fix(015-zero-trust-mesh): Zero trust mesh

charts/zero-trust-mesh/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: zero-trust-mesh
-version: 0.1.2
+version: 0.1.3
 description: Helm chart for Kubernetes NetworkPolicy + Istio zero-trust service communication
 appVersion: "1.0"
 type: application

charts/zero-trust-mesh/README.md

@@ -94,6 +94,7 @@ Most security defaults are now implicit in templates. Advanced overrides can sti
 | `workload` | Source workload name used for source pod selectors and default source service account | Helm release name |
 | `serviceAccount` | Source service account override | `""` |
 | `namespaceResourcesEnabled` | Enables namespace-wide default deny, DNS, egress gateway, mTLS, and default-deny AuthorizationPolicy resources | `false` |
+| `allowTo` | Service, host, and IP allow rules | `[]` |
 | `allowTo[].service` | Destination service rule name | `backend` |
 | `allowTo[].targetPodLabels` | Optional target pod selector override for generated NetworkPolicy and AuthorizationPolicy resources | `{ app: backend }` |
 | `allowTo[].serviceAccount` | Optional target service account override for AuthorizationPolicy naming | `allowTo[].service` |

charts/zero-trust-mesh/values.yaml

@@ -7,34 +7,38 @@ serviceAccount: ""
 # Keep false for per-service releases. Enable only in one baseline release per namespace.
 namespaceResourcesEnabled: false
 
-# Single allowTo list:
+# Single allowTo list. Defaults to no service-level allow rules.
+# Supported entry types:
 # - service rule: workload -> service
 # - hosts rule: approved external hosts (default ports: 80/HTTP and 443/HTTPS)
 # - ips rule: approved external IP/CIDR egress (default port: 443/TCP)
-allowTo:
-  - service: backend
-    # Optional target pod selector override; defaults to:
-    # app.kubernetes.io/name: <service>
-    # targetPodLabels:
-    #   app: backend
-    port: 8080
-    methods: ["GET", "POST"]
-    paths: ["/api/*"]
+allowTo: []
 
-  - hosts: ["api.stripe.com"]
-    # Optional custom ports/protocols for this host group.
-    # These are merged with defaults (80/HTTP and 443/HTTPS).
-    # ports:
-    #   - number: 80
-    #     protocol: HTTP
-    #   - number: 443
-    #     protocol: HTTPS
-
-  - ips: ["192.0.2.10"]
-    # Single IPs are normalized to /32 for NetworkPolicy ipBlock.
-    # CIDRs like 198.51.100.0/24 can also be used.
-    # Optional custom ports/protocols for this IP group.
-    # Defaults to 443/TCP.
-    # ports:
-    #   - number: 443
-    #     protocol: TCP
+# Example allowTo entries:
+# allowTo:
+#   - service: backend
+#     # Optional target pod selector override; defaults to:
+#     # app.kubernetes.io/name: <service>
+#     # targetPodLabels:
+#     #   app: backend
+#     port: 8080
+#     methods: ["GET", "POST"]
+#     paths: ["/api/*"]
+#
+#   - hosts: ["api.stripe.com"]
+#     # Optional custom ports/protocols for this host group.
+#     # These are merged with defaults (80/HTTP and 443/HTTPS).
+#     # ports:
+#     #   - number: 80
+#     #     protocol: HTTP
+#     #   - number: 443
+#     #     protocol: HTTPS
+#
+#   - ips: ["192.0.2.10"]
+#     # Single IPs are normalized to /32 for NetworkPolicy ipBlock.
+#     # CIDRs like 198.51.100.0/24 can also be used.
+#     # Optional custom ports/protocols for this IP group.
+#     # Defaults to 443/TCP.
+#     # ports:
+#     #   - number: 443
+#     #     protocol: TCP

specs/015-zero-trust-mesh/checklists/requirements.md

@@ -0,0 +1,24 @@
+# Requirements Quality Checklist: Zero Trust Mesh Empty Default Allow Rules
+
+**Purpose**: Validate specification quality before implementation handoff  
+**Created**: 2026-05-12  
+**Feature**: `specs/015-zero-trust-mesh/spec.md`
+
+## Content Quality
+
+- [x] No implementation details leak into user stories beyond chart-rendering behavior needed for acceptance.
+- [x] Requirements are testable through Helm render output.
+- [x] Requirements distinguish empty service-level allow rules from namespace baseline resources.
+- [x] Public values contract changes are documented.
+
+## Requirement Completeness
+
+- [x] User scenarios cover standalone zero-trust-mesh defaults, base chart subchart defaults, and discoverability.
+- [x] Acceptance criteria cover service, host, and IP sample resources.
+- [x] Edge cases cover explicit allow rules and namespace baseline resources.
+- [x] Success criteria are measurable with render checks and chart linting.
+- [x] Version bumps and regression assertions are captured.
+
+## Validation Result
+
+Validation completed 2026-05-12. Spec is ready for implementation review.

specs/015-zero-trust-mesh/contracts/render-contract.md

@@ -0,0 +1,47 @@
+# Render Contract: Zero Trust Mesh Empty Default Allow Rules
+
+## Standalone zero-trust-mesh default render
+
+Command:
+
+```bash
+helm template ztm-default ./charts/zero-trust-mesh -n default
+```
+
+Expected:
+
+- Exits with status `0`.
+- Does not render a `NetworkPolicy` named like `allow-ztm-default-to-backend-*`.
+- Does not render an `AuthorizationPolicy` named `allow-ztm-default-to-backend`.
+- Does not render a `ServiceEntry` named `external-api-stripe-com`.
+- Does not render IP egress resources for `192.0.2.10`.
+
+## Base render with zeroTrustMesh enabled
+
+Command:
+
+```bash
+helm template base-enabled ./charts/base -n default --set zeroTrustMesh.enabled=true
+```
+
+Expected:
+
+- Exits with status `0`.
+- Renders normal base chart workload resources.
+- Does not render sample zero-trust-mesh allow resources for `backend`.
+- Does not render sample zero-trust-mesh ServiceEntry resources for `api.stripe.com`.
+
+## Explicit allowTo render
+
+Commands:
+
+```bash
+helm template ztm-full ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/values.full.yaml
+helm template base-with-ztm ./charts/base -n default -f ./examples/base/with-zero-trust-mesh.yaml
+```
+
+Expected:
+
+- Each command exits with status `0`.
+- Explicit service and host allow rules render from provided values.
+- Empty defaults do not suppress consumer-provided allow rules.

specs/015-zero-trust-mesh/data-model.md

@@ -0,0 +1,43 @@
+# Data Model: Zero Trust Mesh Empty Default Allow Rules
+
+## AllowToDefault
+
+Represents the active default value for zero-trust-mesh service-level allow rules.
+
+```yaml
+allowTo: []
+```
+
+Validation:
+
+- Empty list renders no service, host, or IP allow resources.
+- Non-empty list keeps existing rule semantics.
+
+## BaseZeroTrustMeshOverride
+
+Represents the base chart parent values passed to the aliased zero-trust-mesh dependency.
+
+```yaml
+zeroTrustMesh:
+  enabled: false
+  allowTo: []
+```
+
+Validation:
+
+- `enabled=false` keeps the subchart disabled.
+- `enabled=true` with no other values still passes an empty `allowTo` list to the subchart.
+- Consumer-provided `zeroTrustMesh.allowTo` replaces the empty default and renders explicit rules.
+
+## SampleAllowResource
+
+Any rendered manifest derived from example-only defaults, such as:
+
+- `allow-*-to-backend-*` NetworkPolicy
+- `allow-*-to-backend` AuthorizationPolicy
+- `external-api-stripe-com` ServiceEntry
+- `external-ip-*` resources for `192.0.2.10`
+
+Validation:
+
+- Sample resources must not appear in default standalone or default base zeroTrustMesh renders.

specs/015-zero-trust-mesh/plan.md

@@ -0,0 +1,91 @@
+# Implementation Plan: Zero Trust Mesh Empty Default Allow Rules
+
+**Branch**: `015-zero-trust-mesh` | **Date**: 2026-05-12 | **Spec**: `/specs/015-zero-trust-mesh/spec.md`  
+**Input**: Feature specification from `/specs/015-zero-trust-mesh/spec.md`
+
+## Summary
+
+Change zero-trust-mesh so the default `allowTo` list is empty and sample rules are documentation-only. Add a base chart parent override for `zeroTrustMesh.allowTo: []` so enabling the aliased subchart from base does not inherit sample allow rules from the currently packaged dependency.
+
+## Technical Context
+
+**Language/Version**: Helm template DSL, YAML manifests  
+**Primary Dependencies**: Helm 3 CLI, zero-trust-mesh chart, base chart dependency alias `zeroTrustMesh`  
+**Storage**: N/A  
+**Testing**: `helm lint`, `helm template`, focused shell render assertions  
+**Target Platform**: Kubernetes clusters using the dasmeta base and zero-trust-mesh Helm charts  
+**Project Type**: Helm chart repository  
+**Performance Goals**: No rendering performance change  
+**Constraints**: Keep explicit `allowTo` behavior intact; avoid changing zero-trust-mesh templates unnecessarily  
+**Scale/Scope**: `charts/zero-trust-mesh`, `charts/base`, focused tests, README, and Speckit artifacts under `specs/015-zero-trust-mesh/`
+
+## Constitution Check
+
+*GATE: Must pass before implementation. Re-check after design artifacts.*
+
+- [x] **Chart-First**: Work stays inside chart values, chart docs, chart tests, and repo specs.
+- [x] **Values Contract**: The consumer-facing behavior is represented in `values.yaml` as `allowTo: []` and `zeroTrustMesh.allowTo: []`.
+- [x] **Lint & Template**: Plan includes `helm lint` and `helm template` checks for standalone and base renders.
+- [x] **Versioning & Compatibility**: Change is backward-compatible for explicit values and includes patch version bumps.
+- [x] **Simplicity & Defaults**: Fix changes defaults only; template logic remains unchanged.
+- [x] **Examples for abilities**: Examples remain in comments and existing example files.
+- [x] **Regression testing**: Plan includes render assertions that detect accidental sample allow resources.
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/015-zero-trust-mesh/
+├── plan.md
+├── research.md
+├── data-model.md
+├── quickstart.md
+├── contracts/
+│   └── render-contract.md
+├── checklists/
+│   └── requirements.md
+└── tasks.md
+```
+
+### Source Code (repository root)
+
+```text
+charts/
+├── base/
+│   ├── Chart.yaml
+│   ├── values.yaml
+│   └── tests/
+│       └── render-zero-trust-default-empty.sh
+└── zero-trust-mesh/
+    ├── Chart.yaml
+    ├── README.md
+    ├── values.yaml
+    └── tests/
+        └── render-default-empty.sh
+```
+
+**Structure Decision**: Keep the behavioral change in values files. The existing templates already guard allow resources behind `.Values.allowTo`, so an empty list is enough to suppress sample resources.
+
+## Phase 0: Research Plan
+
+- Confirm current default render emits sample backend, Stripe, and IP resources.
+- Confirm templates are already conditional on `.Values.allowTo`.
+- Confirm base must override `zeroTrustMesh.allowTo` because it vendors a packaged dependency.
+
+## Phase 1: Design & Contracts Plan
+
+- Define render contract for empty default behavior in `contracts/render-contract.md`.
+- Document `AllowToDefault` and base override behavior in `data-model.md`.
+- Provide quickstart commands for focused assertions, chart linting, and explicit-value examples.
+- Re-check constitution compliance after artifact generation.
+
+## Post-Design Constitution Check
+
+- [x] No constitution violations remain in the planned implementation.
+- [x] Chart version bumps are included in tasks.
+- [x] Focused assertions cover standalone and base render behavior.
+
+## Complexity Tracking
+
+No constitution violations requiring justification.

specs/015-zero-trust-mesh/quickstart.md

@@ -0,0 +1,46 @@
+# Quickstart: Zero Trust Mesh Empty Default Allow Rules
+
+Run all commands from the repository root.
+
+## Focused Standalone Default Test
+
+```bash
+charts/zero-trust-mesh/tests/render-default-empty.sh ./charts/zero-trust-mesh
+```
+
+Expected: command exits with status `0`; no sample `backend`, `api.stripe.com`, or `192.0.2.10` resources are rendered.
+
+## Focused Base Default Test
+
+```bash
+charts/base/tests/render-zero-trust-default-empty.sh ./charts/base
+```
+
+Expected: command exits with status `0`; enabling `zeroTrustMesh` from base does not render sample allow resources.
+
+## Chart Lint
+
+```bash
+helm lint ./charts/zero-trust-mesh
+helm lint ./charts/base
+```
+
+Expected: each command reports `0 chart(s) failed`.
+
+## Default Renders
+
+```bash
+helm template ztm-default ./charts/zero-trust-mesh -n default
+helm template base-enabled ./charts/base -n default --set zeroTrustMesh.enabled=true
+```
+
+Expected: each command exits with status `0`; standalone zero-trust-mesh default output is empty, and base renders only its normal base resources.
+
+## Explicit AllowTo Regression
+
+```bash
+helm template ztm-full ./charts/zero-trust-mesh -n default -f ./examples/zero-trust-mesh/values.full.yaml
+helm template base-with-ztm ./charts/base -n default -f ./examples/base/with-zero-trust-mesh.yaml
+```
+
+Expected: each command exits with status `0` and renders the explicitly configured allow rules.

specs/015-zero-trust-mesh/research.md

@@ -0,0 +1,28 @@
+# Research: Zero Trust Mesh Empty Default Allow Rules
+
+## Decision: Set active zero-trust-mesh `allowTo` default to `[]`
+
+**Rationale**: Existing templates already wrap service, host, and IP resources in `.Values.allowTo` conditionals. Emptying the active list removes sample resources without changing template behavior.
+
+**Alternatives considered**:
+
+- Add new template guards: rejected because `.Values.allowTo` is already the correct guard.
+- Remove examples entirely from `values.yaml`: rejected because consumers still need discoverable rule shapes.
+
+## Decision: Add base parent override `zeroTrustMesh.allowTo: []`
+
+**Rationale**: `charts/base` currently vendors `zero-trust-mesh-0.1.0.tgz`, so changing the source chart values alone does not affect renders from base. A parent value under the dependency alias overrides the packaged subchart default.
+
+**Alternatives considered**:
+
+- Repackage the subchart immediately: rejected for this change because the parent override fixes current base renders without changing dependency packaging.
+- Rely on `zeroTrustMesh.enabled=false`: insufficient because the reported issue happens when consumers enable the subchart from base.
+
+## Decision: Use focused shell render assertions
+
+**Rationale**: The bug is visible in rendered manifests. Small shell assertions catch the exact accidental resources and fit the repository's existing Helm render validation style.
+
+**Alternatives considered**:
+
+- Snapshot the entire Helm output: rejected as too brittle for chart metadata and unrelated resource ordering.
+- Add template-unit framework dependency: rejected as unnecessary for this small values contract regression.