more audit work

2026-01-08 10:21:51 +02:00
parent 43c02081ef
commit 51cf4bc16c
546 changed files with 36721 additions and 4003 deletions
--- a/policies/schemas/policy-pack.schema.json
+++ b/policies/schemas/policy-pack.schema.json
@@ -2,28 +2,92 @@
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://stellaops.io/schemas/policy-pack.schema.json",
  "title": "Policy Pack Schema",
-  "description": "Schema for StellaOps policy pack definitions.",
+  "description": "Schema for StellaOps policy packs and overrides.",
  "type": "object",
+  "required": ["apiVersion", "kind", "metadata", "spec"],
  "properties": {
-    "name": {
+    "apiVersion": {
      "type": "string",
-      "description": "The name of the policy pack."
+      "pattern": "^policy\\.stellaops\\.io/v[0-9]+$"
    },
-    "version": {
+    "kind": {
      "type": "string",
-      "description": "The version of the policy pack."
+      "enum": ["PolicyPack", "PolicyOverride"]
    },
-    "description": {
-      "type": "string",
-      "description": "A description of the policy pack."
+    "metadata": {
+      "type": "object",
+      "required": ["name", "version"],
+      "properties": {
+        "name": { "type": "string" },
+        "version": { "type": "string" },
+        "description": { "type": "string" },
+        "parent": { "type": "string" },
+        "environment": { "type": "string" }
+      },
+      "additionalProperties": true
    },
-    "rules": {
-      "type": "array",
-      "description": "The rules in the policy pack.",
-      "items": {
-        "type": "object"
-      }
+    "spec": {
+      "type": "object",
+      "properties": {
+        "settings": {
+          "type": "object",
+          "additionalProperties": true
+        },
+        "rules": {
+          "type": "array",
+          "items": { "$ref": "#/$defs/rule" }
+        },
+        "ruleOverrides": {
+          "type": "array",
+          "items": { "$ref": "#/$defs/ruleOverride" }
+        },
+        "additionalRules": {
+          "type": "array",
+          "items": { "$ref": "#/$defs/rule" }
+        }
+      },
+      "additionalProperties": true
    }
  },
-  "required": ["name", "version"]
+  "$defs": {
+    "rule": {
+      "type": "object",
+      "required": ["name", "action"],
+      "properties": {
+        "name": { "type": "string" },
+        "action": { "type": "string", "enum": ["allow", "warn", "block"] },
+        "priority": { "type": "integer" },
+        "description": { "type": "string" },
+        "match": { "type": "object", "additionalProperties": true },
+        "unless": { "type": "object", "additionalProperties": true },
+        "require": { "type": "object", "additionalProperties": true },
+        "message": { "type": "string" },
+        "log": { "type": "boolean" },
+        "enabled": { "type": "boolean" },
+        "type": { "type": "string" }
+      },
+      "additionalProperties": true
+    },
+    "ruleOverride": {
+      "type": "object",
+      "required": ["name"],
+      "properties": {
+        "name": { "type": "string" },
+        "action": { "type": "string", "enum": ["allow", "warn", "block"] },
+        "enabled": { "type": "boolean" }
+      },
+      "additionalProperties": true
+    }
+  },
+  "allOf": [
+    {
+      "if": { "properties": { "kind": { "const": "PolicyPack" } } },
+      "then": { "properties": { "spec": { "required": ["rules"] } } }
+    },
+    {
+      "if": { "properties": { "kind": { "const": "PolicyOverride" } } },
+      "then": { "properties": { "metadata": { "required": ["parent", "environment"] } } }
+    }
+  ],
+  "additionalProperties": true
 }