Expand description
Handler-level git-write policy allowlist (ADR-108 Amendment).
git.commit / git.branch / git.push fail closed at the handler when
no policy artifact is configured, or the artifact is empty — the same
enforcement class as crate::write_argv::reject_force’s unconditional
force-push denial: deliberately not dependent on Gate configuration. The
Rego/Gate policy path (ADR-018) still runs on top of this, unchanged;
this module only adds a handler-level precondition that must also pass.
The policy is a closed allowlist of (repo_path, branch_patterns)
entries sourced from the [git_write] section of the standard khive
config file (khive_runtime::engine_config::KhiveConfig). Discovery
(--config/KHIVE_CONFIG, project khive.toml, db-anchored
.khive/config.toml, ~/.khive/config.toml) happens exactly once, at
boot, in the transport layer (khive-mcp::serve) via
khive_runtime::runtime_config_from_khive_config, which threads the
resolved [git_write] section into RuntimeConfig::git_write. This
module never re-reads KHIVE_CONFIG or re-runs discovery itself —
GitWritePolicy::from_config is a pure, I/O-free conversion from the
already-resolved RuntimeConfig::git_write the handler reads via
self.runtime().config().git_write (ADR-108 review r2: a handler-level
reload ignored an explicit --config path that was not also exported as
KHIVE_CONFIG, so kkernel mcp --config /path silently failed closed).
An allowlisted repo is operator-declared trusted provenance — this is
the concrete boundary ADR-108’s Open Question 4 (fork-content write
capability stays unbuilt) resolves to: only repos an operator has
explicitly named ever accept a khive-mediated write.
Structs§
- GitWrite
Policy - The parsed
[git_write]allowlist. - GitWrite
Policy Entry - One allowlisted
(repo_path, branch_patterns)entry.
Enums§
- GitWrite
Policy Error - Why a git-write policy check failed.