65
|
+
not input.gate.accountableRole
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
allow if {
|
|
69
|
+
input.action == "approve"
|
|
70
|
+
input.gate.accountableRole != null
|
|
71
|
+
required := canonical_role(input.gate.accountableRole)
|
|
72
|
+
some actor_role in input.actor.roles
|
|
73
|
+
role_satisfies(actor_role, required)
|
|
74
|
+
}
|
|
75
|
+
|
|
76
|
+
# ---------------------------------------------------------------------------
|
|
77
|
+
# waive
|
|
78
|
+
# ---------------------------------------------------------------------------
|
|
79
|
+
|
|
80
|
+
# Open gate — no waiverAuthority set
|
|
81
|
+
allow if {
|
|
82
|
+
input.action == "waive"
|
|
83
|
+
not input.gate.waiverAuthority
|
|
84
|
+
}
|
|
85
|
+
|
|
86
|
+
allow if {
|
|
87
|
+
input.action == "waive"
|
|
88
|
+
input.gate.waiverAuthority != null
|
|
89
|
+
required := canonical_role(input.gate.waiverAuthority)
|
|
90
|
+
some actor_role in input.actor.roles
|
|
91
|
+
role_satisfies(actor_role, required)
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
# ---------------------------------------------------------------------------
|
|
95
|
+
# Violation detail (used by tests / audit logs)
|
|
96
|
+
# ---------------------------------------------------------------------------
|
|
97
|
+
|
|
98
|
+
deny_reason := reason if {
|
|
99
|
+
not allow
|
|
100
|
+
input.action == "approve"
|
|
101
|
+
reason := sprintf(
|
|
102
|
+
"actor roles [%s] do not satisfy accountableRole '%s' for action 'approve'",
|
|
103
|
+
[concat(", ", input.actor.roles), input.gate.accountableRole],
|
|
104
|
+
)
|
|
105
|
+
} else := reason if {
|
|
106
|
+
not allow
|
|
107
|
+
input.action == "waive"
|
|
108
|
+
reason := sprintf(
|
|
109
|
+
"actor roles [%s] do not satisfy waiverAuthority '%s' for action 'waive'",
|
|
110
|
+
[concat(", ", input.actor.roles), input.gate.waiverAuthority],
|
|
111
|
+
)
|
|
112
|
+
}
|
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
package evolith.repository_taxonomy
|
|
2
|
+
|
|
3
|
+
# ---------------------------------------------------------------------------
|
|
4
|
+
# TAX-01..04: Naming conventions (checked via source file analysis)
|
|
5
|
+
# TAX-05..08, TAX-11: Structural checks (already implemented below)
|
|
6
|
+
# TAX-09..10: Artifact placement checks
|
|
7
|
+
# ---------------------------------------------------------------------------
|
|
8
|
+
|
|
9
|
+
violations[{"id": "TAX-01", "message": msg}] {
|
|
10
|
+
file := input.repository.files[_]
|
|
11
|
+
name := split(file, "/")[count(split(file, "/")) - 1]
|
|
12
|
+
not endswith(name, ".md")
|
|
13
|
+
not endswith(name, ".json")
|
|
14
|
+
not endswith(name, ".yaml")
|
|
15
|
+
not endswith(name, ".yml")
|
|
16
|
+
not endswith(name, ".rego")
|
|
17
|
+
not endswith(name, ".ts")
|
|
18
|
+
not endswith(name, ".mjs")
|
|
19
|
+
not endswith(name, ".js")
|
|
20
|
+
regex.match(`[A-Z_\s]`, name)
|
|
21
|
+
msg := sprintf("File name does not use kebab-case: %v", [name])
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
violations[{"id": "TAX-02", "message": msg}] {
|
|
25
|
+
input.repository.naming.pascalCaseViolations > 0
|
|
26
|
+
msg := sprintf("Class/type names violate PascalCase convention (%d violations)", [input.repository.naming.pascalCaseViolations])
|
|
27
|
+
}
|
|
28
|
+
|
|
29
|
+
violations[{"id": "TAX-03", "message": msg}] {
|
|
30
|
+
input.repository.naming.camelCaseViolations > 0
|
|
31
|
+
msg := sprintf("Variable/function names violate camelCase convention (%d violations)", [input.repository.naming.camelCaseViolations])
|
|
32
|
+
}
|
|
33
|
+
|
|
34
|
+
violations[{"id": "TAX-04", "message": msg}] {
|
|
35
|
+
input.repository.naming.constantCaseViolations > 0
|
|
36
|
+
msg := sprintf("Constant names violate UPPER_SNAKE_CASE convention (%d violations)", [input.repository.naming.constantCaseViolations])
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
violations[{"id": "TAX-09", "message": msg}] {
|
|
40
|
+
input.repository.type == "core"
|
|
41
|
+
file := input.repository.files[_]
|
|
42
|
+
contains(file, "product-specific")
|
|
43
|
+
not startswith(file, "reference/knowledge/demo")
|
|
44
|
+
msg := sprintf("Product-specific artifact found in Core reference/: %v", [file])
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
violations[{"id": "TAX-10", "message": msg}] {
|
|
48
|
+
file := input.repository.files[_]
|
|
49
|
+
startswith(file, "reference/")
|
|
50
|
+
input.repository.productArtifacts[file]
|
|
51
|
+
msg := sprintf("Product-specific artifact must not be in reference/: %v (use docs/ or satellite repo)", [file])
|
|
52
|
+
}
|
|
53
|
+
|
|
54
|
+
violations[{"id": "TAX-05", "message": msg}] {
|
|
55
|
+
input.repository.type == "core"
|
|
56
|
+
expected := {"reference", "sdk", "rulesets"}
|
|
57
|
+
actual := {dir | dir := input.repository.directories[_]}
|
|
58
|
+
missing := expected - actual
|
|
59
|
+
count(missing) > 0
|
|
60
|
+
msg := sprintf("Core repository missing directories: %v", [concat(", ", missing)])
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
violations[{"id": "TAX-06", "message": msg}] {
|
|
64
|
+
input.repository.type == "satellite"
|
|
65
|
+
expected := {"src", "tests", "docs"}
|
|
66
|
+
actual := {dir | dir := input.repository.directories[_]}
|
|
67
|
+
missing := expected - actual
|
|
68
|
+
count(missing) > 0
|
|
69
|
+
msg := sprintf("Satellite repository missing directories: %v", [concat(", ", missing)])
|
|
70
|
+
}
|
|
71
|
+
|
|
72
|
+
is_valid_adr_name(name) {
|
|
73
|
+
regex.match(`^[0-9]{4}-[a-z0-9-]+\.md$`, name)
|
|
74
|
+
}
|
|
75
|
+
|
|
76
|
+
violations[{"id": "TAX-07", "message": msg}] {
|
|
77
|
+
adr := input.repository.adrs[_]
|
|
78
|
+
name := split(adr, "/")[count(split(adr, "/")) - 1]
|
|
79
|
+
not endswith(name, ".es.md")
|
|
80
|
+
not is_valid_adr_name(name)
|
|
81
|
+
msg := sprintf("ADR filename does not match pattern ^[0-9]{4}-[a-z-]+\\.md$: %v", [name])
|
|
82
|
+
}
|
|
83
|
+
|
|
84
|
+
violations[{"id": "TAX-08", "message": msg}] {
|
|
85
|
+
adr := input.repository.adrs[_]
|
|
86
|
+
name := split(adr, "/")[count(split(adr, "/")) - 1]
|
|
87
|
+
endswith(name, ".md")
|
|
88
|
+
not endswith(name, ".es.md")
|
|
89
|
+
es_name := replace(name, ".md", ".es.md")
|
|
90
|
+
adrs_set := {split(a, "/")[count(split(a, "/")) - 1] | a := input.repository.adrs[_]}
|
|
91
|
+
not adrs_set[es_name]
|
|
92
|
+
msg := sprintf("ADR missing bilingual pair: %v", [name])
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
violations[{"id": "TAX-11", "message": "Root-level topologies/ directory is prohibited"}] {
|
|
96
|
+
dir := input.repository.directories[_]
|
|
97
|
+
dir == "topologies"
|
|
98
|
+
}
|
|
@@ -0,0 +1,91 @@
|
|
|
1
|
+
package evolith.repository_taxonomy_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.repository_taxonomy
|
|
4
|
+
|
|
5
|
+
test_core_with_required_dirs_has_no_violations {
|
|
6
|
+
violations := repository_taxonomy.violations with input as {
|
|
7
|
+
"repository": {
|
|
8
|
+
"type": "core",
|
|
9
|
+
"directories": ["reference", "sdk", "rulesets", "src"],
|
|
10
|
+
"adrs": ["reference/architecture/adrs/core/0001-monorepo-orchestration.md", "reference/architecture/adrs/core/0001-monorepo-orchestration.es.md"]
|
|
11
|
+
}
|
|
12
|
+
}
|
|
13
|
+
count(violations) == 0
|
|
14
|
+
}
|
|
15
|
+
|
|
16
|
+
test_core_missing_reference_dir_is_violation {
|
|
17
|
+
violations := repository_taxonomy.violations with input as {
|
|
18
|
+
"repository": {
|
|
19
|
+
"type": "core",
|
|
20
|
+
"directories": ["sdk", "rulesets"],
|
|
21
|
+
"adrs": []
|
|
22
|
+
}
|
|
23
|
+
}
|
|
24
|
+
violations[_].id == "TAX-05"
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
test_satellite_with_required_dirs_has_no_violations {
|
|
28
|
+
violations := repository_taxonomy.violations with input as {
|
|
29
|
+
"repository": {
|
|
30
|
+
"type": "satellite",
|
|
31
|
+
"directories": ["src", "tests", "docs"],
|
|
32
|
+
"adrs": []
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
count(violations) == 0
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
test_satellite_missing_dirs_is_violation {
|
|
39
|
+
violations := repository_taxonomy.violations with input as {
|
|
40
|
+
"repository": {
|
|
41
|
+
"type": "satellite",
|
|
42
|
+
"directories": ["src"],
|
|
43
|
+
"adrs": []
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
violations[_].id == "TAX-06"
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
test_adr_with_valid_name_has_no_violation {
|
|
50
|
+
violations := repository_taxonomy.violations with input as {
|
|
51
|
+
"repository": {
|
|
52
|
+
"type": "core",
|
|
53
|
+
"directories": ["reference", "sdk", "rulesets"],
|
|
54
|
+
"adrs": ["reference/architecture/adrs/core/0002-clean-architecture.md", "reference/architecture/adrs/core/0002-clean-architecture.es.md"]
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
count(violations) == 0
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
test_adr_invalid_name_is_violation {
|
|
61
|
+
violations := repository_taxonomy.violations with input as {
|
|
62
|
+
"repository": {
|
|
63
|
+
"type": "core",
|
|
64
|
+
"directories": ["reference", "sdk", "rulesets"],
|
|
65
|
+
"adrs": ["reference/architecture/adrs/core/invalid-adr-name.md"]
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
violations[_].id == "TAX-07"
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
test_adr_missing_bilingual_pair_is_violation {
|
|
72
|
+
violations := repository_taxonomy.violations with input as {
|
|
73
|
+
"repository": {
|
|
74
|
+
"type": "core",
|
|
75
|
+
"directories": ["reference", "sdk", "rulesets"],
|
|
76
|
+
"adrs": ["reference/architecture/adrs/core/0001-feature.md"]
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
violations[_].id == "TAX-08"
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
test_root_topologies_dir_is_violation {
|
|
83
|
+
violations := repository_taxonomy.violations with input as {
|
|
84
|
+
"repository": {
|
|
85
|
+
"type": "core",
|
|
86
|
+
"directories": ["reference", "sdk", "rulesets", "topologies"],
|
|
87
|
+
"adrs": []
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
violations[_].id == "TAX-11"
|
|
91
|
+
}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
package evolith.satellite_contracts
|
|
2
|
+
|
|
3
|
+
violations[{"id": "SVC-01", "message": "evolith.yaml not found at repository root or multiple evolith.yaml files found"}] {
|
|
4
|
+
not input.satellite.contracts.hasEvolyamlAtRoot
|
|
5
|
+
}
|
|
6
|
+
|
|
7
|
+
violations[{"id": "SVC-03", "message": "F1 phase satellite must reference core/ADR-0047 in spec.compliance.adrRegistry"}] {
|
|
8
|
+
input.satellite.contracts.phase == "F1"
|
|
9
|
+
not input.satellite.contracts.hasAdr0047
|
|
10
|
+
}
|
|
11
|
+
|
|
12
|
+
violations[{"id": "SVC-04", "message": "F2/F3 satellite missing extraction readiness score documentation"}] {
|
|
13
|
+
input.satellite.contracts.phase == "F2"
|
|
14
|
+
not input.satellite.contracts.hasExtractionReadinessScore
|
|
15
|
+
}
|
|
16
|
+
|
|
17
|
+
violations[{"id": "SVC-04", "message": "F2/F3 satellite missing extraction readiness score documentation"}] {
|
|
18
|
+
input.satellite.contracts.phase == "F3"
|
|
19
|
+
not input.satellite.contracts.hasExtractionReadinessScore
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
violations[{"id": "SVC-05", "message": "Core version referenced does not exist in Evolith Core registry"}] {
|
|
23
|
+
not input.satellite.contracts.coreVersionExists
|
|
24
|
+
}
|
|
25
|
+
|
|
26
|
+
violations[{"id": "SVC-02", "message": "Satellite name must be unique across all registered Evolith satellites — name conflict detected in registry"}] {
|
|
27
|
+
not input.satellite.contracts.nameIsUnique
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
violations[{"id": "MIG-01", "message": "No documented upgrade path for satellite governance version — run 'evolith upgrade --target <version>' to document the upgrade procedure"}] {
|
|
31
|
+
input.satellite.contracts.needsGovernanceUpgrade
|
|
32
|
+
not input.satellite.contracts.upgradePathDocumented
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
violations[{"id": "MIG-02", "message": "Phase transition attempted without Architecture Board approval artifact"}] {
|
|
36
|
+
input.satellite.contracts.phaseTransitionWithoutApproval
|
|
37
|
+
}
|
|
38
|
+
|
|
39
|
+
violations[{"id": "MIG-03", "message": "Satellite deprecated without marking status in evolith.yaml"}] {
|
|
40
|
+
input.satellite.contracts.isDeprecated
|
|
41
|
+
not input.satellite.contracts.deprecatedStatusMarked
|
|
42
|
+
}
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
package evolith.satellite_contracts_test
|
|
2
|
+
|
|
3
|
+
import data.evolith.satellite_contracts
|
|
4
|
+
|
|
5
|
+
compliant_f1_input := {"satellite": {"contracts": {
|
|
6
|
+
"hasEvolyamlAtRoot": true,
|
|
7
|
+
"phase": "F1",
|
|
8
|
+
"hasAdr0047": true,
|
|
9
|
+
"hasExtractionReadinessScore": false,
|
|
10
|
+
"coreVersionExists": true,
|
|
11
|
+
"phaseTransitionWithoutApproval": false,
|
|
12
|
+
"isDeprecated": false,
|
|
13
|
+
"deprecatedStatusMarked": false,
|
|
14
|
+
}}}
|
|
15
|
+
|
|
16
|
+
test_compliant_f1_satellite_has_no_violations {
|
|
17
|
+
violations := satellite_contracts.violations with input as compliant_f1_input
|
|
18
|
+
count(violations) == 0
|
|
19
|
+
}
|
|
20
|
+
|
|
21
|
+
test_missing_evolyaml_is_rejected {
|
|
22
|
+
i := json.patch(compliant_f1_input, [{"op": "replace", "path": "/satellite/contracts/hasEvolyamlAtRoot", "value": false}])
|
|
23
|
+
violations := satellite_contracts.violations with input as i
|
|
24
|
+
violations[_].id == "SVC-01"
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
test_f1_missing_adr0047_is_rejected {
|
|
28
|
+
i := json.patch(compliant_f1_input, [{"op": "replace", "path": "/satellite/contracts/hasAdr0047", "value": false}])
|
|
29
|
+
violations := satellite_contracts.violations with input as i
|
|
30
|
+
violations[_].id == "SVC-03"
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
test_f2_missing_extraction_readiness_is_rejected {
|
|
34
|
+
i := json.patch(compliant_f1_input, [
|
|
35
|
+
{"op": "replace", "path": "/satellite/contracts/phase", "value": "F2"},
|
|
36
|
+
{"op": "replace", "path": "/satellite/contracts/hasExtractionReadinessScore", "value": false},
|
|
37
|
+
])
|
|
38
|
+
violations := satellite_contracts.violations with input as i
|
|
39
|
+
violations[_].id == "SVC-04"
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
test_f3_missing_extraction_readiness_is_rejected {
|
|
43
|
+
i := json.patch(compliant_f1_input, [
|
|
44
|
+
{"op": "replace", "path": "/satellite/contracts/phase", "value": "F3"},
|
|
45
|
+
{"op": "replace", "path": "/satellite/contracts/hasExtractionReadinessScore", "value": false},
|
|
46
|
+
])
|
|
47
|
+
violations := satellite_contracts.violations with input as i
|
|
48
|
+
violations[_].id == "SVC-04"
|
|
49
|
+
}
|
|
50
|
+
|
|
51
|
+
test_core_version_not_found_is_rejected {
|
|
52
|
+
i := json.patch(compliant_f1_input, [{"op": "replace", "path": "/satellite/contracts/coreVersionExists", "value": false}])
|
|
53
|
+
violations := satellite_contracts.violations with input as i
|
|
54
|
+
violations[_].id == "SVC-05"
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
test_phase_transition_without_approval_is_rejected {
|
|
58
|
+
i := json.patch(compliant_f1_input, [{"op": "replace", "path": "/satellite/contracts/phaseTransitionWithoutApproval", "value": true}])
|
|
59
|
+
violations := satellite_contracts.violations with input as i
|
|
60
|
+
violations[_].id == "MIG-02"
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
test_deprecated_without_status_marked_is_rejected {
|
|
64
|
+
i := json.patch(compliant_f1_input, [
|
|
65
|
+
{"op": "replace", "path": "/satellite/contracts/isDeprecated", "value": true},
|
|
66
|
+
{"op": "replace", "path": "/satellite/contracts/deprecatedStatusMarked", "value": false},
|
|
67
|
+
])
|
|
68
|
+
violations := satellite_contracts.violations with input as i
|
|
69
|
+
violations[_].id == "MIG-03"
|
|
70
|
+
}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "http://json-schema.org/draft-07/schema#",
|
|
3
|
+
"$id": "https://evolith.dev/schema/opa/abac-mcp-tool-access.input.schema.json",
|
|
4
|
+
"title": "ABAC MCP Tool Access OPA Policy Input Schema",
|
|
5
|
+
"type": "object",
|
|
6
|
+
"required": ["user", "tool_name", "environment"],
|
|
7
|
+
"properties": {
|
|
8
|
+
"user": {
|
|
9
|
+
"type": "object",
|
|
10
|
+
"required": ["id", "roles"],
|
|
11
|
+
"properties": {
|
|
12
|
+
"id": { "type": "string" },
|
|
13
|
+
"roles": { "type": "array", "items": { "type": "string" } },
|
|
14
|
+
"tenant": { "type": "string" }
|
|
15
|
+
}
|
|
16
|
+
},
|
|
17
|
+
"tool_name": { "type": "string" },
|
|
18
|
+
"resource_domain": { "type": "string" },
|
|
19
|
+
"environment": { "type": "string" }
|
|
20
|
+
}
|
|
21
|
+
}
|