Kubernetes rules-over-backend support: K8s now implements cfgov.RuleStore by storing Sentinel rule JSON arrays in ConfigMap data keys at configmap/{app}-{type}-rules/rules.json (ConfigMap/file-datasource convention, not a CRD datasource).
Kubernetes config backend: k8s adapter for ConfigMap/Secret data keys (configmap|secret/<name>/<dataKey>) with kubeconfig context wiring, fail-closed coordinate validation, Secret-safe trace redaction, resourceVersion CAS, and honest SupportsHistory=false / SupportsWatch=false capability reporting.
etcd rules-over-backend support: etcd now implements cfgov.RuleStore, deriving Sentinel rule coordinates as {app}-{type}-rules under a separate etcdRuleNamespace / ETCD_RULE_NAMESPACE override with default SENTINEL.
etcd config backend: cfgov.Backend adapter with safe single-segment namespace/key mapping, CAS revisions, real watch support, TLS/mTLS connection options, context wiring, and honest SupportsHistory=false capability reporting.
Rule deep-validation parity with sentinel-cli: ported the 5 cross-rule deep checks (MULTIPLE_SYSTEM_RULES, FLOW_REFRESOURCE_MISSING — ERROR; PARAM_WITHOUT_FLOW, AUTHORITY_MIXED_STRATEGY, FLOW_DEGRADE_GRADE_MISMATCH — WARNING) alongside the existing duplicate-key and dangerous-threshold checks. New rule validate --dir <dir> aggregates every <type>.json and runs the full cross-rule check set in one pass (--file XOR --dir). Single-file rule validate --file --deep now runs only intra-type checks (IntraTypeDeepCheck), so it no longer false-positives on cross-type rules; ERROR checks still block rule create/update/import/rollback.
config push --create-only / --update-only (mutually exclusive): fail-if-exists (RESOURCE_ALREADY_EXISTS) / fail-if-not-found (RESOURCE_NOT_FOUND) semantics layered on the existing upsert as a post-authorization pre-write check; default push stays upsert, and CAS / backup / dry-run / audit / risk classification are unchanged.
Local RBAC role management: ctx role set/unset/list write per-operator reader/writer/admin roles into the context (reader→R0, writer→R2, admin→R3 ceiling, enforced through opskit-core/safety); independent of the --roles-source/--roles-url remote role path.
Convenience polish: rule list --type filter; rule diff --dir directory batch diff; config listen transient-error backoff (2s→60s, abort after 20 consecutive failures; auth failures still return immediately); doctor auth and write-probe checks (write-probe only confirms that the governance write path / effective risk is computable — it never mutates a backend); capabilities.supported.outputFormats; bare parent commands now list their subcommands, and mistyped subcommands keep closest-match suggestions.
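The fail-closed coordinate validation and Secret-safe trace redaction described for the Kubernetes config backend above, sketched as an added example (not the project's own code): every name, type and error string here is an assumption, and the coordinates passed to main are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Coordinate is the parsed form of "configmap|secret/<name>/<dataKey>".
type Coordinate struct {
	Kind, Name, DataKey string
}

var ErrInvalidCoordinate = errors.New("invalid k8s coordinate")

// ParseCoordinate fails closed: only exactly three non-empty segments with a
// kind of "configmap" or "secret" are accepted, so a malformed or unexpected
// path is rejected instead of being mapped onto some other object.
func ParseCoordinate(raw string) (Coordinate, error) {
	parts := strings.Split(raw, "/")
	if len(parts) != 3 {
		return Coordinate{}, fmt.Errorf("%w: want kind/name/dataKey, got %q", ErrInvalidCoordinate, raw)
	}
	for _, p := range parts {
		if p == "" || p == "." || p == ".." {
			return Coordinate{}, fmt.Errorf("%w: empty or relative segment in %q", ErrInvalidCoordinate, raw)
		}
	}
	if parts[0] != "configmap" && parts[0] != "secret" {
		return Coordinate{}, fmt.Errorf("%w: unsupported kind %q", ErrInvalidCoordinate, parts[0])
	}
	return Coordinate{Kind: parts[0], Name: parts[1], DataKey: parts[2]}, nil
}

// TraceValue returns what a trace line may show for a value read from this
// coordinate: Secret data is never echoed, only its length is reported.
func (c Coordinate) TraceValue(value string) string {
	if c.Kind == "secret" {
		return fmt.Sprintf("<redacted secret, %d bytes>", len(value))
	}
	return value
}

func main() {
	// Constructed sample coordinates: two valid, two that must be rejected.
	for _, raw := range []string{"configmap/demo-app-flow-rules/rules.json", "secret/db-creds/password", "pod/x/y", "configmap//key"} {
		c, err := ParseCoordinate(raw)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("%s -> %+v trace=%s\n", raw, c, c.TraceValue("sample-value"))
	}
}
```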
Fixed
Embedded AI Skill (skills/cfgov-cli/SKILL.md): added the required YAML frontmatter (name/description/allowed-tools) — it was missing since v0.1.0, so agent skill loaders (e.g. cc-switch) rejected it with "missing YAML frontmatter delimited by ---" — and refreshed the documented backends to Nacos, Apollo, etcd, and Kubernetes.