Problem
The Policy Authoring guide currently shows examples where policy rules produce results as simple objects with only a msg field (e.g. result := {"msg": "..."}). However, the actual result format consumed by the Conforma evaluation engine is richer and includes several fields that are not documented anywhere for external policy authors.
What is missing
The authoring docs should describe the result object structure that policy rules are expected to produce:
code (string): A unique identifier for the rule violation, formatted as <package_path>.<short_name>. Used for skipping rules and in violation reports.
msg (string): A human-readable message describing the violation, typically formatted via sprintf using custom.failure_msg from annotations.
effective_on (string): An RFC3339 timestamp controlling when the rule becomes a hard failure vs. a warning.
collections (list of strings, optional): Rule collections this violation belongs to, derived from custom.collections annotations.
term (any, optional): An additional term for grouping or identifying the specific subject of the violation.
severity (string, optional): Override severity level for the violation (e.g. "warning").
The docs should also document the helper functions available in data.lib.metadata (and their deprecated data.lib aliases) that produce correctly formatted results:
result_helper(chain, failure_sprintf_params) - produces a result with code, msg, effective_on, and optionally collections
result_helper_with_term(chain, failure_sprintf_params, term) - adds a term field
result_helper_with_severity(chain, failure_sprintf_params, severity) - adds a severity field
These helpers use rego.metadata.chain() to automatically derive code and effective_on from annotations, which is the recommended pattern for all policy rules in this repository.
Why it matters
External users authoring custom policies need to understand:
- What fields the result object must/can contain
- How those fields interact with the evaluation engine (e.g.
effective_on for grace periods, collections for grouping)
- That helper functions exist to produce correctly formatted results
- The relationship between rule annotations (
custom.short_name, custom.failure_msg, custom.effective_on, custom.collections) and the generated result fields
Suggested approach
Update the authoring guide to:
- Add a dedicated "Result format" section describing the result object schema
- Document
data.lib.metadata.result_helper and its variants with usage examples
- Update the existing code examples to use
result_helper instead of raw {"msg": "..."} objects
- Explain how annotations map to result fields
Problem
The Policy Authoring guide currently shows examples where policy rules produce results as simple objects with only a
msgfield (e.g.result := {"msg": "..."}). However, the actual result format consumed by the Conforma evaluation engine is richer and includes several fields that are not documented anywhere for external policy authors.What is missing
The authoring docs should describe the result object structure that policy rules are expected to produce:
code(string): A unique identifier for the rule violation, formatted as<package_path>.<short_name>. Used for skipping rules and in violation reports.msg(string): A human-readable message describing the violation, typically formatted viasprintfusingcustom.failure_msgfrom annotations.effective_on(string): An RFC3339 timestamp controlling when the rule becomes a hard failure vs. a warning.collections(list of strings, optional): Rule collections this violation belongs to, derived fromcustom.collectionsannotations.term(any, optional): An additional term for grouping or identifying the specific subject of the violation.severity(string, optional): Override severity level for the violation (e.g."warning").The docs should also document the helper functions available in
data.lib.metadata(and their deprecateddata.libaliases) that produce correctly formatted results:result_helper(chain, failure_sprintf_params)- produces a result withcode,msg,effective_on, and optionallycollectionsresult_helper_with_term(chain, failure_sprintf_params, term)- adds atermfieldresult_helper_with_severity(chain, failure_sprintf_params, severity)- adds aseverityfieldThese helpers use
rego.metadata.chain()to automatically derivecodeandeffective_onfrom annotations, which is the recommended pattern for all policy rules in this repository.Why it matters
External users authoring custom policies need to understand:
effective_onfor grace periods,collectionsfor grouping)custom.short_name,custom.failure_msg,custom.effective_on,custom.collections) and the generated result fieldsSuggested approach
Update the authoring guide to:
data.lib.metadata.result_helperand its variants with usage examplesresult_helperinstead of raw{"msg": "..."}objects