lakehouse/crates/truth/src/devops.rs

//! DevOps task-class rules — scaffold for the long-horizon phase.
//!
//! Phase 42 PRD: "Terraform/Ansible rule shapes are scaffolded but
//! unpopulated until the long-horizon phase. Keeps the dispatcher
//! signature stable so no refactor needed later."
//!
//! This module is intentionally minimal. It registers no rules yet.
//! The `devops_rules` function exists so callers can compose it onto
//! a store (e.g. `devops_rules(staffing_rules(TruthStore::new()))`)
//! without branching on whether the DevOps phase has landed.
//!
//! When the long-horizon phase fleshes out the DevOps rule set, the
//! implementations drop in here — same `RuleCondition` primitives, same
//! `TruthStore::evaluate` contract, zero upstream refactor.

use crate::TruthStore;

/// Register DevOps rules on the store. Currently a no-op scaffold —
/// no rules are added. Safe to compose with other rule-set functions.
///
/// Planned task classes (not yet populated):
///   - `devops.terraform_plan` — `terraform validate` + pre-plan
///     sanity checks (no destroys without confirm flag, etc.)
///   - `devops.ansible_playbook` — `ansible-lint` + privileged-task
///     gates (no `become: true` on untagged hosts)
///   - `devops.shell_command` — whitelist / blocklist for
///     AI-generated shell invocations (covers what Phase 42
///     queryd SQL gate does for SQL — same idea, shell surface)
pub fn devops_rules(store: TruthStore) -> TruthStore {
    // Intentionally empty. See module-level doc for the phased rollout.
    store
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn devops_rules_is_a_noop_for_now() {
        // Scaffold guarantee: composing devops_rules onto an empty
        // store must not add any rules. Future long-horizon work will
        // populate this and the assertion shifts to counting the
        // expected additions.
        let store = devops_rules(TruthStore::new());
        assert_eq!(store.get_rules("devops.terraform_plan").len(), 0);
        assert_eq!(store.get_rules("devops.ansible_playbook").len(), 0);
        assert_eq!(store.get_rules("devops.shell_command").len(), 0);
    }
}