Run buf Policies locally

private/buf/bufctl/controller.go

@@ -65,6 +65,7 @@ type ImageWithConfig interface {
 	LintConfig() bufconfig.LintConfig
 	BreakingConfig() bufconfig.BreakingConfig
 	PluginConfigs() []bufconfig.PluginConfig
+	PolicyConfigs() []bufconfig.PolicyConfig
 
 	isImageWithConfig()
 }
@@ -404,7 +405,10 @@ func (c *controller) GetTargetImageWithConfigsAndCheckClient(
 		}
 		lintConfig := bufconfig.DefaultLintConfigV1
 		breakingConfig := bufconfig.DefaultBreakingConfigV1
-		var pluginConfigs []bufconfig.PluginConfig
+		var (
+			pluginConfigs []bufconfig.PluginConfig
+			policyConfigs []bufconfig.PolicyConfig
+		)
 		pluginKeyProvider := bufplugin.NopPluginKeyProvider
 		bufYAMLFile, err := bufconfig.GetBufYAMLFileForPrefixOrOverride(
 			ctx,
@@ -442,6 +446,7 @@ func (c *controller) GetTargetImageWithConfigsAndCheckClient(
 			// buf.yaml file is found, the PluginConfigs from the buf.yaml file and the PluginKeys
 			// from the buf.lock file are resolved to create the PluginKeyProvider.
 			pluginConfigs = bufYAMLFile.PluginConfigs()
+			policyConfigs = bufYAMLFile.PolicyConfigs()
 			// If a config override is provided, the PluginConfig remote Refs use the BSR
 			// to resolve the PluginKeys. No buf.lock is required.
 			// If the buf.yaml file is not found, the bufplugin.NopPluginKeyProvider is returned.
@@ -485,6 +490,7 @@ func (c *controller) GetTargetImageWithConfigsAndCheckClient(
 				lintConfig,
 				breakingConfig,
 				pluginConfigs,
+				policyConfigs,
 			),
 		}
 		checkClient, err := bufcheck.NewClient(
@@ -495,6 +501,7 @@ func (c *controller) GetTargetImageWithConfigsAndCheckClient(
 			),
 			bufcheck.ClientWithLocalWasmPluginsFromOS(),
 			bufcheck.ClientWithRemoteWasmPlugins(pluginKeyProvider, c.pluginDataProvider),
+			bufcheck.ClientWithLocalPolicies(bucket),
 		)
 		if err != nil {
 			return nil, nil, err
@@ -801,6 +808,13 @@ func (c *controller) GetCheckClientForWorkspace(
 	if err != nil {
 		return nil, err
 	}
+	bucket, err := c.storageosProvider.NewReadWriteBucket(
+		".",
+		storageos.ReadWriteBucketWithSymlinksIfSupported(),
+	)
+	if err != nil {
+		return nil, err
+	}
 	return bufcheck.NewClient(
 		c.logger,
 		bufcheck.ClientWithStderr(c.container.Stderr()),
@@ -812,6 +826,7 @@ func (c *controller) GetCheckClientForWorkspace(
 			pluginKeyProvider,
 			c.pluginDataProvider,
 		),
+		bufcheck.ClientWithLocalPolicies(bucket),
 	)
 }
 
@@ -1182,6 +1197,7 @@ func (c *controller) buildTargetImageWithConfigs(
 				workspace.GetLintConfigForOpaqueID(module.OpaqueID()),
 				workspace.GetBreakingConfigForOpaqueID(module.OpaqueID()),
 				workspace.PluginConfigs(),
+				workspace.PolicyConfigs(),
 			),
 		)
 	}

private/buf/bufctl/image_with_config.go

@@ -28,6 +28,7 @@ type imageWithConfig struct {
 	lintConfig     bufconfig.LintConfig
 	breakingConfig bufconfig.BreakingConfig
 	pluginConfigs  []bufconfig.PluginConfig
+	policyConfigs  []bufconfig.PolicyConfig
 }
 
 func newImageWithConfig(
@@ -37,6 +38,7 @@ func newImageWithConfig(
 	lintConfig bufconfig.LintConfig,
 	breakingConfig bufconfig.BreakingConfig,
 	pluginConfigs []bufconfig.PluginConfig,
+	policyConfigs []bufconfig.PolicyConfig,
 ) *imageWithConfig {
 	return &imageWithConfig{
 		Image:          image,
@@ -45,6 +47,7 @@ func newImageWithConfig(
 		lintConfig:     lintConfig,
 		breakingConfig: breakingConfig,
 		pluginConfigs:  pluginConfigs,
+		policyConfigs:  policyConfigs,
 	}
 }
 
@@ -68,4 +71,8 @@ func (i *imageWithConfig) PluginConfigs() []bufconfig.PluginConfig {
 	return i.pluginConfigs
 }
 
+func (i *imageWithConfig) PolicyConfigs() []bufconfig.PolicyConfig {
+	return i.policyConfigs
+}
+
 func (*imageWithConfig) isImageWithConfig() {}

private/buf/buflsp/file.go

@@ -721,6 +721,7 @@ func (f *file) RunLints(ctx context.Context) bool {
 		f.workspace.GetLintConfigForOpaqueID(f.module.OpaqueID()),
 		f.image,
 		bufcheck.WithPluginConfigs(f.workspace.PluginConfigs()...),
+		bufcheck.WithPolicyConfigs(f.workspace.PolicyConfigs()...),
 	))
 }
 
@@ -749,6 +750,7 @@ func (f *file) RunBreaking(ctx context.Context) bool {
 		f.image,
 		f.againstImage,
 		bufcheck.WithPluginConfigs(f.workspace.PluginConfigs()...),
+		bufcheck.WithPolicyConfigs(f.workspace.PolicyConfigs()...),
 	))
 }
 

private/buf/bufworkspace/workspace.go

@@ -21,6 +21,7 @@ import (
 	"github.com/bufbuild/buf/private/bufpkg/bufmodule"
 	"github.com/bufbuild/buf/private/bufpkg/bufparse"
 	"github.com/bufbuild/buf/private/bufpkg/bufplugin"
+	"github.com/bufbuild/buf/private/bufpkg/bufpolicy"
 )
 
 // Workspace is a buf workspace.
@@ -81,6 +82,14 @@ type Workspace interface {
 	//
 	// These come from the buf.lock file. Only v2 supports plugins.
 	RemotePluginKeys() []bufplugin.PluginKey
+	// PolicyConfigs gets the configured PolicyConfigs of the Workspace.
+	//
+	// These come from the buf.yaml files.
+	PolicyConfigs() []bufconfig.PolicyConfig
+	// RemotePolicyKeys gets the remote PolicyKeys of the Workspace.
+	//
+	// These come from the buf.lock file. Only v2 supports policies.
+	RemotePolicyKeys() []bufpolicy.PolicyKey
 	// ConfiguredDepModuleRefs returns the configured dependencies of the Workspace as Refs.
 	//
 	// These come from buf.yaml files.
@@ -114,6 +123,8 @@ type workspace struct {
 	opaqueIDToBreakingConfig map[string]bufconfig.BreakingConfig
 	pluginConfigs            []bufconfig.PluginConfig
 	remotePluginKeys         []bufplugin.PluginKey
+	policyConfigs            []bufconfig.PolicyConfig
+	remotePolicyKeys         []bufpolicy.PolicyKey
 	configuredDepModuleRefs  []bufparse.Ref
 
 	// If true, the workspace was created from v2 buf.yamls.
@@ -127,6 +138,7 @@ func newWorkspace(
 	opaqueIDToBreakingConfig map[string]bufconfig.BreakingConfig,
 	pluginConfigs []bufconfig.PluginConfig,
 	remotePluginKeys []bufplugin.PluginKey,
+	policyConfigs []bufconfig.PolicyConfig,
 	configuredDepModuleRefs []bufparse.Ref,
 	isV2 bool,
 ) *workspace {
@@ -136,6 +148,7 @@ func newWorkspace(
 		opaqueIDToBreakingConfig: opaqueIDToBreakingConfig,
 		pluginConfigs:            pluginConfigs,
 		remotePluginKeys:         remotePluginKeys,
+		policyConfigs:            policyConfigs,
 		configuredDepModuleRefs:  configuredDepModuleRefs,
 		isV2:                     isV2,
 	}
@@ -157,6 +170,14 @@ func (w *workspace) RemotePluginKeys() []bufplugin.PluginKey {
 	return slices.Clone(w.remotePluginKeys)
 }
 
+func (w *workspace) PolicyConfigs() []bufconfig.PolicyConfig {
+	return slices.Clone(w.policyConfigs)
+}
+
+func (w *workspace) RemotePolicyKeys() []bufpolicy.PolicyKey {
+	return slices.Clone(w.remotePolicyKeys)
+}
+
 func (w *workspace) ConfiguredDepModuleRefs() []bufparse.Ref {
 	return slices.Clone(w.configuredDepModuleRefs)
 }

private/buf/bufworkspace/workspace_provider.go

@@ -149,6 +149,7 @@ func (w *workspaceProvider) GetWorkspaceForModuleKey(
 	var (
 		pluginConfigs    []bufconfig.PluginConfig
 		remotePluginKeys []bufplugin.PluginKey
+		policyConfigs    []bufconfig.PolicyConfig
 	)
 	if config.configOverride != "" {
 		bufYAMLFile, err := bufconfig.GetBufYAMLFileForOverride(config.configOverride)
@@ -205,6 +206,8 @@ func (w *workspaceProvider) GetWorkspaceForModuleKey(
 					return nil, err
 				}
 			}
+
+			policyConfigs = bufYAMLFile.PolicyConfigs()
 		}
 	}
 
@@ -243,6 +246,7 @@ func (w *workspaceProvider) GetWorkspaceForModuleKey(
 		opaqueIDToBreakingConfig,
 		pluginConfigs,
 		remotePluginKeys,
+		policyConfigs,
 		nil,
 		false,
 	), nil
@@ -408,6 +412,7 @@ func (w *workspaceProvider) getWorkspaceForBucketAndModuleDirPathsV1Beta1OrV1(
 		v1WorkspaceTargeting.bucketIDToModuleConfig,
 		nil, // No PluginConfigs for v1
 		nil, // No remote PluginKeys for v1
+		nil, // No PolicyConfigs for v1
 		v1WorkspaceTargeting.allConfiguredDepModuleRefs,
 		false,
 	)
@@ -507,6 +512,7 @@ func (w *workspaceProvider) getWorkspaceForBucketBufYAMLV2(
 		v2Targeting.bucketIDToModuleConfig,
 		v2Targeting.bufYAMLFile.PluginConfigs(),
 		remotePluginKeys,
+		v2Targeting.bufYAMLFile.PolicyConfigs(),
 		v2Targeting.bufYAMLFile.ConfiguredDepModuleRefs(),
 		true,
 	)
@@ -518,6 +524,7 @@ func (w *workspaceProvider) getWorkspaceForBucketModuleSet(
 	bucketIDToModuleConfig map[string]bufconfig.ModuleConfig,
 	pluginConfigs []bufconfig.PluginConfig,
 	remotePluginKeys []bufplugin.PluginKey,
+	policyConfigs []bufconfig.PolicyConfig,
 	// Expected to already be unique by FullName.
 	configuredDepModuleRefs []bufparse.Ref,
 	isV2 bool,
@@ -544,6 +551,7 @@ func (w *workspaceProvider) getWorkspaceForBucketModuleSet(
 		opaqueIDToBreakingConfig,
 		pluginConfigs,
 		remotePluginKeys,
+		policyConfigs,
 		configuredDepModuleRefs,
 		isV2,
 	), nil

private/buf/cmd/buf/command/breaking/breaking.go

@@ -286,6 +286,7 @@ func run(
 	for i, imageWithConfig := range imageWithConfigs {
 		breakingOptions := []bufcheck.BreakingOption{
 			bufcheck.WithPluginConfigs(imageWithConfig.PluginConfigs()...),
+			bufcheck.WithPolicyConfigs(imageWithConfig.PolicyConfigs()...),
 			bufcheck.WithRelatedCheckConfigs(allCheckConfigs...),
 		}
 		if flags.ExcludeImports {

private/buf/cmd/buf/command/lint/lint.go

@@ -150,6 +150,7 @@ func run(
 	for _, imageWithConfig := range imageWithConfigs {
 		lintOptions := []bufcheck.LintOption{
 			bufcheck.WithPluginConfigs(imageWithConfig.PluginConfigs()...),
+			bufcheck.WithPolicyConfigs(imageWithConfig.PolicyConfigs()...),
 			bufcheck.WithRelatedCheckConfigs(allCheckConfigs...),
 		}
 		if err := checkClient.Lint(

private/bufpkg/bufanalysis/bufanalysis.go

@@ -149,6 +149,11 @@ type FileAnnotation interface {
 	// May be empty if this annotation did not originate from a plugin.
 	// This may be added to the printed message field for certain printers.
 	PluginName() string
+	// PolicyName is the name of the policy that the annotation originated from.
+	//
+	// May be empty if this annotation did not originate from a policy.
+	// This may be added to the printed message field for certain printers.
+	PolicyName() string
 
 	isFileAnnotation()
 }
@@ -163,6 +168,7 @@ func NewFileAnnotation(
 	typeString string,
 	message string,
 	pluginName string,
+	policyName string,
 ) FileAnnotation {
 	return newFileAnnotation(
 		fileInfo,
@@ -173,6 +179,7 @@ func NewFileAnnotation(
 		typeString,
 		message,
 		pluginName,
+		policyName,
 	)
 }