feat(policy): add policy develop init

app/cli/cmd/policy.go

@@ -0,0 +1,30 @@
+//
+// Copyright 2025 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func newPolicyCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "policy",
+		Short: "Craft chainloop policies",
+	}
+
+	cmd.AddCommand(newPolicyDevelopCmd())
+	return cmd
+}

app/cli/cmd/policy_develop.go

@@ -0,0 +1,31 @@
+//
+// Copyright 2025 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func newPolicyDevelopCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "develop",
+		Aliases: []string{"dev"},
+		Short:   "Tools for policy development",
+	}
+
+	cmd.AddCommand(newPolicyDevelopInitCmd())
+	return cmd
+}

app/cli/cmd/policy_develop_init.go

@@ -0,0 +1,79 @@
+//
+// Copyright 2025 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/chainloop-dev/chainloop/app/cli/internal/action"
+	"github.com/spf13/cobra"
+)
+
+func newPolicyDevelopInitCmd() *cobra.Command {
+	var (
+		force       bool
+		embedded    bool
+		name        string
+		description string
+	)
+
+	cmd := &cobra.Command{
+		Use:   "init [directory]",
+		Short: "Initialize a new policy",
+		Long: `Initialize a new policy by creating template policy files in the specified directory.
+By default, it creates chainloop-policy.yaml and chainloop-policy.rego files.`,
+		Example: `  
+  # Initialize in current directory with separate files
+  chainloop policy develop init
+
+  # Initialize in specific directory with embedded format
+  chainloop policy develop init ./policies --embedded`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// Default to current directory if not specified
+			dir := "."
+			if len(args) > 0 {
+				dir = args[0]
+			}
+
+			opts := &action.PolicyInitOpts{
+				Force:       force,
+				Embedded:    embedded,
+				Name:        name,
+				Description: description,
+			}
+
+			policyInit, err := action.NewPolicyInit(opts, actionOpts)
+			if err != nil {
+				return fmt.Errorf("failed to initialize policy: %w", err)
+			}
+
+			if err := policyInit.Run(cmd.Context(), dir); err != nil {
+				return newGracefulError(err)
+			}
+
+			logger.Info().Msg("Initialized policy files")
+
+			return nil
+		},
+	}
+
+	cmd.Flags().BoolVarP(&force, "force", "f", false, "overwrite existing files")
+	cmd.Flags().BoolVar(&embedded, "embedded", false, "initialize an embedded policy (single YAML file)")
+	cmd.Flags().StringVar(&name, "name", "", "name of the policy")
+	cmd.Flags().StringVar(&description, "description", "", "description of the policy")
+
+	return cmd
+}

app/cli/cmd/root.go

@@ -242,7 +242,7 @@ func NewRootCmd(l zerolog.Logger) *cobra.Command {
 	rootCmd.AddCommand(newWorkflowCmd(), newAuthCmd(), NewVersionCmd(),
 		newAttestationCmd(), newArtifactCmd(), newConfigCmd(),
 		newIntegrationCmd(), newOrganizationCmd(), newCASBackendCmd(),
-		newReferrerDiscoverCmd(),
+		newReferrerDiscoverCmd(), newPolicyCmd(),
 	)
 
 	// Load plugins if we are not running a subcommand

app/cli/documentation/cli-reference.mdx

@@ -2700,6 +2700,178 @@ Options inherited from parent commands
 -y, --yes                       Skip confirmation
 ```
 
+## chainloop policy
+
+Craft chainloop policies
+
+Options
+
+```
+-h, --help   help for policy
+```
+
+Options inherited from parent commands
+
+```
+--artifact-cas string       URL for the Artifacts Content Addressable Storage API ($CHAINLOOP_ARTIFACT_CAS_API) (default "api.cas.chainloop.dev:443")
+--artifact-cas-ca string    CUSTOM CA file for the Artifacts CAS API (optional) ($CHAINLOOP_ARTIFACT_CAS_API_CA)
+-c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
+--control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
+--control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
+-i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
+-n, --org string                organization name
+-o, --output string             Output format, valid options are json and table (default "table")
+-t, --token string              API token. NOTE: Alternatively use the env variable CHAINLOOP_TOKEN
+-y, --yes                       Skip confirmation
+```
+
+### chainloop policy develop
+
+Tools for policy development
+
+Options
+
+```
+-h, --help   help for develop
+```
+
+Options inherited from parent commands
+
+```
+--artifact-cas string       URL for the Artifacts Content Addressable Storage API ($CHAINLOOP_ARTIFACT_CAS_API) (default "api.cas.chainloop.dev:443")
+--artifact-cas-ca string    CUSTOM CA file for the Artifacts CAS API (optional) ($CHAINLOOP_ARTIFACT_CAS_API_CA)
+-c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
+--control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
+--control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
+-i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
+-n, --org string                organization name
+-o, --output string             Output format, valid options are json and table (default "table")
+-t, --token string              API token. NOTE: Alternatively use the env variable CHAINLOOP_TOKEN
+-y, --yes                       Skip confirmation
+```
+
+#### chainloop policy develop help
+
+Help about any command
+
+Synopsis
+
+Help provides help for any command in the application.
+Simply type develop help [path to command] for full details.
+
+```
+chainloop policy develop help [command] [flags]
+```
+
+Options
+
+```
+-h, --help   help for help
+```
+
+Options inherited from parent commands
+
+```
+--artifact-cas string       URL for the Artifacts Content Addressable Storage API ($CHAINLOOP_ARTIFACT_CAS_API) (default "api.cas.chainloop.dev:443")
+--artifact-cas-ca string    CUSTOM CA file for the Artifacts CAS API (optional) ($CHAINLOOP_ARTIFACT_CAS_API_CA)
+-c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
+--control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
+--control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
+-i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
+-n, --org string                organization name
+-o, --output string             Output format, valid options are json and table (default "table")
+-t, --token string              API token. NOTE: Alternatively use the env variable CHAINLOOP_TOKEN
+-y, --yes                       Skip confirmation
+```
+
+#### chainloop policy develop init
+
+Initialize a new policy
+
+Synopsis
+
+Initialize a new policy by creating template policy files in the specified directory.
+By default, it creates chainloop-policy.yaml and chainloop-policy.rego files.
+
+```
+chainloop policy develop init [directory] [flags]
+```
+
+Examples
+
+```
+
+Initialize in current directory with separate files
+chainloop policy develop init
+
+Initialize in specific directory with embedded format
+chainloop policy develop init ./policies --embedded
+```
+
+Options
+
+```
+--description string   description of the policy
+--embedded             initialize an embedded policy (single YAML file)
+-f, --force                overwrite existing files
+-h, --help                 help for init
+--name string          name of the policy
+```
+
+Options inherited from parent commands
+
+```
+--artifact-cas string       URL for the Artifacts Content Addressable Storage API ($CHAINLOOP_ARTIFACT_CAS_API) (default "api.cas.chainloop.dev:443")
+--artifact-cas-ca string    CUSTOM CA file for the Artifacts CAS API (optional) ($CHAINLOOP_ARTIFACT_CAS_API_CA)
+-c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
+--control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
+--control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
+-i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
+-n, --org string                organization name
+-o, --output string             Output format, valid options are json and table (default "table")
+-t, --token string              API token. NOTE: Alternatively use the env variable CHAINLOOP_TOKEN
+-y, --yes                       Skip confirmation
+```
+
+### chainloop policy help
+
+Help about any command
+
+Synopsis
+
+Help provides help for any command in the application.
+Simply type policy help [path to command] for full details.
+
+```
+chainloop policy help [command] [flags]
+```
+
+Options
+
+```
+-h, --help   help for help
+```
+
+Options inherited from parent commands
+
+```
+--artifact-cas string       URL for the Artifacts Content Addressable Storage API ($CHAINLOOP_ARTIFACT_CAS_API) (default "api.cas.chainloop.dev:443")
+--artifact-cas-ca string    CUSTOM CA file for the Artifacts CAS API (optional) ($CHAINLOOP_ARTIFACT_CAS_API_CA)
+-c, --config string             Path to an existing config file (default is $HOME/.config/chainloop/config.toml)
+--control-plane string      URL for the Control Plane API ($CHAINLOOP_CONTROL_PLANE_API) (default "api.cp.chainloop.dev:443")
+--control-plane-ca string   CUSTOM CA file for the Control Plane API (optional) ($CHAINLOOP_CONTROL_PLANE_API_CA)
+--debug                     Enable debug/verbose logging mode
+-i, --insecure                  Skip TLS transport during connection to the control plane ($CHAINLOOP_API_INSECURE)
+-n, --org string                organization name
+-o, --output string             Output format, valid options are json and table (default "table")
+-t, --token string              API token. NOTE: Alternatively use the env variable CHAINLOOP_TOKEN
+-y, --yes                       Skip confirmation
+```
+
 ## chainloop version
 
 Command line version

app/cli/internal/action/policy_develop_init.go

@@ -0,0 +1,58 @@
+//
+// Copyright 2025 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package action
+
+import (
+	"context"
+	"fmt"
+
+	policy "github.com/chainloop-dev/chainloop/app/cli/internal/policy/init"
+)
+
+type PolicyInitOpts struct {
+	Force       bool
+	Embedded    bool
+	Name        string
+	Description string
+}
+
+type PolicyInit struct {
+	*ActionsOpts
+	opts *PolicyInitOpts
+}
+
+func NewPolicyInit(opts *PolicyInitOpts, actionOpts *ActionsOpts) (*PolicyInit, error) {
+	return &PolicyInit{
+		ActionsOpts: actionOpts,
+		opts:        opts,
+	}, nil
+}
+
+func (action *PolicyInit) Run(_ context.Context, dir string) error {
+	initOpts := &policy.InitOptions{
+		Dir:         dir,
+		Embedded:    action.opts.Embedded,
+		Force:       action.opts.Force,
+		Name:        action.opts.Name,
+		Description: action.opts.Description,
+	}
+
+	if err := policy.Initialize(initOpts); err != nil {
+		return fmt.Errorf("initializing policy: %w", err)
+	}
+
+	return nil
+}