It looks obviously correct to me, but I still have a question: do you
happen to have a Bazel BUILD file somewhere (we could also add it to
passt's contrib/ if it's not in any other repository) to check future
changes against it?
The primary BUILD file is in Google's internal repository, so I can't share that.
Unfortunately in my quick testing, the OSS bazel build doesn't actually catch the same layering check violations that Google's internal "Blaze" variant of bazel does.
So I'm not sure how helpful it would be.