vaultkit 1.0.6 → 1.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c99e29a96bcd6b84bf3de1322b79f256118f5025918ef7573563d66f42ad9b93
-  data.tar.gz: bb09e5336124994c39127859bc9cb978b86cb6c4d5a2a610080f608f262f4c6a
+  metadata.gz: 3cc5f978b053f8fe4ac4e146a50b90e2fecc93b884073816c760bb0d99502b96
+  data.tar.gz: 26b63ecee6b659f0bf0f645455963f712aac27df77850e142dabc894d5b8070a
 SHA512:
-  metadata.gz: 1899ddef1628cf6d67e394b5d2c7e616e25a6c17e7ee86c609beff0cf02c8339e2611e2b78a55438312a59e3e51389cf5163e55089efc5a4a498548077837f63
-  data.tar.gz: 0a2b23c898735fc6b706549d8e45872bc976a00bc4750843115f3eaf825b587595a40ed5095b72dc57f8c61e292ef489e478754bd92f5459e57aa97bf5048e73
+  metadata.gz: ba3984df812852cab48f7a530d77d021a8ecbb43432cd212f3ed7d0cd14c71705fce6894f05d3b7db84569168cd4004609fe9f9a702ca2b90c6130c59dcf3402
+  data.tar.gz: 7d5c1ca12d0fb08798c6c85bfa2fc10fd6db0667129f7d2fa51e72542dae471c734511f3480e1b73ba3c070903985fb5c42bb789905c1dea3aa4e383d3a6b599

data/lib/vkit/cli/base_cli.rb

@@ -169,13 +169,40 @@ module Vkit
         )
       end
 
+      # REGISTRY
+      desc "registry SUBCOMMAND ...ARGS", "Manage local registry.yaml"
+      subcommand "registry", Class.new(Thor) {
+
+        desc "export", "Export runtime registry to datasets/registry.yaml"
+        option :dir, type: :string, default: "."
+        option :out, type: :string, desc: "Custom output path"
+        option :force, type: :boolean, default: false
+        def export
+          Commands::RegistryExportCommand.new.call(
+            dir: options[:dir],
+            out: options[:out],
+            force: options[:force]
+          )
+        end
+
+        desc "diff", "Diff local registry.yaml against runtime registry"
+        option :dir, type: :string, default: "."
+        option :format, type: :string, default: "human", enum: %w[human json]
+        def diff
+          Commands::RegistryDiffCommand.new.call(
+            dir: options[:dir],
+            format: options[:format]
+          )
+        end
+      }
+
       # POLICY
       desc "policy SUBCOMMAND ...ARGS", "Manage policy bundles"
       subcommand "policy", Class.new(Thor) {
 
         desc "bundle", "Compile YAML policies into a JSON policy bundle"
         option :policies_dir, type: :string, default: "config/policies"
-        option :registry_dir, type: :string, default: "config"
+        option :registry_dir, type: :string, default: "datasets"
         option :out, type: :string, default: "dist/policy_bundle.json"
         option :org, type: :string
         option :version, type: :string

data/lib/vkit/cli/commands/fetch_command.rb

@@ -16,8 +16,7 @@ module Vkit
               body: {}
             )
 
-            rows = response.dig("rows", "rows") || []
-            meta = response.dig("rows", "meta") || {}
+            rows, meta = normalize_response(response)
 
             print_result(rows, meta, format)
           end
@@ -42,6 +41,24 @@ module Vkit
             raise "Unknown format: #{format}"
           end
         end
+
+        def normalize_response(response)
+          rows =
+            if response["rows"].is_a?(Array)
+              response["rows"]
+            else
+              response.dig("rows", "rows") || []
+            end
+        
+          meta =
+            if response["meta"].is_a?(Hash)
+              response["meta"]
+            else
+              response.dig("rows", "meta") || {}
+            end
+        
+          [rows, meta]
+        end
       end
     end
   end

data/lib/vkit/cli/commands/init_command.rb

@@ -59,15 +59,25 @@ module Vkit
           FileUtils.mkdir_p(File.join(dir, "datasets"))
           FileUtils.mkdir_p(File.join(dir, "dist"))
           FileUtils.mkdir_p(File.join(dir, ".vkit"))
-
+        
           registry_path = File.join(dir, "datasets", "registry.yaml")
-          unless File.exist?(registry_path)
+        
+          if File.exist?(registry_path)
+            puts "ℹ️  datasets/registry.yaml already exists — leaving unchanged."
+          else
             File.write(
               registry_path,
-              "# Dataset registry\n# Populate with: vkit scan <datasource> --apply\n"
+              <<~YAML
+                # VaultKit Dataset Registry
+                #
+                # Populate with:
+                #   vkit scan <datasource> --apply
+                #   vkit registry export
+                #
+              YAML
             )
           end
-
+        
           gitignore_path = File.join(dir, ".gitignore")
           unless File.exist?(gitignore_path)
             File.write(
@@ -75,7 +85,7 @@ module Vkit
               "dist/\n.vkit/\n"
             )
           end
-        end
+        end        
       end
     end
   end

data/lib/vkit/cli/commands/policy_bundle_command.rb

@@ -67,22 +67,21 @@ module Vkit
         private
 
         def git_sha
-          `git rev-parse HEAD`.strip
-        rescue
+          out = `git rev-parse HEAD 2>/dev/null`.strip
+          return out unless out.empty?
+        
           Time.now.to_i.to_s
         end
-
+        
         def git_repo
-          `git config --get remote.origin.url`.strip
-        rescue
-          nil
+          out = `git config --get remote.origin.url 2>/dev/null`.strip
+          out.empty? ? nil : out
         end
-
+        
         def git_ref
-          `git rev-parse --abbrev-ref HEAD`.strip
-        rescue
-          nil
-        end
+          out = `git rev-parse --abbrev-ref HEAD 2>/dev/null`.strip
+          out.empty? ? nil : out
+        end        
       end
     end
   end

data/lib/vkit/cli/commands/registry_diff_command.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require "yaml"
+require "json"
+require_relative "../../core/registry_diff"
+require_relative "../../core/registry_diff_printer"
+
+module Vkit
+  module CLI
+    module Commands
+      class RegistryDiffCommand < BaseCommand
+        DEFAULT_PATH = File.join("datasets", "registry.yaml")
+
+        def call(dir:, format: "human")
+          ensure_project!(dir)
+
+          dir  = File.expand_path(dir)
+          path = File.join(dir, DEFAULT_PATH)
+
+          unless File.exist?(path)
+            puts "❌ No local registry.yaml found."
+            exit 2
+          end
+
+          with_auth do
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            local = YAML.safe_load(
+              File.read(path),
+              permitted_classes: [],
+              permitted_symbols: [],
+              aliases: false
+            )
+            runtime = authenticated_client.get(
+              "/api/v1/orgs/#{org}/registries/export"
+            )
+
+            diff = Vkit::Core::RegistryDiff.compute(
+              local: local,
+              remote: runtime
+            )
+
+            if format == "json"
+              puts JSON.pretty_generate(diff)
+              exit diff["datasets"].empty? ? 0 : 1
+            else
+              Vkit::Core::RegistryDiffPrinter.print(diff)
+              exit diff["datasets"].empty? ? 0 : 1
+            end
+          end
+
+        rescue StandardError => e
+          puts "❌ Error: #{e.message}"
+          exit 2
+        end
+
+        private
+
+        def ensure_project!(dir)
+          raise "Not a VaultKit project (missing .vkit/)" unless Dir.exist?(File.join(dir, ".vkit"))
+        end
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/registry_export_command.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require "yaml"
+require_relative "base_command"
+
+module Vkit
+  module CLI
+    module Commands
+      class RegistryExportCommand < BaseCommand
+        DEFAULT_PATH = File.join("datasets", "registry.yaml")
+
+        def call(dir:, out: nil, force: false)
+          with_auth do
+            ensure_project!(dir)
+
+            dir = File.expand_path(dir)
+            path = out ? File.expand_path(out, dir) : File.join(dir, DEFAULT_PATH)
+
+            if File.exist?(path) && !force
+              decision = handle_existing_registry(dir: dir, path: path)
+              return if decision == :abort
+            end            
+
+            user = credential_store.user
+            org  = user["organization_slug"]
+
+            registry_data = authenticated_client.get(
+              "/api/v1/orgs/#{org}/registries/export"
+            )
+
+            FileUtils.mkdir_p(File.dirname(path))
+            File.write(path, registry_data.to_yaml)
+
+            puts "✅ Registry exported to:"
+            puts "   #{relative(dir, path)}"
+          end
+        rescue StandardError => e
+          puts "❌ Error: #{e.message}"
+          exit 1
+        end
+
+        private
+
+        def ensure_project!(dir)
+          raise "Not a VaultKit project (missing .vkit/)" unless Dir.exist?(File.join(dir, ".vkit"))
+        end
+
+        def handle_existing_registry(dir:, path:)
+          puts "\n⚠️  Existing registry.yaml detected at:"
+          puts "   #{relative(dir, path)}\n\n"
+        
+          puts "Choose an option:"
+          puts "  1) Overwrite entirely"
+          puts "  2) Show diff"
+          puts "  3) Abort"
+          print "\nEnter choice [1-3]: "
+        
+          choice = STDIN.gets&.strip
+        
+          case choice
+          when "1"
+            puts "\nOverwriting existing registry..."
+            :overwrite
+        
+          when "2"
+            show_diff(dir: dir)
+            puts "\nAborting."
+            :abort
+        
+          else
+            puts "\nAborting."
+            :abort
+          end
+        end        
+
+        def relative(root, abs)
+          abs.sub(root + File::SEPARATOR, "")
+        end
+
+        def show_diff(dir:)
+          Vkit::CLI::Commands::RegistryDiffCommand.new.call(dir: dir)
+        end        
+      end
+    end
+  end
+end

data/lib/vkit/cli/commands/request_command.rb

@@ -80,11 +80,20 @@ module Vkit
             exit 0
 
           when "ok"
-            rows = result["rows"] || []
+            rows = result["rows"]
+            meta = result["meta"] || {}
+
+            unless rows.is_a?(Array)
+              raise "Invalid response: expected rows to be an array"
+            end
 
             puts "✅ OK — #{rows.size} rows"
-            puts "ℹ️  Query Metadata:"
-            puts JSON.pretty_generate(result["meta"] || {})
+
+            if meta.any?
+              puts "ℹ️  Query Metadata:"
+              puts JSON.pretty_generate(meta)
+            end
+
             puts
             puts "ℹ️  Data Rows:"
             Vkit::Core::TableFormatter.render(rows)

data/lib/vkit/core/ansi.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Vkit
+  module Core
+    module Ansi
+      COLORS = {
+        red:    31,
+        green:  32,
+        yellow: 33,
+        blue:   34,
+        gray:   90
+      }.freeze
+
+      def self.color(text, color)
+        return text unless $stdout.tty?
+
+        code = COLORS[color]
+        "\e[#{code}m#{text}\e[0m"
+      end
+
+      def self.green(text)  = color(text, :green)
+      def self.red(text)    = color(text, :red)
+      def self.yellow(text) = color(text, :yellow)
+      def self.blue(text)   = color(text, :blue)
+      def self.gray(text)   = color(text, :gray)
+    end
+  end
+end

data/lib/vkit/core/registry_diff.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module Vkit
+  module Core
+    class RegistryDiff
+      def self.compute(local:, remote:)
+        local ||= {}
+        remote ||= {}
+
+        local_datasets  = normalize(local)
+        remote_datasets = normalize(remote)
+
+        out = { "datasets" => [] }
+
+        all_names = (local_datasets.keys | remote_datasets.keys).sort
+
+        all_names.each do |name|
+          local_fields  = local_datasets[name] || []
+          remote_fields = remote_datasets[name] || []
+
+          changes = diff_fields(local_fields, remote_fields)
+
+          next if changes.values.all?(&:empty?)
+
+          out["datasets"] << {
+            "name" => name,
+            "changes" => changes
+          }
+        end
+
+        out
+      end
+
+      def self.normalize(registry)
+        return {} unless registry.is_a?(Hash)
+      
+        # CASE 1: runtime export format
+        if registry.key?("datasets")
+          return Array(registry["datasets"]).each_with_object({}) do |ds, h|
+            h[ds["name"]] =
+              Array(ds["fields"]).map do |f|
+                {
+                  "name" => f["name"].to_s,
+                  "type" => f["type"].to_s,
+                  "sensitivity" => f["sensitivity"].to_s,
+                  "tags" => Array(f["tags"]).map(&:to_s).sort
+                }
+              end.sort_by { |f| f["name"] }
+          end
+        end
+      
+        # CASE 2: local YAML format
+        registry.each_with_object({}) do |(dataset_name, ds), h|
+          fields = ds["fields"] || {}
+      
+          normalized_fields =
+            fields.map do |field_name, meta|
+              {
+                "name" => field_name.to_s,
+                "type" => meta["type"].to_s,
+                "sensitivity" => meta["sensitivity"].to_s,
+                "tags" => [meta["category"]].compact.map(&:to_s).sort
+              }
+            end.sort_by { |f| f["name"] }
+      
+          h[dataset_name.to_s] = normalized_fields
+        end
+      end
+      
+
+      def self.diff_fields(local, remote)
+        l = local.each_with_object({}) { |f, h| h[f["name"]] = f }
+        r = remote.each_with_object({}) { |f, h| h[f["name"]] = f }
+
+        {
+          "added_fields" =>
+            (r.keys - l.keys).map { |k| r[k] },
+
+          "removed_fields" =>
+            (l.keys - r.keys).map { |k| l[k] },
+
+          "changed_fields" =>
+            (l.keys & r.keys).filter_map do |k|
+              next if l[k] == r[k]
+              { "name" => k, "local" => l[k], "remote" => r[k] }
+            end
+        }
+      end
+
+      private_class_method :diff_fields, :normalize
+    end
+  end
+end

data/lib/vkit/core/registry_diff_printer.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require_relative "ansi"
+
+module Vkit
+  module Core
+    class RegistryDiffPrinter
+      def self.print(diff)
+        datasets = diff["datasets"] || []
+
+        summary = summarize(datasets)
+
+        if summary[:total_changes].zero?
+          puts Ansi.green("✓ No differences between local registry and runtime.")
+          return
+        end
+
+        print_summary(summary)
+        puts
+
+        datasets.each do |ds|
+          changes = ds["changes"]
+          next if changes.values.all?(&:empty?)
+
+          puts Ansi.blue("Dataset: #{ds['name']}")
+          puts
+
+          print_added(changes["added_fields"])
+          print_removed(changes["removed_fields"])
+          print_changed(changes["changed_fields"])
+
+          puts "-" * 50
+        end
+      end
+
+      def self.summarize(datasets)
+        datasets.each_with_object(
+          datasets_changed: 0,
+          added: 0,
+          removed: 0,
+          changed: 0,
+          total_changes: 0
+        ) do |ds, acc|
+          changes = ds["changes"] || {}
+
+          a = Array(changes["added_fields"]).size
+          r = Array(changes["removed_fields"]).size
+          c = Array(changes["changed_fields"]).size
+
+          next if a + r + c == 0
+
+          acc[:datasets_changed] += 1
+          acc[:added] += a
+          acc[:removed] += r
+          acc[:changed] += c
+          acc[:total_changes] += (a + r + c)
+        end
+      end
+
+      def self.print_summary(summary)
+        line = [
+          "#{summary[:datasets_changed]} datasets changed",
+          "#{summary[:added]} added",
+          "#{summary[:removed]} removed",
+          "#{summary[:changed]} modified"
+        ].join(" | ")
+
+        puts Ansi.yellow(line)
+      end
+
+      def self.print_added(fields)
+        return if fields.empty?
+
+        puts Ansi.green("  + Added Fields:")
+        fields.each do |f|
+          puts Ansi.green("    + #{f['name']} (#{f['type']})")
+        end
+        puts
+      end
+
+      def self.print_removed(fields)
+        return if fields.empty?
+
+        puts Ansi.red("  - Removed Fields:")
+        fields.each do |f|
+          puts Ansi.red("    - #{f['name']} (#{f['type']})")
+        end
+        puts
+      end
+
+      def self.print_changed(fields)
+        return if fields.empty?
+
+        puts Ansi.yellow("  ~ Changed Fields:")
+        fields.each do |f|
+          puts Ansi.yellow("    ~ #{f['name']}")
+          puts Ansi.gray("        From: #{f['from']}")
+          puts Ansi.gray("        To:   #{f['to']}")
+        end
+        puts
+      end
+
+      private_class_method :summarize,
+                           :print_summary,
+                           :print_added,
+                           :print_removed,
+                           :print_changed
+    end
+  end
+end

data/lib/vkit/policy/bundle_compiler.rb

@@ -104,7 +104,31 @@ module Vkit
 
       def self.extract_masking(p)
         return unless p.dig("action", "mask")
-        p["masking"]
+      
+        raw =
+          p["masking"] ||
+          p.dig("action", "masking") || {}
+      
+        default_method =
+          normalize_mask_method(raw["default_method"]) if raw["default_method"]
+      
+        rules =
+          case raw["rules"]
+          when Hash
+            raw["rules"].each_with_object({}) do |(field, method), acc|
+              acc[field.to_s] = normalize_mask_method(method)
+            end
+          else
+            {}
+          end
+      
+        result = {}
+        result["default_method"] = default_method if default_method
+        result["rules"] = rules if rules.any?
+      
+        return if result.empty?
+      
+        result
       end
 
       def self.normalize_registry(raw)
@@ -139,6 +163,16 @@ module Vkit
         end
       end
 
+      def self.normalize_mask_method(method)
+        case method.to_s
+        when "redact"   then "full"
+        when "hash"     then "hash"
+        when "truncate" then "partial"
+        when "nullify"  then "full"
+        else "full"
+        end
+      end
+
       # Canonicalization
       def self.canonical_json(obj)
         JSON.generate(sort_keys_deep(obj))

data/lib/vkit/policy/packs/ai_safety/policies/03_mask_sensitive_by_default_for_agents.yaml

@@ -13,3 +13,6 @@ action:
   mask: true
   reason: "Agents should not receive raw sensitive fields by default."
   ttl: "4h"
+
+masking:
+  default_method: redact

data/lib/vkit/policy/packs/financial_compliance/policies/02_mask_payment_tokens.yaml

@@ -11,4 +11,7 @@ context: {}
 action:
   mask: true
   reason: "Payment tokens/card-related data must never be exposed in raw form."
-  ttl: "24h"
+  ttl: 24h
+
+masking:
+  default_method: redact

data/lib/vkit/policy/packs/starter/policies/02_mask_pii_by_default.yaml

@@ -1,13 +1,16 @@
 id: mask_pii_by_default
 description: "Mask PII fields by default unless explicitly allowed."
 
+priority: 80
+
 match:
   fields:
-    sensitivity: pii
-
-priority: 80
+    contains: ["pii"]
 
 action:
   mask: true
   reason: "PII is masked by default for safety."
-  ttl: "1h"
+  ttl: 1h
+
+masking:
+  default_method: redact

data/lib/vkit/policy/policy_validator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Vkit
   module Policy
     class PolicyValidator
@@ -28,7 +30,7 @@ module Vkit
           MSG
         end
 
-        validate_action!(action, prefix)
+        validate_action!(action, policy, prefix)
         true
       end
 
@@ -41,7 +43,7 @@ module Vkit
         MSG
       end
 
-      def self.validate_action!(action, prefix)
+      def self.validate_action!(action, policy, prefix)
         intents = ACTION_KEYS.select { |k| action[k] == true }
 
         if intents.empty?
@@ -81,7 +83,8 @@ module Vkit
           require_string!(action, "approver_role", prefix)
 
         when "mask"
-          # masking config can be validated later
+          # masking is optional, but if present must be valid
+          validate_masking!(policy, prefix) if policy.key?("masking")
 
         when "allow"
           # nothing required
@@ -124,6 +127,73 @@ module Vkit
           MSG
         end
       end
+
+      # Masking validation (aligned with compiler + runtime)
+      def self.validate_masking!(policy, prefix)
+        masking = policy["masking"]
+        return unless masking
+
+        unless masking.is_a?(Hash)
+          raise ValidationError, "#{prefix}masking must be a mapping."
+        end
+
+        allowed_keys = %w[default_method rules]
+        unknown_keys = masking.keys - allowed_keys
+
+        if unknown_keys.any?
+          raise ValidationError, <<~MSG
+            #{prefix}Unknown keys in masking: #{unknown_keys.join(', ')}
+
+            Allowed keys:
+              - default_method
+              - rules
+          MSG
+        end
+
+        if masking["default_method"]
+          validate_mask_method!(
+            masking["default_method"],
+            prefix,
+            "masking.default_method"
+          )
+        end
+
+        if masking["rules"]
+          unless masking["rules"].is_a?(Hash)
+            raise ValidationError,
+              "#{prefix}masking.rules must be a mapping of field → method."
+          end
+
+          masking["rules"].each do |field, method|
+            validate_mask_method!(
+              method,
+              prefix,
+              "masking.rules.#{field}"
+            )
+          end
+        end
+      end
+
+      def self.validate_mask_method!(method, prefix, path)
+        allowed = %w[redact hash truncate nullify full partial]
+
+        unless allowed.include?(method.to_s)
+          raise ValidationError, <<~MSG
+            #{prefix}Invalid masking method at #{path}.
+
+            Allowed values:
+              - redact
+              - hash
+              - truncate
+              - nullify
+              - full
+              - partial
+
+            Got:
+              #{method.inspect}
+          MSG
+        end
+      end
     end
   end
 end

data/lib/vkit/policy/schema/policy_bundle.schema.json

@@ -264,19 +264,15 @@
             "type": "object",
             "additionalProperties": false,
             "properties": {
-              "fields": {
-                "type": "array",
-                "items": {
-                  "type": "object",
-                  "required": ["name", "method"],
-                  "additionalProperties": false,
-                  "properties": {
-                    "name": { "type": "string" },
-                    "method": {
-                      "type": "string",
-                      "enum": ["redact", "hash", "truncate", "nullify"]
-                    }
-                  }
+              "default_method": {
+                "type": "string",
+                "enum": ["full", "hash", "partial"]
+              },
+              "rules": {
+                "type": "object",
+                "additionalProperties": {
+                  "type": "string",
+                  "enum": ["full", "hash", "partial"]
                 }
               }
             }

data/lib/vkit/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Vkit
-  VERSION = "1.0.6"
+  VERSION = "1.0.8"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: vaultkit
 version: !ruby/object:Gem::Version
-  version: 1.0.6
+  version: 1.0.8
 platform: ruby
 authors:
 - Nnamdi Ogundu
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-02-16 00:00:00.000000000 Z
+date: 2026-02-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -61,6 +61,8 @@ files:
 - lib/vkit/cli/commands/policy_pack_upgrade_command.rb
 - lib/vkit/cli/commands/policy_revoke_command.rb
 - lib/vkit/cli/commands/policy_validate_command.rb
+- lib/vkit/cli/commands/registry_diff_command.rb
+- lib/vkit/cli/commands/registry_export_command.rb
 - lib/vkit/cli/commands/request_command.rb
 - lib/vkit/cli/commands/requests_list_command.rb
 - lib/vkit/cli/commands/reset_command.rb
@@ -70,9 +72,12 @@ files:
 - lib/vkit/cli/policy_bundle_validator.rb
 - lib/vkit/cli/policy_pack/manager.rb
 - lib/vkit/cli/requests_cli.rb
+- lib/vkit/core/ansi.rb
 - lib/vkit/core/auth_client.rb
 - lib/vkit/core/credential_resolver.rb
 - lib/vkit/core/credential_store.rb
+- lib/vkit/core/registry_diff.rb
+- lib/vkit/core/registry_diff_printer.rb
 - lib/vkit/core/table_formatter.rb
 - lib/vkit/policy/bundle_compiler.rb
 - lib/vkit/policy/packs/ai_safety/metadata.yaml