Add a plan validation step to the existing deploymentplanresult controller. Validation runs inline after a plan target result completes — no new controller, no new reconcile_work_scope kind.
Why inline (decision update)
Earlier sketch had a separate controller with its own work-queue kind. Simplifying for v1: re-evaluation on rule edits doesn't matter yet, OPA eval is in-process and fast, and one trigger condition (plan completion) keeps the flow obvious.
Tradeoff knowingly accepted: re-validating against an edited rule will require re-running the agent's Plan call (or a future bolt-on path). Fine for now.
Scope
In apps/workspace-engine/svc/controllers/deploymentplanresult/:
New validator.go:
Load policyRulePlanValidationOpa rules for the plan's workspace.
For each rule, call pkg/planvalidation.Evaluate (already exists).
Upsert into deploymentPlanTargetResultValidation.
controller.go: call the validator after UpdateDeploymentPlanTargetResultCompleted succeeds (around line 184), before MaybeUpdateTargetCheck. The check renderer (sub-issue feat: render plan validation results in github check #1091) then naturally picks up validation rows in the same pass.
getters_postgres.go / setters_postgres.go: extend with rule-load and validation-upsert queries.
Out of scope
No new reconcile_work_scope kind.
No new worker.
No re-validation trigger on rule create/edit (deferred).
Sub-issue of #1073.
Depends on
#1088 (schema).