Module validation

Format validation per ADR-021 §6 (the “validation framework” umbrella) and ADR-020 §3 (format_regex / pattern_id metadata fields).

The check is format-only and lazy (on demand): it compares a candidate value against the regex declared by the global-index entry (format_regex) or, failing that, by the pattern referenced through pattern_id. A liveness probe — actually asking the upstream whether the value still works — is a separate phase (P9.2) and lives in its own module.

§Resolution order

  1. If the entry has an inline format_regex, compile and use it.
  2. Otherwise, if the entry has a pattern_id, look it up in the devboy_secret_patterns::Catalogue and use its SecretPattern::format_regex.
  3. Otherwise, return FormatCheck::NoRule — the caller chose not to declare a format, so the validator stays silent.

Inline format_regex wins over pattern_id because a project may have a tighter shape in mind than the generic pattern (e.g. a regex that pins the prefix to a specific tenant id).
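
The resolution order above, modelled as an added Python example (not the crate's Rust code). `Entry`, `CATALOGUE`, the outcome strings and the sample tokens are constructed for illustration; how the real validator reports an unknown pattern_id or an uncompilable regex is not stated on this page and is an assumption here.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the pattern catalogue: pattern_id -> generic regex.
CATALOGUE = {"example-api-token": r"tok_[a-z0-9]+_[A-Za-z0-9]{16}"}

@dataclass
class Entry:
    """Model of a global-index entry; both metadata fields are optional."""
    format_regex: Optional[str] = None
    pattern_id: Optional[str] = None

def validate_format(entry: Entry, value: str) -> Tuple[str, Optional[str]]:
    """Return (outcome, rule_source) following the documented resolution order."""
    if entry.format_regex is not None:       # 1. inline rule wins
        rule, source = entry.format_regex, "inline"
    elif entry.pattern_id is not None:       # 2. fall back to the catalogue
        rule = CATALOGUE.get(entry.pattern_id)
        if rule is None:                     # assumption: surfaced as an error
            return ("unknown_pattern", None)
        source = "pattern"
    else:                                    # 3. nothing declared: stay silent
        return ("no_rule", None)
    try:
        compiled = re.compile(rule)          # compiled on demand, on every call
    except re.error:                         # assumption: surfaced as an error
        return ("invalid_regex", source)
    # fullmatch so a valid token embedded in a longer string does not pass
    # (a choice made in this model).
    return ("match" if compiled.fullmatch(value) else "mismatch", source)

# Constructed sample data: a generic entry and one pinned to tenant "acme".
GENERIC = Entry(pattern_id="example-api-token")
PINNED = Entry(format_regex=r"tok_acme_[A-Za-z0-9]{16}",
               pattern_id="example-api-token")
OTHER_TENANT = "tok_globex_0123456789abcdef"
OWN_TENANT = "tok_acme_0123456789abcdef"

if __name__ == "__main__":
    for name, entry in (("generic", GENERIC), ("pinned", PINNED), ("bare", Entry())):
        for value in (OTHER_TENANT, OWN_TENANT):
            print(name, value, validate_format(entry, value))
```

The pinned entry rejects a token that the generic catalogue pattern accepts, which is the reason the inline rule takes precedence. A "match" says nothing about whether the token is still live.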

§What the validator does not do

  • Compile patterns ahead of time. Inline format_regex compiles on every call. The catalogue’s format_regex() is already cached behind OnceLock. A full ahead-of-time compile of all index entries can land later if profiling shows it’s needed; for now secrets validate <path> is on demand and the cost is acceptable.
  • Probe upstream liveness. That’s P9.2. A value that is well-formed but revoked still passes this check.

§Enums

  • FormatCheck: Outcome of validate_format.
  • FormatRuleSource: Provenance of the regex used by the check.

§Functions

  • validate_format: Validate value against the format rule attached to entry.