Policy Lint Checklist

Use this checklist before promoting a bundle to production.

Structural checks

  • bundle_version increased
  • policies[] and rules[] valid
  • algorithms/config fields valid for each rule

Matching checks

  • selectors match intended paths/methods
  • no broad pathPrefix: "/" unless it is intended
  • fallback_limit behavior understood and tested

Descriptor checks

  • all descriptor keys are actually forwarded/present
  • cardinality is bounded and operationally safe

Safety checks

  • canary/shadow rollout plan exists
  • rollback bundle is prepared
  • kill-switch scopes are narrow

Runtime checks

  • validate with CLI and representative requests
  • monitor reject reasons and retry-after distribution post-rollout
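
The structural, matching and descriptor checks above can be automated as a pre-promotion gate. The sketch below is an added example, not the project's own tooling: the bundle layout, the broad_match_intended flag and the per-key value estimates are assumptions made for illustration, and the sample data is constructed.

```python
import math

# Constructed sample; the bundle layout, "broad_match_intended" and the
# descriptor estimates are assumptions for illustration, not the real schema.
SAMPLE_BUNDLE = {
    "bundle_version": 7,
    "policies": [{"rules": [
        {"selector": {"pathPrefix": "/"}, "descriptors": ["tenant_id"]},
        {"selector": {"pathPrefix": "/api/login"},
         "descriptors": ["tenant_id", "client_ip", "user_agent"]},
    ]}],
}
# Descriptor keys the edge actually forwards -> estimated distinct values.
SAMPLE_FORWARDED = {"tenant_id": 200, "client_ip": 50_000}

def lint_bundle(bundle, previous_version, forwarded, max_cardinality=1_000_000):
    """Return a list of findings; an empty list means these checks passed."""
    findings = []
    version = bundle.get("bundle_version")
    if not isinstance(version, int) or version <= previous_version:
        findings.append("bundle_version not increased")
    policies = bundle.get("policies")
    if not isinstance(policies, list) or not policies:
        return findings + ["policies[] missing or empty"]
    for p, policy in enumerate(policies):
        rules = policy.get("rules")
        if not isinstance(rules, list) or not rules:
            findings.append(f"policies[{p}].rules[] missing or empty")
            continue
        for r, rule in enumerate(rules):
            where = f"policies[{p}].rules[{r}]"
            # A root prefix matches every path, so require an explicit opt-in.
            if (rule.get("selector", {}).get("pathPrefix") == "/"
                    and not rule.get("broad_match_intended")):
                findings.append(f'{where}: pathPrefix "/" without stated intent')
            keys = rule.get("descriptors", [])
            for key in keys:
                if key not in forwarded:
                    findings.append(f"{where}: descriptor {key!r} not forwarded")
            # Worst-case counter count is the product of per-key value counts.
            worst = math.prod(forwarded[k] for k in keys if k in forwarded)
            if worst > max_cardinality:
                findings.append(f"{where}: cardinality {worst} exceeds bound")
    return findings

if __name__ == "__main__":
    for finding in lint_bundle(SAMPLE_BUNDLE, 7, SAMPLE_FORWARDED):
        print(finding)
```

A non-empty result should block promotion. The fallback_limit, rollout and runtime items still need the CLI validation and monitoring listed above.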