Updates to DEVELOPMENT.md re: manifest and validate

This commit is contained in:
Miguel Jacq 2026-06-22 10:09:31 +10:00
parent 1e61ae2ff9
commit 03dc467e32
Signed by: mig5
GPG key ID: 03906B4110AAD3B8


@ -788,6 +788,9 @@ SOPS mode:
The renderers do not know about SOPS. The renderers do not know about SOPS.
Note: Manifest deliberately hooks into validate() to make sure the harvest meets the schema and
doesn't contain dangerous tamperings before turning it into config management code.
--- ---
## 12. The renderer-neutral `CMModule` model ## 12. The renderer-neutral `CMModule` model
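Review bot: the added note ("Note: Manifest deliberately hooks into validate() ...") sits under the SOPS paragraph although it is about manifest/validate rather than SOPS, and it is repeated almost verbatim by the "Note that manifest() hooks into validate()" sentence added in the section 18 hunk below; keep the detailed version in one place (next to the validation checklist) and leave a one-line cross-reference here. Also use the code-formatted names `manifest()` / `validate()` consistently (here "Manifest" is capitalised and unformatted, while the rest of the document uses backticks for identifiers such as `CMModule`), and replace "dangerous tamperings" with the concrete conditions validate() rejects, for example symlinks/hardlinks escaping the artifact tree, so a reader knows what "safe" means.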
@ -1380,11 +1383,14 @@ This is intended to answer “what did Enroll collect and why?”
4. every `managed_file.src_rel` points to an artifact file, 4. every `managed_file.src_rel` points to an artifact file,
5. firewall runtime generated artifacts exist, 5. firewall runtime generated artifacts exist,
6. there are no unreferenced artifact files, reported as warnings. 6. there are no unreferenced artifact files, reported as warnings.
7. there are no malicious or unsafe bits such as symlinks/hardlinks etc traversing out of the artifact tree
It returns a `ValidationResult` with `errors`, `warnings`, `ok()`, `to_dict()`, and `to_text()`. It returns a `ValidationResult` with `errors`, `warnings`, `ok()`, `to_dict()`, and `to_text()`.
The CLI supports local schema override with `--schema`, warning failure with `--fail-on-warnings`, JSON/text output, and `--out`. The CLI supports local schema override with `--schema`, warning failure with `--fail-on-warnings`, JSON/text output, and `--out`.
Note that manifest() hooks into validate() to make sure the harvest is safe before rendering it into config management code.
--- ---
## 19. Remote harvesting ## 19. Remote harvesting
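Review bot: new item 7 breaks the list's punctuation (item 6 ends the list with a period and item 7 has no terminal punctuation) and, unlike item 6, does not say whether these findings are reported as `errors` or `warnings` in the `ValidationResult`; since `ok()` and `--fail-on-warnings` depend on that distinction, state it explicitly (presumably errors, given the note says they block rendering). "such as symlinks/hardlinks etc traversing out of the artifact tree" should enumerate exactly what is rejected (symlinks, hardlinks, and any other path conditions the check actually covers) rather than "etc", so the documented contract matches the code. The closing sentence "Note that manifest() hooks into validate() ..." duplicates the note added in the section 11/12 hunk above; keep one of the two and write the identifiers as `manifest()` / `validate()` in backticks to match the surrounding formatting.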