Allow omitting def in profile rule definitions

[Copilot]

Profile rules with no configurable options required def: {} as a no-op placeholder. A rule with no def should be valid and treated as an empty object.

Changes:

• validators.go: Removed the nil check in validateRule() that rejected rules with a missing def (the TODO comment there already acknowledged this intent)
• util_test.go: Updated the "invalid with no definition" test case to expect success, confirming that omitting def produces a rule with a nil Def field (equivalent to {})
• pkg/engine/v1/rtengine/engine_test.go: Added a "nil ruleDef treated as empty map" test case to confirm that Eval handles a nil ruleDef correctly end-to-end

Users can now write:

repository:
  - type: stacklok/secret_scanning

instead of requiring:

repository:
  - type: stacklok/secret_scanning
    def: {}

(*structpb.Struct).AsMap() safely returns an empty map on a nil receiver, so all downstream schema validation continues to work correctly. The RuleTypeEngine.Eval already guards schema validation with if ruleDef != nil, and the rego evaluator handles nil input gracefully.

Testing

• Updated TestParseYAML to assert a profile with no def parses successfully and produces a nil Def field on the rule
• Added TestGitProvider/nil_ruleDef_treated_as_empty_map in pkg/engine/v1/rtengine/engine_test.go to verify Eval works correctly when ruleDef is nil
• Ran go test ./pkg/profiles/... ./pkg/api/protobuf/go/minder/v1/... ./pkg/engine/v1/rtengine/... — all tests pass

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Allow nil def in profile definition</issue_title>
<issue_description>### Describe the issue

If a profile uses a rule type but does not need to specify any options, then one should be able to:

repository:
  - type: stacklok/secret_scanning

but def is required, so one must:

repository:
  - type: stacklok/secret_scanning
    def: {}

To Reproduce

No response

What version are you using?

No response</issue_description>

<agent_instructions>Please implement this feature, treating a missing def as an empty object. Include unit tests.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Allow nil def in profile definition #4817

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[evankanderson]

This is going to need some manual testing. (And coveralls.io is down).

[evankanderson]

I tested this on a staging instance; charmingly, the validation about invalid values actually happens on the client side, so you need a new minder CLI in order to be able to see it. I will probably see about doing a CLI release shortly to pick up this and some other improvements.

[evankanderson]

Tested this manually; the validation happens both client and server side, so a new client is needed. Will probably merge on Monday.

[JAORMX]

lgtm

[evankanderson]

This also needs to test that Eval in pkg/engine/v1/rtengine can properly handle if ruleDef is null rather than an empty map.

[Copilot]

This also needs to test that Eval in pkg/engine/v1/rtengine can properly handle if ruleDef is null rather than an empty map.

Added a "nil ruleDef treated as empty map" test case in pkg/engine/v1/rtengine/engine_test.go (commit 6f82e18). It calls rte.Eval with Def: nil and confirms no error is returned. The engine already guards the schema validation with if ruleDef != nil, and the rego evaluator handles nil gracefully, so both paths work correctly.

[evankanderson]

Verified that this works with schema validation using the following ruletype and profile:

test-rule-schema.yaml

version: v1
type: rule-type
name: test-rule-schema
display_name: Test rules with required schema fields
context:
  provider: github
description: required
guidance: required
def:
  in_entity: repository
  rule_schema:
    type: object
    properties:
      required_field:
        type: string
        # No default set
    required: ["required_field"]
  ingest:
    type: rest
    rest:
      endpoint: "/repos/{{.Entity.Owner}}/{{.Entity.Name}}"
      parse: json
  eval:
    type: jq
    jq:
    - ingested:
        def: '.delete_branch_on_merge'
      constant: true

policy.yaml

version: v1
type: profile
name: test-schema
context:
  provider: github
repository:
  - type: test-rule-schema

[evankanderson]

@JAORMX, it looks like I need your approval again. Sorry for the go-round, but I wanted to verify that this didn't have negative effects, and the extra test case along with manual testing makes me more confident.