feat(policy): add policy develop init (#2229)

Signed-off-by: Sylwester Piskozub <[email protected]>

Author: Piskoo

app/cli/cmd/policy.go

@@ -0,0 +1,30 @@
+//
+// Copyright 2025 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func newPolicyCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "policy",
+		Short: "Craft chainloop policies",
+	}
+
+	cmd.AddCommand(newPolicyDevelopCmd())
+	return cmd
+}

app/cli/cmd/policy_develop.go

@@ -0,0 +1,33 @@
+//
+// Copyright 2025 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func newPolicyDevelopCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "develop",
+		Aliases: []string{"devel"},
+		Short: `Tools for policy development
+Refer to https://docs.chainloop.dev/guides/custom-policies
+`,
+	}
+
+	cmd.AddCommand(newPolicyDevelopInitCmd())
+	return cmd
+}

app/cli/cmd/policy_develop_init.go

@@ -0,0 +1,78 @@
+//
+// Copyright 2025 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/chainloop-dev/chainloop/app/cli/internal/action"
+	"github.com/spf13/cobra"
+)
+
+func newPolicyDevelopInitCmd() *cobra.Command {
+	var (
+		force       bool
+		embedded    bool
+		name        string
+		description string
+		directory   string
+	)
+
+	cmd := &cobra.Command{
+		Use:   "init",
+		Short: "Initialize a new policy",
+		Long: `Initialize a new policy by creating template policy files in the specified directory.
+By default, it creates chainloop-policy.yaml and chainloop-policy.rego files.`,
+		Example: `  
+  # Initialize in current directory with separate files
+  chainloop policy develop init
+
+  # Initialize in specific directory with embedded format and policy name
+  chainloop policy develop init --directory ./policies --embedded --name mypolicy`,
+		RunE: func(_ *cobra.Command, _ []string) error {
+			if directory == "" {
+				directory = "."
+			}
+			opts := &action.PolicyInitOpts{
+				Force:       force,
+				Embedded:    embedded,
+				Name:        name,
+				Description: description,
+				Directory:   directory,
+			}
+
+			policyInit, err := action.NewPolicyInit(opts, actionOpts)
+			if err != nil {
+				return fmt.Errorf("failed to initialize policy: %w", err)
+			}
+
+			if err := policyInit.Run(); err != nil {
+				return newGracefulError(err)
+			}
+
+			logger.Info().Msg("Initialized policy files")
+
+			return nil
+		},
+	}
+
+	cmd.Flags().BoolVarP(&force, "force", "f", false, "overwrite existing files")
+	cmd.Flags().BoolVar(&embedded, "embedded", false, "initialize an embedded policy (single YAML file)")
+	cmd.Flags().StringVar(&name, "name", "", "name of the policy")
+	cmd.Flags().StringVar(&description, "description", "", "description of the policy")
+	cmd.Flags().StringVar(&directory, "directory", "", "directory for policy")
+	return cmd
+}

app/cli/cmd/root.go

@@ -242,7 +242,7 @@ func NewRootCmd(l zerolog.Logger) *cobra.Command {
 	rootCmd.AddCommand(newWorkflowCmd(), newAuthCmd(), NewVersionCmd(),
 		newAttestationCmd(), newArtifactCmd(), newConfigCmd(),
 		newIntegrationCmd(), newOrganizationCmd(), newCASBackendCmd(),
-		newReferrerDiscoverCmd(),
+		newReferrerDiscoverCmd(), newPolicyCmd(),
 	)
 
 	// Load plugins if we are not running a subcommand

app/cli/documentation/cli-reference.mdx

@@ -2703,6 +2703,180 @@ Options inherited from parent commands
 -y, --yes                       Skip confirmation
 ```
 
+## chainloop policy
+
+Craft chainloop policies
+
+Options
+
+```
+-h, --help   help for policy
+```
+
+Options inherited from parent commands
+
+```
+--artifact-cas string       URL for the Artifacts Content Addressable Storage API ($CHAINLOOP_ARTIFACT_CAS_API) (default "api.cas.chainloop.dev:443")
+--artifact-cas-ca string    CUSTOM CA file for the Artifacts CAS API (optional) ($CHAINLOOP_ARTIFACT_CAS_API_CA)
+-c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
+--control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
+--control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
+-i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
+-n, --org string                organization name
+-o, --output string             Output format, valid options are json and table (default "table")
+-t, --token string              API token. NOTE: Alternatively use the env variable CHAINLOOP_TOKEN
+-y, --yes                       Skip confirmation
+```
+
+### chainloop policy develop
+
+Tools for policy development
+Refer to https://docs.chainloop.dev/guides/custom-policies
+
+Options
+
+```
+-h, --help   help for develop
+```
+
+Options inherited from parent commands
+
+```
+--artifact-cas string       URL for the Artifacts Content Addressable Storage API ($CHAINLOOP_ARTIFACT_CAS_API) (default "api.cas.chainloop.dev:443")
+--artifact-cas-ca string    CUSTOM CA file for the Artifacts CAS API (optional) ($CHAINLOOP_ARTIFACT_CAS_API_CA)
+-c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
+--control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
+--control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
+-i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
+-n, --org string                organization name
+-o, --output string             Output format, valid options are json and table (default "table")
+-t, --token string              API token. NOTE: Alternatively use the env variable CHAINLOOP_TOKEN
+-y, --yes                       Skip confirmation
+```
+
+#### chainloop policy develop help
+
+Help about any command
+
+Synopsis
+
+Help provides help for any command in the application.
+Simply type develop help [path to command] for full details.
+
+```
+chainloop policy develop help [command] [flags]
+```
+
+Options
+
+```
+-h, --help   help for help
+```
+
+Options inherited from parent commands
+
+```
+--artifact-cas string       URL for the Artifacts Content Addressable Storage API ($CHAINLOOP_ARTIFACT_CAS_API) (default "api.cas.chainloop.dev:443")
+--artifact-cas-ca string    CUSTOM CA file for the Artifacts CAS API (optional) ($CHAINLOOP_ARTIFACT_CAS_API_CA)
+-c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
+--control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
+--control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
+-i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
+-n, --org string                organization name
+-o, --output string             Output format, valid options are json and table (default "table")
+-t, --token string              API token. NOTE: Alternatively use the env variable CHAINLOOP_TOKEN
+-y, --yes                       Skip confirmation
+```
+
+#### chainloop policy develop init
+
+Initialize a new policy
+
+Synopsis
+
+Initialize a new policy by creating template policy files in the specified directory.
+By default, it creates chainloop-policy.yaml and chainloop-policy.rego files.
+
+```
+chainloop policy develop init [flags]
+```
+
+Examples
+
+```
+
+Initialize in current directory with separate files
+chainloop policy develop init
+
+Initialize in specific directory with embedded format and policy name
+chainloop policy develop init --directory ./policies --embedded --name mypolicy
+```
+
+Options
+
+```
+--description string   description of the policy
+--directory string     directory for policy
+--embedded             initialize an embedded policy (single YAML file)
+-f, --force                overwrite existing files
+-h, --help                 help for init
+--name string          name of the policy
+```
+
+Options inherited from parent commands
+
+```
+--artifact-cas string       URL for the Artifacts Content Addressable Storage API ($CHAINLOOP_ARTIFACT_CAS_API) (default "api.cas.chainloop.dev:443")
+--artifact-cas-ca string    CUSTOM CA file for the Artifacts CAS API (optional) ($CHAINLOOP_ARTIFACT_CAS_API_CA)
+-c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
+--control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
+--control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
+-i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
+-n, --org string                organization name
+-o, --output string             Output format, valid options are json and table (default "table")
+-t, --token string              API token. NOTE: Alternatively use the env variable CHAINLOOP_TOKEN
+-y, --yes                       Skip confirmation
+```
+
+### chainloop policy help
+
+Help about any command
+
+Synopsis
+
+Help provides help for any command in the application.
+Simply type policy help [path to command] for full details.
+
+```
+chainloop policy help [command] [flags]
+```
+
+Options
+
+```
+-h, --help   help for help
+```
+
+Options inherited from parent commands
+
+```
+--artifact-cas string       URL for the Artifacts Content Addressable Storage API ($CHAINLOOP_ARTIFACT_CAS_API) (default "api.cas.chainloop.dev:443")
+--artifact-cas-ca string    CUSTOM CA file for the Artifacts CAS API (optional) ($CHAINLOOP_ARTIFACT_CAS_API_CA)
+-c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
+--control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
+--control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
+-i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
+-n, --org string                organization name
+-o, --output string             Output format, valid options are json and table (default "table")
+-t, --token string              API token. NOTE: Alternatively use the env variable CHAINLOOP_TOKEN
+-y, --yes                       Skip confirmation
+```
+
 ## chainloop version
 
 Command line version

app/cli/internal/action/policy_develop_init.go

@@ -0,0 +1,58 @@
+//
+// Copyright 2025 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package action
+
+import (
+	"fmt"
+
+	"github.com/chainloop-dev/chainloop/app/cli/internal/policydevel"
+)
+
+type PolicyInitOpts struct {
+	Force       bool
+	Embedded    bool
+	Name        string
+	Description string
+	Directory   string
+}
+
+type PolicyInit struct {
+	*ActionsOpts
+	opts *PolicyInitOpts
+}
+
+func NewPolicyInit(opts *PolicyInitOpts, actionOpts *ActionsOpts) (*PolicyInit, error) {
+	return &PolicyInit{
+		ActionsOpts: actionOpts,
+		opts:        opts,
+	}, nil
+}
+
+func (action *PolicyInit) Run() error {
+	initOpts := &policydevel.InitOptions{
+		Directory:   action.opts.Directory,
+		Embedded:    action.opts.Embedded,
+		Force:       action.opts.Force,
+		Name:        action.opts.Name,
+		Description: action.opts.Description,
+	}
+
+	if err := policydevel.Initialize(initOpts); err != nil {
+		return fmt.Errorf("initializing policy: %w", err)
+	}
+
+	return nil
+}