Add CI check to scan Traffic Policy code and fix borked snippets (#1992)

https://linear.app/ngrok/issue/DOC-427/expand-ci-checks-to-scan-traffic-policy-code-snippets

Author: sg-writer

.github/workflows/test-policies.yml

@@ -0,0 +1,19 @@
+name: test-policies
+on:
+  workflow_dispatch: {}
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches:
+      - main
+jobs:
+  test-policies:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+      - name: Install Python dependencies
+        run: pip install PyYAML
+      - name: Validate policies
+        run: ./scripts/test-policies.sh

scripts/test-policies.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# Validates traffic policy YAML/JSON in .mdx/.md code blocks. No temp files.
+# Reports failures as source path (block N). Usage: ./test-policies.sh
+set -e
+cd "$(dirname "$0")/.."
+exec python3 scripts/validate_policy_snippets.py

scripts/validate_policy_snippets.py

@@ -0,0 +1,151 @@
+#!/usr/bin/env python3
+"""
+Validate traffic policy YAML/JSON in code blocks under traffic-policy docs.
+Reads source files only; no temp files. Reports failures as source path (block N).
+"""
+import json
+import re
+import sys
+from pathlib import Path
+
+try:
+    import yaml
+except ImportError:
+    print("PyYAML required: pip install PyYAML", file=sys.stderr)
+    sys.exit(2)
+
+ROOT = Path(__file__).resolve().parent.parent
+SEARCH_DIRS = [
+    ROOT / "traffic-policy",
+    ROOT / "snippets" / "traffic-policy",
+    ROOT / "universal-gateway",
+]
+POLICY_KEYS = ("on_http_request", "on_http_response", "on_tcp_connect")
+
+
+def find_source_files():
+    out = []
+    for d in SEARCH_DIRS:
+        if not d.is_dir():
+            continue
+        for p in d.rglob("*"):
+            if p.suffix in (".mdx", ".md"):
+                out.append(p)
+    return sorted(out)
+
+
+def extract_blocks(path):
+    """Yield (is_json, content) for each policy-like code block. Line-by-line to avoid regex cross-block bugs."""
+    lines = path.read_text().splitlines()
+    i = 0
+    while i < len(lines):
+        line = lines[i]
+        if line.strip().startswith("```"):
+            rest = line.strip()[3:].strip().lower()
+            if rest.startswith("yaml"):
+                kind = "yaml"
+            elif rest.startswith("json"):
+                kind = "json"
+            else:
+                i += 1
+                continue
+            if "skip-validation" in rest or "skip_validation" in rest:
+                i += 1
+                while i < len(lines) and lines[i].strip() != "```":
+                    i += 1
+                if i < len(lines):
+                    i += 1
+                continue
+            i += 1
+            block = []
+            while i < len(lines) and lines[i].strip() != "```":
+                block.append(lines[i])
+                i += 1
+            if i < len(lines):
+                i += 1  # consume closing ```
+            content = "\n".join(block)
+            if any(k in content for k in POLICY_KEYS):
+                yield ("json" if kind == "json" else "yaml", content)
+            continue
+        i += 1
+
+
+def validate_block(content, is_json):
+    # is_json is the string "json" or "yaml" from extractor
+    # Infer format from content so we never parse YAML as JSON
+    raw = content.strip()
+    if raw.startswith("{"):
+        is_json = True
+    elif raw.startswith("on_") or "\non_" in "\n" + raw:
+        is_json = False
+    else:
+        is_json = is_json == "json"
+    if is_json:
+        try:
+            d = json.loads(content)
+        except json.JSONDecodeError as e:
+            return str(e)
+    else:
+        try:
+            d = yaml.safe_load(content)
+        except yaml.YAMLError as e:
+            return str(e).split("\n")[0]
+    if d is None:
+        return "empty document"
+    if not isinstance(d, dict):
+        return "root must be an object"
+    if not any(k in d for k in POLICY_KEYS):
+        # Allow agent config format: endpoints: [ { traffic_policy: { on_http_request: ... } } ]
+        if "endpoints" in d and isinstance(d["endpoints"], list):
+            for ep in d["endpoints"]:
+                if isinstance(ep, dict) and "traffic_policy" in ep:
+                    tp = ep["traffic_policy"]
+                    if isinstance(tp, dict) and any(k in tp for k in POLICY_KEYS):
+                        return None
+        # Allow API request body: { "traffic_policy": "{ \"on_http_request\": ... }", "bindings": ..., "type": "cloud" }
+        if isinstance(d.get("traffic_policy"), str) and d.get("type") == "cloud":
+            try:
+                inner = json.loads(d["traffic_policy"])
+                if isinstance(inner, dict) and any(k in inner for k in POLICY_KEYS):
+                    return None
+            except (json.JSONDecodeError, TypeError):
+                pass
+        return "missing policy key (need one of: " + ", ".join(POLICY_KEYS) + ")"
+    return None
+
+
+def main():
+    sources = find_source_files()
+    if not sources:
+        print("No source files found.")
+        return 0
+
+    total = 0
+    passed = 0
+    failed = 0
+    for path in sources:
+        rel = path.relative_to(ROOT)
+        for block_idx, (is_json, content) in enumerate(extract_blocks(path), 1):
+            total += 1
+            err = validate_block(content, is_json)
+            if err is None:
+                passed += 1
+                print(f"✅ {rel} (block {block_idx})")
+            else:
+                failed += 1
+                print(f"❌ {rel} (block {block_idx}): {err}")
+
+    print("")
+    print("==========================================")
+    print("SUMMARY")
+    print("==========================================")
+    print(f"Total: {total} | Passed: {passed} | Failed: {failed}")
+    if failed:
+        print("❌ Some blocks invalid.")
+        return 1
+    print("🎉 All valid.")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

snippets/traffic-policy/gallery/route-requests/BasedOnUrl.mdx

@@ -5,9 +5,9 @@
 on_http_request:
   - name: "Route requests based on URL"
     actions:
-    - type: "forward-internal"
-    config:
-    url: "https://${req.host.split(".example.com")[0]}.internal"
+      - type: "forward-internal"
+        config:
+          url: "https://${req.host.split(\".example.com\")[0]}.internal"
 ```
 ```json policy.json
 {

traffic-policy/actions/add-headers.mdx

@@ -137,7 +137,7 @@ configuration will add headers to the response from the upstream service when th
 ```yaml policy.yml highlight={3}
 on_http_response:
   - expressions:
-      - "req.method == "GET" && req.url.path.startsWith("/status/200")"
+      - "req.method == \"GET\" && req.url.path.startsWith(\"/status/200\")"
     actions:
       - type: "add-headers"
         config:

traffic-policy/actions/owasp-crs-request.mdx

@@ -234,8 +234,8 @@ on_http_request:
               "matched_rules_first_data": "${actions.ngrok.owasp_crs_request.matched_rules[0].data}"
             }
           }
-      ]
         }
+      ]
     }
   ]
 }

traffic-policy/actions/redirect.mdx

@@ -118,7 +118,7 @@ on_http_request:
     actions:
       - type: redirect
         config:
-      from: /api/v1/
+          from: /api/v1/
           to: /api/v2/
 ```
 

traffic-policy/concepts/expressions.mdx

@@ -89,7 +89,7 @@ You must wrap expressions containing `!` in quotes for them to be parsed correct
 ```yaml
 on_tcp_connect:
   - expressions:
-      - !(conn.client_ip in ['2001:4860:7:f0e::f4', '98.35.32.113'])
+      - "!(conn.client_ip in ['2001:4860:7:f0e::f4', '98.35.32.113'])"
     actions:
       - type: deny
 ```

traffic-policy/examples/block-unwanted-requests.mdx

@@ -129,7 +129,7 @@ on_http_request:
       - type: custom-response
         config:
           status_code: 200
-          body: User-agent: ChatGPT-User\r\nDisallow: /
+          body: "User-agent: ChatGPT-User\r\nDisallow: /"
           headers:
             content-type: text/plain
 ```
@@ -259,7 +259,7 @@ This rule sends a custom response with status code `401` and body `Unauthorized`
 ```yaml policy.yml
 on_http_request:
   - expressions:
-      - !('authorization' in req.headers)
+      - "!('authorization' in req.headers)"
     actions:
       - type: custom-response
         config:
@@ -308,7 +308,7 @@ on_http_request:
       - type: custom-response
         config:
           status_code: 401
-          body: Unauthorized request due to country of origin.
+          body: "Unauthorized request due to country of origin."
 ```
 
 ```json policy.json
@@ -355,7 +355,7 @@ on_http_request:
       - type: custom-response
         config:
           status_code: 400
-          body: Error: You can't upload content larger than 1MB.
+          body: "Error: You can't upload content larger than 1MB."
 ```
 
 ```json policy.json
@@ -392,7 +392,7 @@ In this example, the Algolia web crawler is exempted from any rate limiting conf
 ```yaml policy.yml
 on_http_request:
   - expressions:
-      - !('com.algolia.crawler' in conn.client_ip.categories)
+      - "!('com.algolia.crawler' in conn.client_ip.categories)"
     actions:
       - type: rate-limit
         config:

traffic-policy/getting-started/agent-endpoints/config-file.mdx

@@ -33,7 +33,7 @@ endpoints:
             - type: custom-response
               config:
                 status_code: 200
-                body: Hello, World!
+                body: "Hello, World!"
 ```
 
 This policy will respond to each HTTP request with “Hello, World!"