@aporthq/aport-agent-guardrails 1.0.15 → 1.0.16

package/bin/agent-guardrails

@@ -6,7 +6,7 @@
 #   agent-guardrails openclaw ap_xxx    # openclaw with agent_id (pass-through)
 #   agent-guardrails --framework=langchain
 #   agent-guardrails -f crewai
-# Supported: openclaw | langchain | crewai | cursor | claude-code (n8n coming soon)
+# Supported: openclaw | langchain | crewai | cursor | claude-code | deerflow | n8n
 #
 # Backward compatibility: All arguments after the framework are passed through to
 # the framework script. For OpenClaw, bin/openclaw receives them (e.g. agent_id).
@@ -60,7 +60,7 @@ if [[ -z "$framework" ]] && [[ ${#REST[@]} -gt 0 ]]; then
   # Check if first arg looks like a framework name (lowercase alphanumeric + hyphen)
   if [[ "$first_arg" =~ ^[a-z0-9-]+$ ]]; then
     # Valid framework names
-    valid_frameworks=(openclaw langchain crewai cursor claude-code n8n)
+    valid_frameworks=(openclaw langchain crewai cursor claude-code n8n deerflow)
     for valid_fw in "${valid_frameworks[@]}"; do
       if [[ "$first_arg" == "$valid_fw" ]]; then
         framework="$first_arg"
@@ -90,14 +90,14 @@ if [[ -z "$framework" ]]; then
           noninteractive="${APORT_NONINTERACTIVE:-${CI:-}}"
           if [[ -n "$noninteractive" ]]; then
             echo "[aport] ERROR: Multiple frameworks detected: $detected_list" >&2
-            echo "  Set APORT_FRAMEWORK or use --framework=openclaw | langchain | crewai | cursor | claude-code" >&2
+            echo "  Set APORT_FRAMEWORK or use --framework=openclaw | langchain | crewai | cursor | claude-code | deerflow | n8n" >&2
             exit 1
           fi
           echo ""
           echo "  APort Agent Guardrails — Framework setup"
           echo "  ─────────────────────────────────────────"
           echo "  Multiple frameworks detected: $detected_list"
-          echo "  Choose one: openclaw | langchain | crewai | cursor | claude-code"
+          echo "  Choose one: openclaw | langchain | crewai | cursor | claude-code | deerflow | n8n"
           echo "  Example: npx @aporthq/agent-guardrails --framework=openclaw"
           echo ""
           read -p "  Framework [${framework:-openclaw}]: " choice
@@ -113,14 +113,14 @@ if [[ -z "$framework" ]]; then
   noninteractive="${APORT_NONINTERACTIVE:-${CI:-}}"
   if [[ -n "$noninteractive" ]]; then
     echo "[aport] ERROR: No framework detected in current directory." >&2
-    echo "  Set APORT_FRAMEWORK or use --framework=openclaw | langchain | crewai | cursor | claude-code" >&2
+    echo "  Set APORT_FRAMEWORK or use --framework=openclaw | langchain | crewai | cursor | claude-code | deerflow | n8n" >&2
     exit 1
   fi
   echo ""
   echo "  APort Agent Guardrails — Framework setup"
   echo "  ─────────────────────────────────────────"
   echo "  No framework detected in current directory."
-  echo "  Choose: openclaw | langchain | crewai | cursor | claude-code"
+  echo "  Choose: openclaw | langchain | crewai | cursor | claude-code | deerflow | n8n"
   echo "  Example: npx @aporthq/agent-guardrails openclaw"
   echo "           npx @aporthq/agent-guardrails --framework=langchain"
   echo ""
@@ -143,7 +143,7 @@ if [[ "$framework" == "n8n" ]]; then
   echo "[aport] Note: n8n custom node is not yet available. This setup only runs the passport wizard and writes config." >&2
 fi
 
-# Run framework script if it exists and is executable (safe with empty REST)
+# Run framework-specific script if it exists (cursor, claude-code have custom logic)
 if [[ -x "$script" ]]; then
   exec "$script" ${REST+"${REST[@]}"}
 fi
@@ -153,6 +153,14 @@ if [[ "$framework" == "openclaw" ]]; then
   exec "$SCRIPT_DIR/openclaw" ${REST+"${REST[@]}"}
 fi
 
+# Generic handler: works for any framework with a next-steps.d/<framework>.txt data file
+# (crewai, langchain, deerflow, n8n, and any future framework)
+generic_script="$FRAMEWORKS_DIR/generic.sh"
+if [[ -x "$generic_script" ]]; then
+  export APORT_FRAMEWORK="$framework"
+  exec "$generic_script" ${REST+"${REST[@]}"}
+fi
+
 echo "[aport] ERROR: Unknown or unsupported framework: $framework" >&2
-echo "  Supported: openclaw, langchain, crewai, cursor, claude-code (n8n coming soon)" >&2
+echo "  Supported: openclaw, langchain, crewai, cursor, claude-code, deerflow, n8n" >&2
 exit 1

package/bin/aport-cursor-hook.sh

@@ -87,28 +87,30 @@ elif [ "$HOOK_EVENT" = "beforeMCPExecution" ] || { [ -n "$TOOL_NAME" ] && echo "
 
 elif [ -n "$TOOL_NAME" ]; then
     # preToolUse: Cursor tool names — Shell, Read, Write, Grep, Delete, Task, MCP:<name>
-    case "$TOOL_NAME" in
-        Shell)
+    # Normalize: trim whitespace, lowercase (patterns must match TOOL_NORM)
+    TOOL_NORM="$(echo "$TOOL_NAME" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')"
+    case "$TOOL_NORM" in
+        shell)
             GUARDRAIL_TOOL="bash"
             CONTEXT_JSON="$(safe_jq "$INPUT" '{command: (.tool_input.command // "")}')"
             ;;
-        Read | Grep)
-            # Read-family: allow without calling evaluator
+        read | grep | glob | semanticsearch)
+            # Read-family: allow without calling evaluator (matches Claude Code behavior)
             exit 0
             ;;
-        Write)
+        write | strreplace | editnotebook)
             GUARDRAIL_TOOL="write"
             CONTEXT_JSON="$(safe_jq "$INPUT" '{file_path: (.tool_input.file_path // .tool_input.path // "")}')"
             ;;
-        Delete)
+        delete)
             GUARDRAIL_TOOL="write"
             CONTEXT_JSON="$(safe_jq "$INPUT" '{file_path: (.tool_input.file_path // .tool_input.path // "")}')"
             ;;
-        Task)
+        task)
             GUARDRAIL_TOOL="session.create"
             CONTEXT_JSON="$(safe_jq "$INPUT" '{description: (.tool_input.description // .tool_input.prompt // "")}')"
             ;;
-        MCP:*)
+        mcp:*)
             GUARDRAIL_TOOL="mcp.tool"
             CONTEXT_JSON="$(safe_jq "$INPUT" '{tool_name: (.tool_name // ""), tool_input: (.tool_input // {})}')"
             ;;

package/bin/aport-resolve-paths.sh

@@ -24,6 +24,35 @@ resolve_aport_paths() {
         . "$_resolve_script_dir/../bin/lib/validation.sh" 2> /dev/null || true
     fi
 
+    # 0) AGENTS.md enforcement block (repo-scoped, highest priority after explicit env)
+    #    Only checked when no explicit env var is set — OPENCLAW_PASSPORT_FILE always wins.
+    if [ -z "${OPENCLAW_PASSPORT_FILE:-}" ]; then
+        local _agentsmd_lib="$_resolve_script_dir/lib/agentsmd.sh"
+        [ ! -f "$_agentsmd_lib" ] && _agentsmd_lib="$_resolve_script_dir/../bin/lib/agentsmd.sh"
+        if [ -f "$_agentsmd_lib" ]; then
+            # shellcheck source=lib/agentsmd.sh
+            . "$_agentsmd_lib"
+            if resolve_agentsmd_enforcement 2> /dev/null; then
+                if [ -n "$AGENTSMD_AGENT_ID" ]; then
+                    export APORT_AGENT_ID="$AGENTSMD_AGENT_ID"
+                fi
+                if [ -n "$AGENTSMD_PASSPORT" ] && [ -f "$AGENTSMD_PASSPORT" ]; then
+                    passport_path="$AGENTSMD_PASSPORT"
+                    data_dir="$(dirname "$AGENTSMD_PASSPORT")"
+                    export OPENCLAW_PASSPORT_FILE="$passport_path"
+                    if [ -z "${OPENCLAW_DECISION_FILE:-}" ]; then
+                        export OPENCLAW_DECISION_FILE="${data_dir}/decision.json"
+                    fi
+                    export OPENCLAW_AUDIT_LOG="${data_dir}/audit.log"
+                    PASSPORT_FILE="$passport_path"
+                    DECISION_FILE="${OPENCLAW_DECISION_FILE}"
+                    AUDIT_LOG="${data_dir}/audit.log"
+                    return 0
+                fi
+            fi
+        fi
+    fi
+
     # 1) Explicit path set and file exists → use it (plugin or wrapper)
     if [ -n "${OPENCLAW_PASSPORT_FILE:-}" ] && [ -f "$OPENCLAW_PASSPORT_FILE" ]; then
         # Validate env-provided path if validator is available
@@ -47,7 +76,7 @@ resolve_aport_paths() {
     # 3) No env → probe framework-specific default paths (where each framework stores data), then OpenClaw legacy
     else
         config_dir=""
-        for candidate in "$HOME/.claude" "$HOME/.cursor" "$HOME/.openclaw" "$HOME/.aport/langchain" "$HOME/.aport/crewai" "$HOME/.n8n"; do
+        for candidate in "$HOME/.claude" "$HOME/.cursor" "$HOME/.openclaw" "$HOME/.aport/langchain" "$HOME/.aport/crewai" "$HOME/.aport/deerflow" "$HOME/.n8n"; do
             if [ -f "${candidate}/aport/passport.json" ]; then
                 config_dir="$candidate"
                 break

package/bin/frameworks/generic.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# Generic framework setup. Works for any framework that only needs:
+#   1. Config dir + passport wizard
+#   2. Framework-specific "next steps" text (from next-steps.d/<framework>.txt)
+#
+# Frameworks with custom logic (cursor, claude-code, openclaw) keep their own scripts.
+# To add a new framework: create next-steps.d/<name>.txt and add to valid_frameworks
+# in bin/agent-guardrails. No new shell script needed.
+
+LIB="$(cd "$(dirname "${BASH_SOURCE[0]:-.}")/../lib" && pwd)"
+FRAMEWORKS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-.}")" && pwd)"
+# shellcheck source=../lib/common.sh
+source "$LIB/common.sh"
+# shellcheck source=../lib/passport.sh
+source "$LIB/passport.sh"
+# shellcheck source=../lib/config.sh
+source "$LIB/config.sh"
+
+framework="${APORT_FRAMEWORK:?APORT_FRAMEWORK must be set by the dispatcher}"
+
+run_setup() {
+    log_info "Setting up APort guardrails for $framework..."
+    config_dir="$(write_config_template "$framework")"
+    mkdir -p "$config_dir/aport"
+    chmod 700 "$config_dir/aport"
+    export APORT_FRAMEWORK="$framework"
+    run_passport_wizard "$@"
+    # Harden permissions on passport (contains policy/capabilities)
+    [ -f "$config_dir/aport/passport.json" ] && chmod 600 "$config_dir/aport/passport.json"
+
+    # Print framework-specific next steps from data file
+    next_steps="$FRAMEWORKS_DIR/next-steps.d/$framework.txt"
+    if [ -f "$next_steps" ]; then
+        echo ""
+        # Substitute $config_dir in the template
+        sed "s|\$config_dir|$config_dir|g" "$next_steps"
+        echo ""
+    else
+        echo ""
+        echo "  Config written to: $config_dir"
+        echo "  Install: pip install aport-agent-guardrails"
+        echo "  See: docs/frameworks/$framework.md"
+        echo ""
+    fi
+
+    # Check if Python package is installed (skip in CI/tests)
+    if [[ -z "${APORT_SKIP_ADAPTER_CHECK:-}" ]]; then
+        if command -v pip &> /dev/null || command -v pip3 &> /dev/null; then
+            pip_cmd="pip"
+            command -v pip3 &> /dev/null && pip_cmd="pip3"
+            if ! $pip_cmd show aport-agent-guardrails &> /dev/null; then
+                echo "[aport] NOTE: Python package not installed. Run:" >&2
+                echo "  $pip_cmd install aport-agent-guardrails" >&2
+                echo "  Or: uv add aport-agent-guardrails" >&2
+            fi
+        fi
+    fi
+}
+
+run_setup "$@"

package/bin/frameworks/next-steps.d/crewai.txt

@@ -0,0 +1,13 @@
+  Next steps (CrewAI):
+  ───────────────────
+  1. Install the Python adapter (required for runtime enforcement):
+     pip install aport-agent-guardrails-crewai
+     aport-crewai setup
+  2. Config written to: $config_dir
+  3. Register the guardrail before running your crew:
+
+     from aport_guardrails_crewai import register_aport_guardrail
+     register_aport_guardrail()
+     crew.kickoff()
+
+  Or: @with_aport_guardrail on your entry point. See: docs/frameworks/crewai.md

package/bin/frameworks/next-steps.d/deerflow.txt

@@ -0,0 +1,14 @@
+  Next steps (DeerFlow):
+  ──────────────────────
+  1. Install the guardrails package:
+     uv add aport-agent-guardrails
+
+  2. Add to your DeerFlow config.yaml:
+
+     guardrails:
+       enabled: true
+       passport: $config_dir/aport/passport.json
+       provider:
+         use: aport_guardrails.providers.generic:OAPGuardrailProvider
+
+  See: docs/frameworks/deerflow.md

package/bin/frameworks/next-steps.d/langchain.txt

@@ -0,0 +1,12 @@
+  Next steps (LangChain):
+  ───────────────────────
+  1. Install the Python adapter (required for runtime enforcement):
+     pip install aport-agent-guardrails-langchain
+     aport-langchain setup
+  2. Config written to: $config_dir
+  3. Add to your agent:
+
+     from aport_guardrails_langchain import APortCallback
+     agent = initialize_agent(..., callbacks=[APortCallback()])
+
+  See: docs/frameworks/langchain.md

package/bin/frameworks/next-steps.d/n8n.txt

@@ -0,0 +1,9 @@
+  APort n8n support: coming soon. This setup only writes config; custom node not yet available.
+
+  Next steps (n8n):
+  ────────────────
+  1. Install custom node to ~/.n8n/custom/ (or use HTTP Request node to APort API).
+  2. In your workflow: add APort Guardrail node before action nodes; branch on allow/deny.
+  3. Store agent_id or passport in n8n credentials.
+
+  See: docs/frameworks/n8n.md

package/bin/lib/config.sh

@@ -16,6 +16,7 @@ get_config_dir() {
         n8n) echo "${APORT_N8N_CONFIG_DIR:-$HOME/.n8n}" ;;
         cursor) echo "${APORT_CURSOR_CONFIG_DIR:-$HOME/.cursor}" ;;
         claude-code) echo "${APORT_CLAUDE_CODE_CONFIG_DIR:-$HOME/.claude}" ;;
+        deerflow) echo "${APORT_DEERFLOW_CONFIG_DIR:-$HOME/.aport/deerflow}" ;;
         *) echo "${APORT_CONFIG_DIR:-$HOME/.aport}" ;;
     esac
 }

package/docs/frameworks/deerflow.md

@@ -0,0 +1,168 @@
+# APort Agent Guardrail — DeerFlow
+
+DeerFlow is a LangGraph-based AI super agent system by ByteDance with sandbox execution, persistent memory, and subagent delegation. The **APort Agent Guardrail for DeerFlow** plugs into DeerFlow's native **middleware chain** via the `GuardrailMiddleware`: every tool call (including dynamically-loaded MCP tools) is evaluated against your passport and policy before execution.
+
+## How DeerFlow agent guardrails work
+
+- **Middleware:** DeerFlow uses an `AgentMiddleware` chain with `wrap_tool_call` / `awrap_tool_call`. The `GuardrailMiddleware` sits between `DanglingToolCallMiddleware` and `ToolErrorHandlingMiddleware` in the chain.
+- **Provider protocol:** DeerFlow defines a generic `GuardrailProvider` protocol. Any class with `evaluate(request)` and `aevaluate(request)` methods works. APort's `OAPGuardrailProvider` implements this protocol.
+- **Deny handling:** Denied tool calls return a `ToolMessage` with `status="error"` and OAP reason codes (e.g. `oap.command_not_allowed`). The agent sees the denial and can adapt.
+- **Fail-closed:** If the provider raises an exception, the tool call is blocked by default.
+
+- **Integration:** DeerFlow `GuardrailMiddleware` (in `_build_runtime_middlewares`)
+- **Config:** `config.yaml` guardrails section + `~/.aport/deerflow/config.yaml` for APort settings
+- **Provider class path:** `aport_guardrails.providers.generic:OAPGuardrailProvider`
+
+## Two ways to use APort
+
+| Use case | What it is | When to use it |
+|----------|------------|----------------|
+| **Guardrails (CLI/setup)** | One-line installer: runs the **passport wizard**, writes config, prints next steps. Does not run your app. | Getting started: create passport and config so the provider can find them. |
+| **Core (library)** | The **OAPGuardrailProvider** loaded by DeerFlow's `resolve_variable` from your `config.yaml`. Evaluates every tool call. | Integrating into your app: add the guardrails section to config.yaml. |
+
+You typically use **both**: run the CLI once to create passport and config, then add the guardrails section to your DeerFlow `config.yaml`.
+
+---
+
+## Setup (Guardrails — create passport and config)
+
+**Python (recommended)**
+
+```bash
+pip install aport-agent-guardrails
+aport setup --framework deerflow
+```
+
+**Node/npx (alternative)**
+
+```bash
+npx @aporthq/aport-agent-guardrails deerflow
+```
+
+**Hosted passport (production)**
+
+```bash
+npx @aporthq/aport-agent-guardrails deerflow ap_fa2f6d53bb5b4c98b9af0124285b6e0f
+```
+
+The setup creates:
+- Config directory: `~/.aport/deerflow/`
+- Passport file: `~/.aport/deerflow/aport/passport.json`
+- Config file: `~/.aport/deerflow/config.yaml`
+
+## Using the library (Core) in your DeerFlow app
+
+### Step 1: Install the package
+
+```bash
+uv add aport-agent-guardrails
+# or: pip install aport-agent-guardrails
+```
+
+### Step 2: Add guardrails to config.yaml
+
+Add this section to your DeerFlow `config.yaml`:
+
+```yaml
+guardrails:
+  enabled: true
+  fail_closed: true
+  passport: ~/.aport/deerflow/aport/passport.json
+  provider:
+    use: aport_guardrails.providers.generic:OAPGuardrailProvider
+```
+
+That's it. Every tool call is now evaluated before execution.
+
+### Step 3 (optional): Use a hosted passport
+
+For production, use a hosted passport ID instead of a local file:
+
+```yaml
+guardrails:
+  enabled: true
+  passport: ap_fa2f6d53bb5b4c98b9af0124285b6e0f
+  provider:
+    use: aport_guardrails.providers.generic:OAPGuardrailProvider
+```
+
+---
+
+## How it works under the hood
+
+1. DeerFlow's `_build_runtime_middlewares()` reads `guardrails` from `config.yaml`
+2. It loads `OAPGuardrailProvider` via `resolve_variable` (same mechanism as models and sandbox providers)
+3. `GuardrailMiddleware` wraps every tool call:
+   - Builds a `GuardrailRequest` with tool name, arguments, and passport reference
+   - Calls `provider.evaluate(request)` (sync) or `provider.aevaluate(request)` (async)
+   - If denied: returns a `ToolMessage` with error status and OAP reason codes
+   - If allowed: calls the original tool handler
+4. `OAPGuardrailProvider` maps the tool name to an OAP policy pack ID and calls the core `Evaluator`
+5. The `Evaluator` resolves the passport (local file or hosted API) and evaluates the tool call
+
+## Tool-to-policy mapping
+
+| DeerFlow tool | OAP policy pack |
+|---|---|
+| `bash`, `write_file`, `str_replace` | `system.command.execute.v1` |
+| `web_search`, `web_fetch`, `image_search` | `web.fetch.v1` |
+| `read_file`, `ls` | `data.file.read.v1` |
+| `present_file`, `view_image` | `data.export.create.v1` |
+| `ask_clarification`, `task` | `agent.session.create.v1` |
+| MCP tools (dynamic) | `mcp.tool.execute.v1` |
+
+## Evaluation modes
+
+| Mode | Config | Network | Use case |
+|---|---|---|---|
+| **Local** | `mode: local` in APort config | None | Dev, CI, air-gapped |
+| **API** | `mode: api` in APort config | API call to aport.io | Full OAP features, signed decisions |
+| **Hosted passport** | `passport: ap_xxx` in DeerFlow config | API call | Production, managed passports |
+
+## Built-in AllowlistProvider (no APort needed)
+
+DeerFlow ships with a zero-dependency `AllowlistProvider` for simple deny/allow:
+
+```yaml
+guardrails:
+  enabled: true
+  provider:
+    use: deerflow.guardrails.builtin:AllowlistProvider
+    config:
+      denied_tools: ["bash", "write_file"]
+```
+
+## Custom provider (bring your own)
+
+Any class with `evaluate` and `aevaluate` methods works:
+
+```python
+class MyGuardrail:
+    name = "my-company"
+    def evaluate(self, request):
+        from deerflow.guardrails.provider import GuardrailDecision, GuardrailReason
+        if request.tool_name == "bash":
+            return GuardrailDecision(allow=False, reasons=[GuardrailReason(code="oap.denied", message="bash blocked")])
+        return GuardrailDecision(allow=True, reasons=[GuardrailReason(code="oap.allowed")])
+    async def aevaluate(self, request):
+        return self.evaluate(request)
+```
+
+```yaml
+guardrails:
+  enabled: true
+  provider:
+    use: my_module:MyGuardrail
+```
+
+## Kill switch
+
+- **Local:** Set `"status": "suspended"` in your passport JSON file
+- **Hosted:** Log in to aport.io, click Suspend — all agents using that passport deny within 30 seconds
+
+## References
+
+- [DeerFlow GitHub issue #1213](https://github.com/bytedance/deer-flow/issues/1213)
+- [OAP Specification](https://doi.org/10.5281/zenodo.18901595)
+- [Verification methods](../VERIFICATION_METHODS.md)
+- [Hosted passport setup](../HOSTED_PASSPORT_SETUP.md)

package/external/aport-policies/README.md

@@ -23,6 +23,12 @@ Policy packs are **pre-built, OAP-compliant policy definitions** that provide in
 | **`agent.session.create.v1`** | `agent.session.create` | L0 | Session limits, duration restrictions, concurrent session controls |
 | **`agent.tool.register.v1`** | `agent.tool.register` | L0 | Tool naming conventions, capability declarations, registration limits |
 
+### ✅ **Task Completion**
+
+| Policy Pack | Capability | Min Assurance | Key Features |
+|-------------|------------|---------------|--------------|
+| **`deliverable.task.complete.v1`** | `deliverable.task.complete` | L0 | Summary word count, acceptance criteria attestations, tests passing, different reviewer, blocked pattern scan |
+
 ### 💳 **Finance & Payments**
 
 | Policy Pack | Capability | Min Assurance | Key Features |

package/external/aport-policies/deliverable.task.complete.v1/README.md

@@ -0,0 +1,95 @@
+# deliverable.task.complete.v1
+
+Task Completion Gate — pre-action governance for an agent marking a task complete.
+
+## Purpose
+
+Enforces that the agent has provided required deliverable evidence before "done" is authorized:
+
+- Summary (optional, configurable min word count)
+- Acceptance criteria attestations (one per passport-defined criterion, with evidence)
+- Test status (optional, require passing tests)
+- Reviewer identity (optional, require different agent for multi-agent pipelines)
+- Output scan (optional, block patterns like TODO, FIXME)
+
+## Required Context
+
+| Field | Type | Required |
+|-------|------|----------|
+| `task_id` | string | Yes |
+| `output_type` | "code" \| "document" \| "analysis" \| "plan" \| "data" \| "other" | Yes |
+| `criteria_attestations` | array of `{ criterion_id, met, evidence }` | Yes |
+| `summary` | string | If `require_summary` |
+| `tests_passing` | boolean | If `require_tests_passing` |
+| `reviewer_agent_id` | string | If `require_different_reviewer` |
+| `author_agent_id` | string | If `require_different_reviewer` |
+| `output_content` | string | If `scan_output` and scanning |
+
+## Passport Limits
+
+Configure under `limits["deliverable.task.complete"]`:
+
+```json
+{
+  "require_summary": true,
+  "min_summary_words": 20,
+  "require_tests_passing": false,
+  "require_different_reviewer": false,
+  "scan_output": false,
+  "blocked_patterns": [],
+  "acceptance_criteria": [
+    { "id": "output_produced", "description": "A concrete output artifact must be produced" },
+    { "id": "no_placeholders", "description": "Output must not contain TODO, FIXME, or placeholder text" }
+  ]
+}
+```
+
+**Note:** `blocked_patterns` is in passport limits (not API context). At evaluation, only the first 100 patterns are checked; passports with more are truncated silently. Passport issuance APIs may validate this; the validator caps at 100 for DoS protection.
+
+## Security Rationale (Validator Design)
+
+- **`met !== true` (strict)** — We use strict equality, not truthy `!met`. PRD v1.2 fix: `met: "true"` or `met: 1` must not pass; only `met: true` is valid.
+- **Missing `author_agent_id` → deny** — When `require_different_reviewer` is true, both `reviewer_agent_id` and `author_agent_id` must be present. Omitting `author_agent_id` would bypass the cross-agent check; we intentionally deny instead of skipping.
+- **Custom validators over expressions** — Safer `undefined` handling and no expression-engine quirks. Expressions can mis-evaluate empty strings or `undefined`; validators give explicit control over deny codes.
+
+## Deny Codes
+
+| Code | Meaning |
+|------|---------|
+| `oap.criteria_not_met` | An attestation has `met: false` |
+| `oap.evidence_missing` | An attestation has empty evidence |
+| `oap.criteria_incomplete` | Missing attestation for a passport criterion |
+| `oap.summary_insufficient` | Summary absent or below `min_summary_words` |
+| `oap.tests_not_passing` | `tests_passing` required but false or missing |
+| `oap.self_review_not_allowed` | Same agent for reviewer and author, or either missing |
+| `oap.blocked_pattern_detected` | Output contains a blocked pattern |
+
+## Verification
+
+```bash
+POST /api/verify/policy/deliverable.task.complete.v1
+Content-Type: application/json
+
+{
+  "context": {
+    "agent_id": "ap_xxx",
+    "task_id": "task-123",
+    "output_type": "code",
+    "author_agent_id": "ap_xxx",
+    "summary": "Implemented OAuth2 refresh token flow...",
+    "tests_passing": true,
+    "criteria_attestations": [
+      { "criterion_id": "output_produced", "met": true, "evidence": "PR #47" },
+      { "criterion_id": "no_placeholders", "met": true, "evidence": "grep -r TODO src/ returned 0" }
+    ]
+  }
+}
+```
+
+## Tests
+
+Run unit tests:
+
+```bash
+pnpm test:unit policies/deliverable.task.complete.v1/tests/deliverable-task-complete-policy.test.ts
+```