Evaluation of rules in Gitano
-----------------------------

Rules in gitano are a "first match wins" mechanism of controlling access to a
repository.  There are two sources of rules for a respository.  The first set
of rules considered is the rules explicitly stated in the repository in
question.  Those rules are stored in the refs/gitano/admin branch of the
repository, access to which is being considered.  The second source of rules is
the core.rules file in the gitano-admin repository's master branch.

Gitano defines a set of magical user/group names which always start 'gitano/'
and since the admin layout does not allow for users or groups to be created

By default, the core.rules file (which is *never* automatically rewritten by
the gitano tools and thus can have commentary etc in it) defines a few useful
rules which form the basis of a gitano install.

The default set of core.rules gitano will install in a fresh gitano-admin
repository are:

---8<----
GrantClone(User "gitano/any")
GrantWrite(User "gitano/owner")
Callout("main")
---8<----

If evaluation ever falls off the end of the core rules then Gitano evaluates
the built in stop-gap rule of 'Deny(User "gitano/any")' which effectively
denies everything to everyone. This means that if the rule evaluator falls off
the end of the repository-specific rules then as a last ditch effort we deny
all access.