From 70b34fe69ba1a5b6f8d9bb23c87e2133e5e646ad Mon Sep 17 00:00:00 2001 From: rdwj Date: Wed, 6 May 2026 22:02:11 -0500 Subject: [PATCH] Add .fips-template.yaml to opt into fips-agents patch flow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without this manifest, fips-agents-cli refuses to run `fips-agents patch` against sandbox projects — the CLI's hardcoded fallback has no built-in category set for the 'sandbox' project type, so it now emits a friendly ✗ error pointing here (see fips-agents/fips-agents-cli#50). The presence of this file is what makes the patch flow work for projects scaffolded from this template. Schema: schema_version: 1, three categories (chart, docs, build) and a 10-entry never_patch list separating template-managed scaffolding from the user's runtime, tests, deploy values, and repo settings. Conservative defaults — sandbox/** (the runtime) and tests/** are in never_patch on the agent-template precedent: users may have customized these and we don't silently overwrite them. If we later decide users should track upstream runtime changes via patch, that's a follow-up that adds a 'runtime' category covering sandbox/**/*.py with ask_before_patch: true. Companion to fips-agents/fips-agents-cli#48 (the loader, shipped in v0.12.0). Older CLI installs ignore the file — non-breaking. Assisted-by: Claude Code (Opus 4.7) --- .fips-template.yaml | 65 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 .fips-template.yaml diff --git a/.fips-template.yaml b/.fips-template.yaml new file mode 100644 index 0000000..a50a2b6 --- /dev/null +++ b/.fips-template.yaml 
@@ -0,0 +1,65 @@ +# fips-agents-cli template manifest. +# +# This file declares which paths in the code-sandbox template are managed +# by the template (and so should be offered as patches by `fips-agents +# patch`) and which belong to the user. The CLI reads this file from +# the repo root after cloning, before computing drift in +# `fips-agents patch check`. +# +# Without this manifest, `fips-agents patch` does not work for sandbox +# projects — the CLI raises a clean error pointing the user here. The +# presence of this file is what opts the sandbox template into the +# patch flow. See: +# https://github.com/fips-agents/fips-agents-cli/issues/45 + +schema_version: 1 + +patch: + categories: + + chart: + description: Helm chart templates and ACM policies + patterns: + - chart/templates/**/* + - chart/Chart.yaml + - chart/README.md + - chart/policies/**/* + ask_before_patch: true + + docs: + description: Documentation files + patterns: + - CLAUDE.md + - CONTRIBUTING.md + - SECURITY.md + - docs/**/* + ask_before_patch: false + + build: + description: Build and deployment files + patterns: + - Makefile + - Containerfile + - .gitignore + - .gitleaks.toml + ask_before_patch: true + + never_patch: + # The sandbox runtime — executor, guardrails, seccomp wiring, audit, + # pipeline, profiles. Users may have customized these and shouldn't + # be silently overwritten. + - sandbox/** + # User's tests + - tests/**/*.py + # User's deploy values (default + named profiles) + - chart/values.yaml + - chart/values-ctf.yaml + - chart/values-standalone.yaml + # User's project metadata + - pyproject.toml + - README.md + - LICENSE + # Environment files + - .env* + # Per-project repo settings (CODEOWNERS, CI workflows) + - .github/**
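Review bot: The `never_patch` entry `- tests/**/*.py` does not match the commit message, which says `tests/**` is excluded; as written, non-Python test assets (fixtures, expected-output files, test configs) are still eligible for patching, so either change it to `- tests/**` or update the message to say only `*.py` is protected. Two smaller points in the same hunk: the header comment links `fips-agents-cli/issues/45` while the commit message cites #48 (loader) and #50 (error message), so one of them is probably stale; and the `docs` category sets `ask_before_patch: false` while covering `CLAUDE.md` and `SECURITY.md`, which are files users commonly customize (agent instructions, disclosure policy), so consider `ask_before_patch: true` there, consistent with the `chart` and `build` categories, rather than overwriting them without a prompt.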