init.lua

-- purpose of this file is to have JUST ONE entrypoint to the module
-- so it can be required without any extra knowledge,
-- but also that the real file can have own name so it is easier to find

-- this file is loaded in a sandbox that has only APIcast load path and this policy available,
-- so there should be no namespace clash other than with APIcast itself.
return require('policy_name')

policy_name.lua

local _M = required('apicast.policy').new()

local dep = require('vendor.dependency_name')

return _M

structure

1) must work both locally and when copied to a container
2) should NOT impose any naming rules for the source code
3) should have JUST ONE well-known entrypoint to load the code
4) should vendor all dependencies
5) must have a manifest file on well-known or guessable location
6) must be unique to each policy - policies are self contained and share nothing with other policies
7) must have unique policy_name


Example:

policy_name/
policy_name/init.lua
policy_name/policy_name.lua
policy_name/vendor/dependency_name.lua
policy_name/apicast-policy.json

Would be installed like into folder :

./policies/policy_name/policy_version/

so each {policy_name,policy_version} tuple has own directory.


And APIcast loader would take care of finding the proper policy based on the name and version in the chain: 
[ { "name": "policy_name", "version": "policy_version" } ]

would call `policy_chain.load('policy_name', 'policy_version')`
which would require the policy code in sandbox and return the policy object.