Commit graph

2 commits

Author SHA1 Message Date
1e0e403f1e feat(zddc): retire defaults.zddc.yaml; .zddc.zip is the policy carrier (phase 6)
Completes the migration. The embedded per-depth tree (internal/zddc/defaults/)
is now the sole source of the shipped baseline; defaults.zddc.yaml is deleted.

  - EmbeddedDefaults() assembles the tree (no yaml). show-defaults now emits a
    .zddc.zip (per-depth, "*" wildcard members) via EmbeddedDefaultsZip() —
    operators redirect it to <ROOT>/.zddc.zip (or any directory) and edit/add/
    delete individual members.
  - Dropped EmbeddedDefaultsBytes; reworked the dumpable test to validate the
    emitted zip; removed the now-redundant tree-vs-yaml oracle (the Layer-2
    matrix is the ongoing behavioral guarantee, and it stays green).
  - Swept stale "defaults.zddc.yaml" comment references to the embedded tree.
  - GRAMMAR.md §1/§6 updated: .zddc.zip is a policy bundle mountable at ANY
    directory (subtree mount; inherit:false + acl.inherit:false = island); the
    shipped baseline is the embedded bundle at the root.

Net of the 6-phase migration: policy is per-depth .zddc files in a .zddc.zip
that an operator can drop at any level to override the cascade; the engine
(Assemble + the unchanged walker) enforces it. Full Go suite + matrix green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 11:35:21 -05:00
a84bdfdc58 docs(zddc): formal .zddc grammar reference
Consolidates the .zddc policy language — scattered today across ZddcFile struct
comments, defaults.zddc.yaml, and ARCHITECTURE.md — into one authoritative spec:

  - document model + cascade (levels root→leaf, virtual paths:, fences) and the
    rule that decisions resolve at the target's OWN dir (the bug class we hit);
  - the decision pipeline: active-admin bypass → WORM mask → cascade ACL, plus
    elevation + default-allow-on-empty-tree;
  - ACL composition, with the two deliberately-different rules stated plainly
    (role membership unions up the tree; permissions take the deepest match);
  - a per-key reference table (type + cascade semantics + meaning) for all ~25
    keys, including the mergeOverlay trap for adding new keys;
  - reserved namespaces (.zddc.d, .zddc.zip);
  - a reserved `when:` extension point for sandboxed, side-effect-free
    expressions (CEL/expr-lang) — the safe alternative to raw JS, complementing
    the existing OPA/Rego Decider seam;
  - validation + the two executable backings (Layer 1 engine, Layer 2 matrix).

Policy-as-data: operators express behaviour in .zddc; the app enforces. Per the
chosen direction (formalize first; sandboxed expressions for the conditional gap).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 10:24:15 -05:00
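As an added illustration of the two ACL composition rules this commit message states (role membership unions along the cascade from root to leaf; permissions take the deepest level that declares them), of decisions resolving at the target's own directory, and of default-allow on an empty tree, the Go model below is example code written for this page, not the project's engine or its ZddcFile struct. The Policy and Tree shapes, the Decide/EffectiveRoles/EffectivePerm functions, the sample tree and the rule that an action no level declares is denied are all assumptions; the active-admin bypass, WORM mask, elevation, fences and virtual paths are deliberately left out.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Policy is a hypothetical per-directory policy node modelled on the commit's
// description: role membership plus per-action permissions. Field names and
// shapes are assumptions for this example, not the project's .zddc schema.
type Policy struct {
	Roles map[string][]string // role -> members
	Perms map[string][]string // action -> roles allowed; present-but-empty means nobody
}

// Tree maps a directory ("" is the root, "a/b" a subdirectory) to the policy
// declared there. Directories without a policy are simply absent.
type Tree map[string]Policy

// dirOf returns the directory of a target: decisions resolve at the target's
// OWN directory, never at the cascade root.
func dirOf(target string) string {
	d := path.Dir(path.Clean(target))
	if d == "." || d == "/" {
		return ""
	}
	return strings.TrimPrefix(d, "/")
}

// chain returns root..dir inclusive, shallowest first.
func chain(dir string) []string {
	out := []string{""}
	if dir == "" {
		return out
	}
	parts := strings.Split(dir, "/")
	for i := range parts {
		out = append(out, strings.Join(parts[:i+1], "/"))
	}
	return out
}

// EffectiveRoles unions role membership from the root down to dir.
func EffectiveRoles(t Tree, dir string) map[string]map[string]bool {
	roles := map[string]map[string]bool{}
	for _, d := range chain(dir) {
		for role, members := range t[d].Roles {
			if roles[role] == nil {
				roles[role] = map[string]bool{}
			}
			for _, m := range members {
				roles[role][m] = true
			}
		}
	}
	return roles
}

// EffectivePerm returns the allowed roles for action from the deepest level in
// root..dir that declares it; ok is false when no level declares the action.
func EffectivePerm(t Tree, dir, action string) (allowed []string, ok bool) {
	for _, d := range chain(dir) {
		if a, declared := t[d].Perms[action]; declared {
			allowed, ok = a, true // keep overwriting: the deepest declaration wins
		}
	}
	return allowed, ok
}

// Decide applies both rules at the target's own directory. Assumption beyond
// the commit text: an action that no level declares is denied.
func Decide(t Tree, target, action, user string) bool {
	if len(t) == 0 {
		return true // default-allow-on-empty-tree
	}
	dir := dirOf(target)
	allowed, ok := EffectivePerm(t, dir, action)
	if !ok {
		return false
	}
	roles := EffectiveRoles(t, dir)
	for _, r := range allowed {
		if roles[r][user] {
			return true
		}
	}
	return false
}

// SampleTree is constructed for this example: root grants write to "dev";
// proj adds carol to dev but narrows write to "lead"; archive declares write
// for nobody.
func SampleTree() Tree {
	return Tree{
		"": {
			Roles: map[string][]string{"dev": {"alice", "bob"}},
			Perms: map[string][]string{"write": {"dev"}},
		},
		"proj": {
			Roles: map[string][]string{"dev": {"carol"}, "lead": {"alice"}},
			Perms: map[string][]string{"write": {"lead"}},
		},
		"proj/archive": {
			Perms: map[string][]string{"write": {}},
		},
	}
}

func main() {
	t := SampleTree()
	for _, c := range []struct{ target, action, user string }{
		{"proj/notes.txt", "write", "alice"},
		{"proj/notes.txt", "write", "bob"},
		{"README.md", "write", "carol"},
		{"proj/archive/old.txt", "write", "alice"},
	} {
		fmt.Printf("%-22s %-5s %-6s -> %v\n", c.target, c.action, c.user,
			Decide(t, c.target, c.action, c.user))
	}
}
```

The interesting cases are the asymmetric ones: bob is a dev everywhere but cannot write under proj because the deepest write declaration names only lead, while carol, a dev only by proj's declaration, cannot write README.md at the root because role membership unions downward from the root and never upward from a subdirectory.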