Skip to main content

Module write_policy

Module write_policy 

Source
Expand description

Handler-level git-write policy allowlist (ADR-108 Amendment).

git.commit / git.branch / git.push fail closed at the handler when no policy artifact is configured, or the artifact is empty — the same enforcement class as crate::write_argv::reject_force’s unconditional force-push denial: deliberately not dependent on Gate configuration. The Rego/Gate policy path (ADR-018) still runs on top of this, unchanged; this module only adds a handler-level precondition that must also pass.

The policy is a closed allowlist of (repo_path, branch_patterns) entries sourced from the [git_write] section of the standard khive config file (khive_runtime::engine_config::KhiveConfig). Discovery (--config/KHIVE_CONFIG, project khive.toml, db-anchored .khive/config.toml, ~/.khive/config.toml) happens exactly once, at boot, in the transport layer (khive-mcp::serve) via khive_runtime::runtime_config_from_khive_config, which threads the resolved [git_write] section into RuntimeConfig::git_write. This module never re-reads KHIVE_CONFIG or re-runs discovery itself — GitWritePolicy::from_config is a pure, I/O-free conversion from the already-resolved RuntimeConfig::git_write the handler reads via self.runtime().config().git_write (ADR-108 review r2: a handler-level reload ignored an explicit --config path that was not also exported as KHIVE_CONFIG, so kkernel mcp --config /path silently failed closed). An allowlisted repo is operator-declared trusted provenance — this is the concrete boundary ADR-108’s Open Question 4 (fork-content write capability stays unbuilt) resolves to: only repos an operator has explicitly named ever accept a khive-mediated write.

Structs§

GitWritePolicy
The parsed [git_write] allowlist.
GitWritePolicyEntry
One allowlisted (repo_path, branch_patterns) entry.

Enums§

GitWritePolicyError
Why a git-write policy check failed.