Skip to content

Registry lint guard for healthCheck.assertFile + allowlist (#660 PR 5) #1223

Description

@mchmarny

Summary

Add a pkg/recipe registry-validation guard that blocks new registry
components from landing without a healthCheck.assertFile, and enforces
the read-only assertion allowlist on registry-declared Chainsaw content.

Lands after #660 PR 3 (backfill) so all current components are covered
before the guard begins enforcing.

Scope

Required healthCheck.assertFile on new components

  • Lint-level check in pkg/recipe that runs as part of the existing
    repo CI / make qualify surface (not new runtime behavior).
  • Rejects any recipes/registry.yaml entry that lacks
    healthCheck.assertFile after this PR lands.
  • Existing components are grandfathered only insofar as they all
    declare assertFile by the time this PR ships ([EPIC] Reuse Chainsaw health checks in aicr validate --phase deployment #660 PR 3 must land
    first).

Read-only allowlist enforcement

Surface decision (open)

Out of Scope

Acceptance Criteria

  • make qualify (or the chosen surface) fails when a new registry
    entry lacks healthCheck.assertFile.
  • make qualify fails when registry-declared assert content uses an
    operation outside the assert / error allowlist.
  • The check produces a structured ErrCodeInvalidRequest with the
    offending component name + operation.
  • Documentation in docs/contributor/recipe.md (or equivalent)
    explains the contract for new components.

Related

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions