mcr/internal/policy/defaults.go

package policy

// allActions lists every Action constant for the admin wildcard rule.
var allActions = []Action{
	ActionVersionCheck,
	ActionPull,
	ActionPush,
	ActionDelete,
	ActionCatalog,
	ActionPolicyManage,
}

// DefaultRules returns the built-in policy rules per ARCHITECTURE.md §4.
// Default rules use negative IDs and priority 0.
func DefaultRules() []Rule {
	return []Rule{
		{
			ID:          -1,
			Priority:    0,
			Description: "admin wildcard",
			Effect:      Allow,
			Roles:       []string{"admin"},
			Actions:     allActions,
		},
		{
			ID:           -2,
			Priority:     0,
			Description:  "human users have full content access",
			Effect:       Allow,
			Roles:        []string{"user"},
			AccountTypes: []string{"human"},
			Actions: []Action{
				ActionPull,
				ActionPush,
				ActionDelete,
				ActionCatalog,
			},
		},
		{
			ID:          -3,
			Priority:    0,
			Description: "version check always accessible",
			Effect:      Allow,
			Actions:     []Action{ActionVersionCheck},
		},
	}
}