@cuzfrog/pi-module-gates 0.17.1 → 0.18.0

package/README.md

@@ -12,7 +12,7 @@ AI coding agents produce edits with limited context knowledge (myopia) — their
 **Module contracts as guardrails.** Each directory can contain a descriptor file that declares:
 
 - `readonly` — files and directories the agent must not touch
-- `frozen` — files where no new exports are allowed
+- `sealed` — files where no new exports are allowed (body still editable)
 - `visible` — the set of exports allowed to be added or modified in that module
 
 The extension intercepts agent `write`/`edit` operations and enforces these contracts. Violations are blocked with a clear reason.
@@ -26,7 +26,7 @@ The attempt to add 2 public helper functions is blocked, forcing the agent to re
 2. **System prompt** — Injects a hint so the agent knows to respect descriptor file conventions.
 3. **Gating** — On every write/edit, checks:
    - **Readonly gate** — is the target file locked?
-     **Fronzen gate** — is there any surface change to the target file?
+     **Sealed gate** — would the change add new exports to a file in the `sealed` list?
    - **Export gate** — would the change introduce an export not in the `visible` list?
    - **Module interface import gate** — external files can only import from the module not internal files, i.e. re-exports from `index.ts` or `mod.rs`. A child module may import from a parent module's internal files (not recommended but allowed). (Only Typescript/JavaScript and Rust are supported)
    - **Import gate** (not implemented yet) — would the change introduce an import violating visibility scope?
@@ -57,14 +57,14 @@ readonly: [mod.rs]
 Any prose for the agent to better understand the module.
 ```
 
-### Frozen constraints
+### Sealed constraints
 
 ```yaml
-frozen: [mod.rs]
+sealed: [mod.rs]
 ```
-Frozen files cannot change their surface size: no new exports or public entries are allowed.
+Sealed files cannot change their surface size: no new exports or public entries are allowed. The file body is still editable.
 
-A skill [module-freeze-all](src/skills/module-freeze-all) has been included to auto-freeze modules.
+A skill [module-seal-all](skills/module-seal-all) has been included to auto-seal modules.
 
 ### Visibility whitelist (under redesign)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cuzfrog/pi-module-gates",
-  "version": "0.17.1",
+  "version": "0.18.0",
   "description": "pi extension that controls the entropy of the codebase by enforcing code module boundaries.",
   "keywords": [
     "pi-package"
@@ -22,7 +22,7 @@
     ]
   },
   "dependencies": {
-    "yaml": "2.8.1"
+    "yaml": "2.9.0"
   },
   "peerDependencies": {
     "@earendil-works/pi-coding-agent": "*"

package/skills/{module-freeze-all → module-seal-all}/SKILL.md

@@ -1,6 +1,6 @@
 ---
-name: module-freeze-all
-description: Auto-freeze all files in module descriptors so their module surface area cannot be increased.
+name: module-seal-all
+description: Auto-seal all files in module descriptors so their module surface area cannot be increased.
 disable-model-invocation: true
 argument-hint: <user-instructions>
 ---
@@ -9,26 +9,26 @@ argument-hint: <user-instructions>
 - Find out module descriptor filename in the context.
 - Find out source root in the context or from configurations.
 - Derive scripts args from user instructions.
-- Call the script to scans the source tree for module descriptors and auto-populates their `frozen` entries with code files in each module directory.
+- Call the script to scans the source tree for module descriptors and auto-populates their `sealed` entries with code files in each module directory.
 
 ## Script Usage
 
 ```bash
-node skills/module-freeze-all/scripts/freeze-all.mjs [options]
+node skills/module-seal-all/scripts/seal-all.mjs [options]
 ```
 
 Options:
 - `--root <dir>` - Source root directory (default: `src`)
 - `--dry-run` - Show what would change without writing files
-- `--create` - Create module descriptor files for directories without one (adds `frozen` only)
+- `--create` - Create module descriptor files for directories without one (adds `sealed` only)
 - `--descriptor-name <name>` - Module descriptor filename (default: `module.md`)
 
 ### Behavior
 
 1. Finds all module descriptor files under the source root.
 2. For each module directory, lists all direct files (not subdirectories, not module descriptor file itself)
-3. Adds those files to the `frozen` frontmatter field
-4. Preserves existing `frozen` entries, other fields in the frontmatter, and body prose
+3. Adds those files to the `sealed` frontmatter field
+4. Preserves existing `sealed` entries, other fields in the frontmatter, and body prose
 
 ## Extra user instructions:
 "$ARGUMENTS"

package/skills/module-seal-all/scripts/seal-all.d.mts

@@ -0,0 +1 @@
+export declare const SUPPORTED_EXTENSIONS: Set<string>;

package/skills/{module-freeze-all/scripts/freeze-all.mjs → module-seal-all/scripts/seal-all.mjs}

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 /**
- * Auto-freeze all files in module descriptors.
+ * Auto-seal all files in module descriptors.
  *
  * Scans module descriptor files under a source root and populates each
- * descriptor's `frozen` field with every direct code file in the module
+ * descriptor's `sealed` field with every direct code file in the module
  * directory. Files in nested sub-modules (directories with their own
  * descriptor) are excluded from the parent.
  */
@@ -47,7 +47,7 @@ function main() {
   const results = [];
 
   for (const [modDir, modFile] of allModuleDirs) {
-    const result = freezeModule(modDir, modFile, descriptorName, allModuleDirs);
+    const result = sealModule(modDir, modFile, descriptorName, allModuleDirs);
     if (result) results.push(result);
   }
 
@@ -69,7 +69,7 @@ function main() {
     console.log("Dry run — would modify:");
     for (const r of results) {
       const rel = relative(cwd, r.path);
-      console.log(`  ${rel}: freeze [${r.files.join(", ") || "(none)"}]`);
+      console.log(`  ${rel}: seal [${r.files.join(", ") || "(none)"}]`);
     }
     return;
   }
@@ -169,7 +169,7 @@ function walkDir(dir, visitor) {
 // Module processing
 // ---------------------------------------------------------------------------
 
-function freezeModule(modDir, descriptorFileName, descriptorName, allModuleDirs) {
+function sealModule(modDir, descriptorFileName, descriptorName, allModuleDirs) {
   const modPath = join(modDir, descriptorFileName);
   let raw;
   try {
@@ -179,15 +179,15 @@ function freezeModule(modDir, descriptorFileName, descriptorName, allModuleDirs)
   }
 
   const parsed = parseFrontmatter(raw);
-  const existingFrozen = normalizeFrozen(parsed.frontmatter.frozen);
+  const existingSealed = normalizeSealed(parsed.frontmatter.sealed);
   const directFiles = listDirectFiles(modDir, descriptorName, allModuleDirs);
-  const mergedFrozen = mergePreservingOrder(existingFrozen, directFiles);
+  const mergedSealed = mergePreservingOrder(existingSealed, directFiles);
 
-  if (arraysEqual(existingFrozen, mergedFrozen)) return undefined;
+  if (arraysEqual(existingSealed, mergedSealed)) return undefined;
 
-  const newContent = serializeModule(parsed, mergedFrozen);
+  const newContent = serializeModule(parsed, mergedSealed);
 
-  return { path: modPath, content: newContent, files: mergedFrozen };
+  return { path: modPath, content: newContent, files: mergedSealed };
 }
 
 function createModuleDescriptor(dir, descriptorName) {
@@ -283,8 +283,8 @@ function parseInlineList(raw) {
   return inner.split(",").map((s) => s.trim().replace(/^['"]|['"]$/g, ""));
 }
 
-function serializeModule(parsed, frozen) {
-  const fm = { ...parsed.frontmatter, frozen };
+function serializeModule(parsed, sealed) {
+  const fm = { ...parsed.frontmatter, sealed };
 
   let yaml = parsed.prelude;
   for (const [key, value] of Object.entries(fm)) {
@@ -344,7 +344,7 @@ function listDirectFiles(modDir, descriptorName, allModuleDirs) {
 // Helpers
 // ---------------------------------------------------------------------------
 
-function normalizeFrozen(value) {
+function normalizeSealed(value) {
   if (Array.isArray(value)) return value.map(String);
   return [];
 }
@@ -366,4 +366,4 @@ function arraysEqual(a, b) {
 
 if (import.meta.url === pathToFileURL(resolve(process.argv[1] ?? "")).href) {
   main();
-}
+}

package/src/MODULE.md

@@ -1,6 +1,5 @@
 ---
-frozen:
+sealed:
   - config.ts
   - index.ts
----
-
+---

package/src/context/MODULE.md

@@ -1,6 +1,5 @@
 ---
-frozen:
+sealed:
   - system-prompt.ts
   - index.ts
----
-
+---

package/src/context/system-prompt.template.md

@@ -1,5 +1,5 @@
 ## Module gates (boundary enforcement)
-This project uses `{{descriptorFileName}}`(case-insensitive) files to declare visibility, readonly and frozen rules that you should follow.
+This project uses `{{descriptorFileName}}`(case-insensitive) files to declare visibility, readonly and sealed rules that you should follow.
 If you cannot comply, reconsider your design or raise to the user with tradeoffs if necessary.
 Each `{{descriptorFileName}}` gates its branching point in the tree.
 A `{{descriptorFileName}}` with a `visible` list means only entries in the list are allowed to be visible outside the module.
@@ -13,5 +13,5 @@ A `{{descriptorFileName}}` with a `visible` list means only entries in the list
 - `external files`: files not in the module directory and subdirectories;
 - `module interface`: the file representing the module surface, e.g. `index.ts` in Typescript, `mod.rs` in Rust;
 - `readonly`: files are readonly;
-- `frozen`: files cannot add new exports, but still editable;
+- `sealed`: files cannot add new exports, but the body is still editable; the export surface is sealed;
 - `visible`: visible from outside the module; files not in the module directory are outside the module;

package/src/gates/MODULE.md

@@ -1,8 +1,7 @@
 ---
-frozen:
+sealed:
   - export-gate.ts
-  - frozen-gate.ts
+  - sealed-gate.ts
   - readonly-gate.ts
   - index.ts
----
-
+---

package/src/gates/checkers/MODULE.md

@@ -1,8 +1,7 @@
 ---
-frozen:
+sealed:
   - index.ts
   - registry.ts
   - rust.ts
   - typescript.ts
----
-
+---

package/src/gates/checkers/go.ts

@@ -13,7 +13,33 @@ const goChecker: ExportChecker = {
 registerChecker(goChecker);
 
 function extractExports(src: string): Signature[] {
-  return [...src.matchAll(
-    /^(?:func\s+(?!\()|type\s+|var\s+|const\s+)([\p{Lu}]\w*)/gmu,
-  )].map((m) => ({ name: m[1] }));
+  const out: Signature[] = [];
+
+  for (const m of src.matchAll(
+    /^(?:func\s+(?:\([^)]*\)\s+)?|type\s+|var\s+|const\s+)([\p{Lu}]\w*)/gmu,
+  )) {
+    out.push({ name: m[1] });
+  }
+
+  for (const block of src.matchAll(/(?:^|\n)(?:var|const)\s*\(([\s\S]*?)\)/g)) {
+    const inner = block[1];
+    for (const line of inner.split(/\n/)) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      const m = /^([\p{Lu}]\w*)(?:\s*(?::\s*[\w.\[\]any, |]+)?=\s*[\s\S]*|\s*$)/u.exec(trimmed);
+      if (m) out.push({ name: m[1] });
+    }
+  }
+
+  for (const iface of src.matchAll(/(?:^|\n)type\s+[\p{Lu}]\w*\s+interface\s*\{([\s\S]*?)\}/gu)) {
+    const inner = iface[1];
+    for (const line of inner.split(/\n/)) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      const m = /^([\p{Lu}]\w*)\s*\(/u.exec(trimmed);
+      if (m) out.push({ name: m[1] });
+    }
+  }
+
+  return out;
 }

package/src/gates/checkers/java.ts

@@ -14,6 +14,6 @@ registerChecker(javaChecker);
 
 function extractExports(src: string): Signature[] {
   return [...src.matchAll(
-    /^public\s+(?:class|interface|enum|@interface|record)\s+(\w+)/gm,
-  )].map((m) => ({ modifier: "public", name: m[1] }));
+    /^(?:@\w+(?:\([^)]*\))?\s+)*public\s+(?:(?:abstract|final|sealed|non-sealed|static)\s+)*(class|interface|enum|@interface|record)\s+(\w+)/gm,
+  )].map((m) => ({ modifier: "public", name: m[2] }));
 }

package/src/gates/checkers/kotlin.ts

@@ -13,14 +13,26 @@ const kotlinChecker: ExportChecker = {
 registerChecker(kotlinChecker);
 
 function extractExports(src: string): Signature[] {
-  const re = /^(?:(public|internal|protected|private)\s+)?(?:(?:data|sealed|enum|abstract|open)\s+)?(?:class|interface|object|fun|val|var|typealias)\s+(\w+)/gm;
+  const declRe = /^(?:@\w+(?:\([^)]*\))?\s+)*(?:(public|internal|private)\s+)?(?:(?:data|sealed|enum|abstract|open|final|inline|value|annotation|expect|actual|external)\s+)*(?:companion\s+)?(?:class|interface|object|fun|val|var|typealias)\s+(\w+)/m;
   const results: Signature[] = [];
-  for (const m of src.matchAll(re)) {
-    if (m[1] === "private") continue;
-    results.push({
-      modifier: m[1] || undefined,
-      name: m[2],
-    });
+  let depth = 0;
+  for (const rawLine of src.split("\n")) {
+    const line = rawLine.replace(/\/\/.*$/, "").replace(/\/\*.*?\*\//g, "");
+    if (depth === 0) {
+      const m = declRe.exec(line);
+      if (m) {
+        const visibility = m[1];
+        const name = m[2];
+        if (visibility === "private") {
+          // skip
+        } else {
+          results.push({ modifier: visibility, name });
+        }
+      }
+    }
+    depth += (line.match(/\{/g) || []).length;
+    depth -= (line.match(/\}/g) || []).length;
+    if (depth < 0) depth = 0;
   }
   return results;
 }

package/src/gates/checkers/rust.ts

@@ -5,8 +5,12 @@ import type { Signature } from "../../types.ts";
 const rustChecker: ExportChecker = {
   extensions: [".rs"],
   getNewExports(before: string, after: string): Signature[] {
-    const beforeNames = new Set(extractPubItems(before).map((s) => s.name));
-    return extractPubItems(after).filter((sig) => !beforeNames.has(sig.name));
+    const beforeNames = new Set(
+      [...extractPubItems(before), ...extractPubUses(before)].map((s) => s.name),
+    );
+    return [...extractPubItems(after), ...extractPubUses(after)].filter(
+      (sig) => !beforeNames.has(sig.name),
+    );
   },
 };
 
@@ -14,6 +18,71 @@ registerChecker(rustChecker);
 
 function extractPubItems(src: string): Signature[] {
   return [...src.matchAll(
-    /^(pub(?:\([^)]*\))?)\s+(?:fn|struct|enum|trait|type|const|mod)\s+(\w+)/gm,
+    /^(pub(?:\([^)]*\))?)(?:\s+(?:unsafe|async|const|extern(?:\s+"[^"]+")?))*\s+(?:fn|struct|enum|trait|type|const|mod|static)\s+(\w+)/gm,
   )].map((m) => ({ modifier: m[1], name: m[2] }));
 }
+
+function extractPubUses(src: string): Signature[] {
+  const out: Signature[] = [];
+  const re = /^(pub(?:\([^)]*\))?)\s+use\s+([\s\S]*?);/gm;
+  for (const m of src.matchAll(re)) {
+    const modifier = m[1];
+    const body = m[2];
+    for (const name of extractUseNames(body)) {
+      out.push({ modifier, name });
+    }
+  }
+  return out;
+}
+
+function extractUseNames(body: string): string[] {
+  const trimmed = body.trim();
+  const groupMatch = /^(.+?)::\s*\{([\s\S]*)\}\s*$/.exec(trimmed);
+  if (groupMatch) {
+    const prefix = groupMatch[1].split("::").pop() ?? "";
+    return extractGroupItems(groupMatch[2], prefix);
+  }
+  const last = trimmed.split("::").pop() ?? "";
+  if (last === "self") {
+    const segments = trimmed.split("::");
+    segments.pop();
+    const fallback = segments.pop() ?? "";
+    return fallback ? [fallback] : [];
+  }
+  const parsed = parseRenamed(last);
+  return parsed && parsed !== "*" ? [parsed] : [];
+}
+
+function extractGroupItems(inner: string, prefix: string): string[] {
+  const out: string[] = [];
+  let depth = 0;
+  let buf = "";
+  for (const ch of inner) {
+    if (ch === "{") depth++;
+    else if (ch === "}") depth--;
+    if (ch === "," && depth === 0) {
+      pushItem(buf, out, prefix);
+      buf = "";
+    } else {
+      buf += ch;
+    }
+  }
+  pushItem(buf, out, prefix);
+  return out;
+}
+
+function pushItem(raw: string, out: string[], prefix: string): void {
+  const item = raw.trim();
+  if (!item || item === "*") return;
+  if (item === "self") {
+    if (prefix) out.push(prefix);
+    return;
+  }
+  out.push(parseRenamed(item));
+}
+
+function parseRenamed(item: string): string {
+  const asIdx = item.lastIndexOf(" as ");
+  const tail = asIdx >= 0 ? item.slice(asIdx + 4) : item;
+  return tail.split("::").pop() ?? "";
+}

package/src/gates/checkers/scala.ts

@@ -13,14 +13,26 @@ const scalaChecker: ExportChecker = {
 registerChecker(scalaChecker);
 
 function extractExports(src: string): Signature[] {
-  const re = /^(?:(private(?:\[[^\]]*\])?|protected(?:\[[^\]]*\])?)\s+)?(?:class|object|trait|def|val|var|type|given|extension)\s+(\w+)/gm;
+  const declRe = /^(?:@\w+(?:\([^)]*\))?\s+)*(?:(private(?:\[[^\]]*\])?|protected(?:\[[^\]]*\])?|public)\s+)?(?:(?:sealed|final|abstract|lazy|opaque|implicit)\s+)*(?:case\s+)?(?:class|object|trait|def|val|var|type|enum|given|extension)\s+(\w+)/m;
   const results: Signature[] = [];
-  for (const m of src.matchAll(re)) {
-    if (m[1] === "private" || m[1] === "protected") continue;
-    results.push({
-      modifier: m[1] || undefined,
-      name: m[2],
-    });
+  let depth = 0;
+  for (const rawLine of src.split("\n")) {
+    const line = rawLine.replace(/\/\/.*$/, "");
+    if (depth === 0) {
+      const m = declRe.exec(line);
+      if (m) {
+        const visibility = m[1];
+        const name = m[2];
+        if (visibility === "private" || visibility === "protected") {
+          // skip bare private/protected
+        } else {
+          results.push({ modifier: visibility, name });
+        }
+      }
+    }
+    depth += (line.match(/\{/g) || []).length;
+    depth -= (line.match(/\}/g) || []).length;
+    if (depth < 0) depth = 0;
   }
   return results;
 }

package/src/gates/checkers/typescript.ts

@@ -12,39 +12,55 @@ const tsChecker: ExportChecker = {
 
 registerChecker(tsChecker);
 
+const ANNOTATION_PREFIX = String.raw`(?:@[^\n]*\n)*[ \t]*`;
+const DECL_KEYWORD = String.raw`(?:function(?:\s*\*)?|class|const|let|var|type|interface|enum)`;
+const DECL_KEYWORD_NEG = String.raw`(?:function\s*\*?|class|const|let|var|type|interface|enum|abstract|async|declare)`;
+
 function extractExports(src: string): Signature[] {
-  const results: Signature[] = [
-    ...src.matchAll(
-      /^export\s+(?:default\s+)?(?:\w+\s+)*(?:function(?:\s*\*)?|class|const|let|var|type|interface|enum)\s+(\w+)/gm,
-    ),
-  ].map((m) => ({ name: m[1] }));
+  const results: Signature[] = [];
+
+  for (const m of src.matchAll(
+    new RegExp(`^${ANNOTATION_PREFIX}export\\s+(?:default\\s+)?(?:\\w+\\s+)*${DECL_KEYWORD}\\s+(\\w+)`, "gm"),
+  )) {
+    results.push({ name: m[1] });
+  }
 
   for (const m of src.matchAll(
-    /^export\s*(?:type\s+)?\{\s*([^}]+)\s*\}\s*from/gm,
+    new RegExp(`^${ANNOTATION_PREFIX}export\\s*(?:type\\s+)?\\{\\s*([^}]+?)\\s*\\}(?:\\s+from\\b)?`, "gm"),
   )) {
     const inner = m[1];
     for (const entry of inner.split(",")) {
-      const trimmed = entry.trim();
+      let trimmed = entry.trim();
       if (!trimmed) continue;
-      const asMatch = trimmed.match(/^(\w+)\s+as\s+(\w+)$/);
-      if (asMatch) {
-        results.push({ name: asMatch[2] });
-      } else {
-        results.push({ name: trimmed });
+      if (trimmed.startsWith("type ")) {
+        trimmed = trimmed.slice(5).trim();
+        if (!trimmed) continue;
       }
+      const asMatch = trimmed.match(/^(\w+)\s+as\s+(\w+)$/);
+      results.push({ name: asMatch ? asMatch[2] : trimmed });
     }
   }
 
-  for (const m of src.matchAll(/^export\s*\*\s*as\s+(\w+)\s+from/gm)) {
+  for (const m of src.matchAll(
+    new RegExp(`^${ANNOTATION_PREFIX}export\\s+(?:type\\s+)?\\*\\s+from`, "gm"),
+  )) {
+    results.push({ name: "*" });
+  }
+
+  for (const m of src.matchAll(
+    new RegExp(`^${ANNOTATION_PREFIX}export\\s*\\*\\s+as\\s+(\\w+)\\s+from`, "gm"),
+  )) {
     results.push({ name: m[1] });
   }
 
-  for (const m of src.matchAll(/^export\s*\*\s+from/gm)) {
-    results.push({ name: "*" });
+  for (const m of src.matchAll(
+    new RegExp(`^${ANNOTATION_PREFIX}export\\s*=\\s*(\\w+)`, "gm"),
+  )) {
+    results.push({ name: m[1] });
   }
 
   for (const m of src.matchAll(
-    /^export\s+default\s+(?!function|class|const|let|var|type|interface|enum|abstract|async|declare)([a-zA-Z_]\w*)/gm,
+    new RegExp(`^${ANNOTATION_PREFIX}export\\s+default\\s+(?!${DECL_KEYWORD_NEG})([a-zA-Z_]\\w*)`, "gm"),
   )) {
     results.push({ name: m[1] });
   }

package/src/gates/index.ts

@@ -1,4 +1,4 @@
 export { checkReadonly } from "./readonly-gate.ts";
-export { checkFrozen } from "./frozen-gate.ts";
+export { checkSealed } from "./sealed-gate.ts";
 export { checkExports } from "./export-gate.ts";
-export { checkModuleInterfaceImports } from "./module-interface-import-gate.ts";
+export { checkModuleInterfaceImports } from "./module-interface-import-gate.ts";

package/src/gates/run-gates.ts

@@ -5,7 +5,7 @@ import type { ModuleGateConfig } from "../config.ts";
 import { readFileSafe, applyEdits, isWithinSourceRoot, findOwningModule } from "../utils.ts";
 import {
   checkReadonly,
-  checkFrozen,
+  checkSealed,
   checkExports,
   checkModuleInterfaceImports,
 } from "./index.ts";
@@ -57,9 +57,9 @@ export function runGates(
     return { block: true, reason: formatDenial(filePath, readonlyResult.reason, absPath, index, cwd, config.moduleDescriptorFileName) };
   }
 
-  const frozenResult = checkFrozen(filePath, before, after, index, cwd, config.moduleDescriptorFileName);
-  if (frozenResult.blocked) {
-    return { block: true, reason: formatDenial(filePath, frozenResult.reason, absPath, index, cwd, config.moduleDescriptorFileName) };
+  const sealedResult = checkSealed(filePath, before, after, index, cwd, config.moduleDescriptorFileName);
+  if (sealedResult.blocked) {
+    return { block: true, reason: formatDenial(filePath, sealedResult.reason, absPath, index, cwd, config.moduleDescriptorFileName) };
   }
 
   const exportResult = checkExports(filePath, before, after, index, cwd, config.moduleDescriptorFileName);

package/src/gates/{frozen-gate.ts → sealed-gate.ts}

@@ -3,18 +3,18 @@ import type { ModuleIndex } from "../types.ts";
 import { getAncestorContracts, matchesPattern } from "../utils.ts";
 import { getChecker } from "./checkers/registry.ts";
 
-export type FrozenCheckResult =
+export type SealedCheckResult =
   | { blocked: true; reason: string }
   | { blocked: false };
 
-export function checkFrozen(
+export function checkSealed(
   filePath: string,
   beforeContent: string,
   afterContent: string,
   index: ModuleIndex,
   cwd: string,
   descriptorFileName: string,
-): FrozenCheckResult {
+): SealedCheckResult {
   const absFile = path.resolve(cwd, filePath);
 
   const checker = getChecker(absFile);
@@ -23,7 +23,7 @@ export function checkFrozen(
   const ancestors = getAncestorContracts(absFile, index);
 
   for (const contract of ancestors) {
-    for (const pattern of contract.frozen) {
+    for (const pattern of contract.sealed) {
       if (matchesPattern(absFile, pattern, contract.modulePath)) {
         const newExports = checker.getNewExports(beforeContent, afterContent);
         if (newExports.length === 0) return { blocked: false };
@@ -32,11 +32,11 @@ export function checkFrozen(
         const names = newExports.map((s) => s.name).join(", ");
         return {
           blocked: true,
-          reason: `Frozen rule: file is frozen in ${relModuleMd}. Cannot add new exports: ${names}`,
+          reason: `Sealed rule: file is sealed in ${relModuleMd}. Cannot add new exports: ${names}`,
         };
       }
     }
   }
 
   return { blocked: false };
-}
+}

package/src/graph/MODULE.md

@@ -1,9 +1,7 @@
 ---
-frozen:
+sealed:
   - frontmatter-parser.ts
   - module-index-builder.ts
   - validation.ts
   - index.ts
----
-
-
+---

package/src/graph/frontmatter-parser.ts

@@ -5,7 +5,7 @@ export type VisibleEntryRaw = string | { path: string; modifier?: string };
 export type ModuleFrontmatter = {
   visible?: VisibleEntryRaw[];
   readonly?: string[];
-  frozen?: string[];
+  sealed?: string[];
 };
 
 export function parseVisibleEntry(raw: VisibleEntryRaw): Signature {

package/src/graph/module-index-builder.ts

@@ -70,7 +70,7 @@ function buildContracts(
           ? frontmatter.visible.map(parseVisibleEntry)
           : null,
       readonly: readonlyEntries,
-      frozen: frontmatter.frozen ?? [],
+      sealed: frontmatter.sealed ?? [],
       prose: body.trim(),
     });
   }

package/src/types.ts

@@ -9,7 +9,7 @@ export type ModuleContract = {
   modulePath: string;
   visible: Signature[] | null;
   readonly: string[];
-  frozen: string[];
+  sealed: string[];
   prose: string;
 };
 

package/src/utils.ts

@@ -42,10 +42,10 @@ export function isWithinSourceRoot(absPath: string, resolvedRoot: string): boole
 export function getAncestorContracts(
   absFile: string,
   index: ModuleIndex,
-): { modulePath: string; readonly: string[]; frozen: string[] }[] {
+): { modulePath: string; readonly: string[]; sealed: string[] }[] {
   return index.contracts
     .filter((c) => absFile.startsWith(c.modulePath + path.sep) || absFile === c.modulePath)
-    .map(({ modulePath, readonly, frozen }) => ({ modulePath, readonly, frozen }));
+    .map(({ modulePath, readonly, sealed }) => ({ modulePath, readonly, sealed }));
 }
 
 export function matchesPattern(

package/skills/module-freeze-all/scripts/freeze-all.d.mts

@@ -1 +0,0 @@
-export declare const SUPPORTED_EXTENSIONS: Set<string>;