// Package netpol implements Kubernetes NetworkPolicy enforcement for flock.
//
// # Model
//
// NetworkPolicy is a Kubernetes-native API (`networking.k8s.io/v1`) that
// describes which pods may receive traffic (Ingress) and / or initiate
// traffic (Egress). The semantics are isolation by selection: a pod that is
// selected by *any* NetworkPolicy in a given direction becomes default-deny
// in that direction, plus the union of all "allow" rules from every policy
// that selects it. A pod selected by no policy is unrestricted.
//
// flock enforces these semantics with nftables. Each agent is responsible
// for the pods scheduled on its own node — peer addresses (from
// podSelector / namespaceSelector / ipBlock peers) come from a cluster-wide
// informer set so the agent can resolve peers that live elsewhere.
//
// # Pipeline
//
// The work is split into four stages with hard boundaries between them so
// each can be tested in isolation:
//
//  1. Informers (informers.go) — watch NetworkPolicies, Namespaces, and
//     all Pods in the cluster. Maintain indices the translator can query.
//
//  2. Translator (translator.go) — pure function from
//     (NetworkPolicy set, Namespace set, Pod set, local-node pod set) to
//     []Rule. No I/O, no hidden state — straightforward to fuzz and unit
//     test. Implements the default-deny semantics and the peer-resolution
//     rules from the NetworkPolicy spec.
//
//  3. Renderer (render.go) — pure function from []Rule to an nft script
//     (string). Output is deterministic so the apply stage can de-dupe.
//
//  4. Apply (apply_linux.go) — shell out to `nft -f -` for an atomic
//     reconfiguration. nftables guarantees the whole script applies as a
//     single transaction; partial failures roll back automatically.
//
// # Why nftables (and not eBPF)
//
// Atomic ruleset transactions, kernel-native, no userspace ebpf-loader to
// maintain, and behaviour an operator can read directly with
// `nft list ruleset`. The cost is that we walk per-pod chains in software,
// which is fine at the cluster sizes flock targets.
package netpol