Policy authoring basics
This page is a practical reference for writing policy rules in environment YAML files.
Rule anatomy
A policy rule typically includes:
id- optional
description - optional
stage - optional
target if(condition list)then(action list)
Example: control enforcement from scope
rules:
- id: API_SERVICE_CONTINUITY_SCOPE
description: In-scope service continuity requires traffic filtering
stage: init
target: component
if:
- eq: { key: type, value: api }
- eq: { key: serviceContinuity, value: inScope }
then:
- expect: { entity: component, control: trafficFiltering }
Common condition patterns
- equality checks (
eq) - inclusion checks (
in,not_in) - presence checks (
present) - topology-aware checks (
upstream,downstream,connectedvariants)
Use only the minimal condition set needed to express intent.
Common action patterns
expect/ control addition patternssetfor derived values- scoring (
score,map_score, mapped scoring) specification/map_specification- icon actions where visual signaling is needed
Stage guidance
init/pre: derive baseline controls/valuesdefault/post: apply main scoring/spec outputsfinal: final adjustments only
Naming conventions
Prefer:
ENTITY_SCOPE_NAME_SCOPE- clear functional suffixes for score/spec rules where needed
Examples:
WEB_APPLICATION_SERVICE_CONTINUITY_SCOPECONNECTED_SERVICE_CONTINUITY_SCOPECONNECTION_SERVICE_CONTINUITY_SCOPE
Quality bar before merge
- Rule intent is one-line explainable.
- YAML is parse-valid.
- Rule triggers exactly when expected.
- Rule does not trigger when condition is not met.
- No accidental behavior change in unrelated environments.