Format validation per ADR-021 §6 (the “validation framework”
umbrella) and ADR-020 §3 (format_regex / pattern_id
metadata fields).
The check is format-only and lazy on demand: it compares a
candidate value against the regex declared by the global-index
entry (format_regex) or, failing that, by the pattern referenced
through pattern_id. A liveness probe — actually asking the
upstream whether the value still works — is a separate phase
(P9.2) and lives in its own module.
§Resolution order
- If the entry has an inline format_regex, compile and use it.
- Otherwise, if the entry has a pattern_id, look it up in the devboy_secret_patterns::Catalogue and use its SecretPattern::format_regex.
- Otherwise, return FormatCheck::NoRule — the caller chose not to declare a format, so the validator stays silent.
Inline format_regex wins over pattern_id because a project may
have a tighter shape in mind than the generic pattern (e.g. a
regex that pins the prefix to a specific tenant id).
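The resolution order above, modelled as an added example (not the crate's own code). It is written in Python so it runs on the standard library alone. Entry, CATALOGUE, the ext_ token shape, the outcome strings, whole-value matching and the treatment of an unknown pattern_id are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from functools import lru_cache
from typing import Optional

# Constructed catalogue: pattern_id -> generic format regex (not a real vendor format).
CATALOGUE = {"example-token": r"ext_[a-z0-9]{4}_[A-Za-z0-9]{16}"}

@dataclass
class Entry:
    """Hypothetical global-index entry carrying the two metadata fields."""
    format_regex: Optional[str] = None
    pattern_id: Optional[str] = None

@lru_cache(maxsize=None)
def catalogue_regex(pattern_id: str):
    """Compile a catalogue pattern once and cache it; None if the id is unknown."""
    src = CATALOGUE.get(pattern_id)
    return re.compile(src) if src is not None else None

def validate_format(entry: Entry, value: str):
    """Return (outcome, rule_source): outcome is 'match', 'mismatch' or 'no_rule'."""
    rule, source = None, None
    if entry.format_regex is not None:
        # 1. Inline rule wins; re.compile is invoked on every call, not ahead of time.
        rule, source = re.compile(entry.format_regex), "inline"
    elif entry.pattern_id is not None:
        # 2. Otherwise use the catalogue pattern referenced by pattern_id.
        rule, source = catalogue_regex(entry.pattern_id), "catalogue"
    if rule is None:
        # 3. No declared format (assumption: an unknown pattern_id lands here too).
        return ("no_rule", None)
    # Assumption: the whole value must match, so trailing junk is a mismatch.
    return ("match" if rule.fullmatch(value) else "mismatch", source)

# Constructed sample data: one generic entry, one pinned to tenant "ab12".
GENERIC = Entry(pattern_id="example-token")
PINNED = Entry(format_regex=r"ext_ab12_[A-Za-z0-9]{16}", pattern_id="example-token")
OTHER_TENANT = "ext_zz99_" + "B" * 16  # well-formed, but for a different tenant

if __name__ == "__main__":
    print(validate_format(GENERIC, OTHER_TENANT))  # generic shape accepts it
    print(validate_format(PINNED, OTHER_TENANT))   # tighter inline rule rejects it
    print(validate_format(Entry(), OTHER_TENANT))  # nothing declared: silent
```

A revoked token with the right shape still returns a match here, since nothing in this check contacts the upstream.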
§What the validator does not do
- Compile patterns ahead of time. Inline format_regex compiles on every call. The catalogue’s format_regex() is already cached behind OnceLock. A full ahead-of-time compile of all index entries can land later if profiling shows it’s needed; for now secrets validate <path> is on demand and the cost is acceptable.
- Probe upstream liveness. That’s P9.2. A pattern that is well-formed but revoked still passes this check.
Enums§
- FormatCheck: Outcome of validate_format.
- FormatRuleSource: Provenance of the regex used by the check.
Functions§
- validate_format: Validate value against the format rule attached to entry.