zwoop commented on code in PR #12950: URL: https://github.com/apache/trafficserver/pull/12950#discussion_r2909713573
########## doc/admin-guide/configuration/hrw4u.en.rst: ########## @@ -494,6 +542,137 @@ Run with `--debug all` to trace: - Condition evaluations - State and output emission +Sandbox Policy Enforcement +========================== + +Organizations deploying HRW4U across teams can restrict which language features +are permitted using a sandbox configuration file. When a denied feature is used, +the compiler emits a clear error with a configurable message explaining the +restriction. + +Pass the sandbox file with ``--sandbox``: + +.. code-block:: none + + hrw4u --sandbox /etc/trafficserver/hrw4u-sandbox.yaml rules.hrw4u + +The sandbox file is YAML with a single top-level ``sandbox`` key. A JSON +Schema for editor validation and autocomplete is provided at +``tools/hrw4u/schema/sandbox.schema.json``. + +.. code-block:: yaml + + sandbox: + message: | # optional: shown once after all denial errors + ... + deny: + sections: [ ... ] # section names, e.g. TXN_START + functions: [ ... ] # function names, e.g. run-plugin + conditions: [ ... ] # condition keys, e.g. geo. + operators: [ ... ] # operator keys, e.g. inbound.conn.dscp + language: [ ... ] # break, variables, in, else, elif + +All deny lists are optional. An empty or missing sandbox file permits everything. + +Sections +-------- + +The ``sections`` list accepts any of the HRW4U section names listed in the Review Comment: As intended. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
