@derwinjs/db 0.7.0 → 0.9.0

package/dist/kill-switch-evaluator.js

@@ -0,0 +1,389 @@
+/**
+ * createPrismaKillSwitchEvaluator — Prisma-backed implementation of the
+ * SDK KillSwitchEvaluator contract introduced by QAP-085 / QAP-086 / QAP-087.
+ *
+ * Sprint 8 Phase 4 (Policy Governance). Three independent triggers that
+ * halt auto-fix activity when recent telemetry indicates the platform is
+ * misbehaving:
+ *
+ *   1. SUCCESS_RATE_DROP   (QAP-085) — per-(classification, surface):
+ *      For each (classification, surface) seen in recent MERGED attempts
+ *      (last 30 days), compute success rate as
+ *      `(mergedClean + mergedWithEdits) / total`. If `total >= minSample`
+ *      AND `successRate < threshold`, trip a CLASSIFICATION-scope switch.
+ *
+ *   2. CONSECUTIVE_FAILURE (QAP-086) — per-project: count attempts in
+ *      the last `consecutiveFailureWindowHours` for the project ordered
+ *      by attemptedAt desc. If the FIRST N are all PRE_VERIFY_FAILED,
+ *      trip a PROJECT-scope switch.
+ *
+ *   3. REGRESSION_CASCADE  (QAP-087) — platform-wide: count attempts
+ *      across ALL projects where `autoRevertedAt` is within the last
+ *      `regressionCascadeWindowHours`. If `>=N`, trip a PLATFORM-scope
+ *      switch (projectId IS NULL).
+ *
+ * # History semantics
+ *
+ * Trips are history-preserving — when a trigger evaluates positive on a
+ * tuple that already has an engaged row, the existing row is preserved.
+ * When it evaluates positive on a tuple with only unblocked rows (or
+ * none), a new row is inserted. This means the audit trail shows every
+ * trip across time without losing prior unblock provenance.
+ *
+ * # Tenant isolation
+ *
+ * Every method scopes by projectId. Pattern D — wrong-project / unknown-
+ * project lookups for unblock return `not_found` (defense-in-depth
+ * against tenant enumeration). PLATFORM-scope switches have
+ * `projectId IS NULL` in storage; getEngaged unions per-project + platform
+ * rows so the dispatcher gate sees both.
+ */
+import { KillSwitchEvaluatorError, } from '@derwinjs/sdk';
+// ─── Defaults ────────────────────────────────────────────────────────────
+/**
+ * Default thresholds applied when a project's `killSwitchConfig` JSON
+ * column is null. Operators tighten / loosen these per-project once the
+ * project has trust history. Picked conservatively so the platform errs
+ * on the side of halting too eagerly rather than missing a real problem.
+ */
+export const DEFAULT_KILL_SWITCH_THRESHOLDS = {
+    // QAP-085 — SUCCESS_RATE_DROP
+    successRateDropPct: 0.4, // < 40% success in last N attempts → trip
+    successRateMinSample: 10, // need at least 10 attempts before evaluating
+    // QAP-086 — CONSECUTIVE_FAILURE
+    consecutiveFailureN: 5, // 5 PRE_VERIFY_FAILED in a row → trip
+    consecutiveFailureWindowHours: 24,
+    // QAP-087 — REGRESSION_CASCADE
+    regressionCascadeN: 3, // 3 new regressions across platform → trip
+    regressionCascadeWindowHours: 6,
+};
+/**
+ * Window over which SUCCESS_RATE_DROP looks for merged attempts. The
+ * trust telemetry roll-up uses a 30-day window everywhere else (see
+ * ClassificationTrust.attemptsLast30d), so we mirror it here.
+ */
+const SUCCESS_RATE_LOOKBACK_DAYS = 30;
+const MS_PER_HOUR = 60 * 60 * 1000;
+const MS_PER_DAY = 24 * MS_PER_HOUR;
+// ─── Helpers ─────────────────────────────────────────────────────────────
+/**
+ * Merge a project's killSwitchConfig JSON over the defaults. Only known
+ * keys are picked up; unknown keys are ignored. Non-finite / wrong-type
+ * values fall back to the default, so a malformed JSON column can't break
+ * the evaluator.
+ */
+function resolveThresholds(raw) {
+    const cfg = raw !== null && typeof raw === 'object' && !Array.isArray(raw)
+        ? raw
+        : {};
+    function num(key) {
+        const v = cfg[key];
+        if (typeof v === 'number' && Number.isFinite(v))
+            return v;
+        return DEFAULT_KILL_SWITCH_THRESHOLDS[key];
+    }
+    return {
+        successRateDropPct: num('successRateDropPct'),
+        successRateMinSample: num('successRateMinSample'),
+        consecutiveFailureN: num('consecutiveFailureN'),
+        consecutiveFailureWindowHours: num('consecutiveFailureWindowHours'),
+        regressionCascadeN: num('regressionCascadeN'),
+        regressionCascadeWindowHours: num('regressionCascadeWindowHours'),
+    };
+}
+// AttemptStatus values that count as "merged" for success-rate purposes.
+const MERGED_STATUSES = ['AUTO_MERGED', 'HUMAN_MERGED'];
+// AttemptStatus values that count as "failed-and-completed" for
+// success-rate purposes (post-merge regressions).
+const REGRESSED_STATUSES = ['REGRESSED_REVERTED'];
+function mapRow(row) {
+    // triggerMetrics is stored as JSONB; coerce the Prisma JsonValue back
+    // into a plain object for the contract type. Defense-in-depth: if a
+    // legacy / direct-DB row has a non-object scalar, surface an empty
+    // object rather than letting downstream code crash on `.foo`.
+    const metrics = row.triggerMetrics !== null &&
+        typeof row.triggerMetrics === 'object' &&
+        !Array.isArray(row.triggerMetrics)
+        ? row.triggerMetrics
+        : {};
+    return {
+        id: row.id,
+        projectId: row.projectId,
+        classification: row.classification,
+        surface: row.surface,
+        type: row.type,
+        scope: row.scope,
+        engaged: row.engaged,
+        engagedAt: row.engagedAt,
+        unblockedAt: row.unblockedAt,
+        unblockedBy: row.unblockedBy,
+        reason: row.reason,
+        triggerMetrics: metrics,
+        createdAt: row.createdAt,
+    };
+}
+// ─── Factory ─────────────────────────────────────────────────────────────
+export function createPrismaKillSwitchEvaluator(config) {
+    const { prisma } = config;
+    const now = config.now ?? (() => new Date());
+    /**
+     * Insert a new engaged switch row IFF no engaged row already exists for
+     * the (projectId, classification, surface, type, scope) tuple. Returns
+     * the row regardless (the existing or the newly inserted one) so the
+     * caller can include it in the evaluate() return list.
+     */
+    async function tripIfNotEngaged(args) {
+        // Find an existing engaged row for this tuple. We do NOT use
+        // findUnique because (type, scope, classification, surface, projectId)
+        // is not a unique constraint by design — we want the history-preserving
+        // append-on-retrip semantics.
+        const existing = await prisma.killSwitchState.findFirst({
+            where: {
+                projectId: args.projectId,
+                classification: args.classification,
+                surface: args.surface,
+                type: args.type,
+                scope: args.scope,
+                engaged: true,
+            },
+        });
+        if (existing !== null)
+            return existing;
+        const created = await prisma.killSwitchState.create({
+            data: {
+                projectId: args.projectId,
+                classification: args.classification,
+                surface: args.surface,
+                type: args.type,
+                scope: args.scope,
+                engaged: true,
+                reason: args.reason,
+                triggerMetrics: args.triggerMetrics,
+            },
+        });
+        return created;
+    }
+    // ── Trigger 1 — QAP-085 SUCCESS_RATE_DROP ──────────────────────────────
+    async function evaluateSuccessRateDrop(projectId, thresholds, at) {
+        const since = new Date(at.getTime() - SUCCESS_RATE_LOOKBACK_DAYS * MS_PER_DAY);
+        // Pull recent terminal-state attempts (merged or regressed-reverted).
+        // For each (classification, surface) tuple we compute success rate
+        // = merged / (merged + regressed). PRE_VERIFY_FAILED attempts never
+        // dispatched, so they are NOT in the denominator — they belong to
+        // the CONSECUTIVE_FAILURE trigger instead.
+        const attempts = await prisma.qAFixAttempt.findMany({
+            where: {
+                projectId,
+                attemptedAt: { gte: since },
+                dispatchStatus: {
+                    in: [...MERGED_STATUSES, ...REGRESSED_STATUSES],
+                },
+            },
+            select: {
+                dispatchStatus: true,
+                ticket: { select: { classification: true, surface: true } },
+            },
+        });
+        const tallies = new Map();
+        for (const a of attempts) {
+            const classification = a.ticket.classification;
+            const surface = a.ticket.surface;
+            if (classification.length === 0)
+                continue;
+            const key = `${classification}::${surface}`;
+            let t = tallies.get(key);
+            if (t === undefined) {
+                t = { classification, surface, total: 0, merged: 0 };
+                tallies.set(key, t);
+            }
+            t.total += 1;
+            if (MERGED_STATUSES.includes(a.dispatchStatus)) {
+                t.merged += 1;
+            }
+        }
+        const tripped = [];
+        for (const t of tallies.values()) {
+            if (t.total < thresholds.successRateMinSample)
+                continue;
+            const rate = t.merged / t.total;
+            if (rate >= thresholds.successRateDropPct)
+                continue;
+            const row = await tripIfNotEngaged({
+                projectId,
+                classification: t.classification,
+                surface: t.surface,
+                type: 'SUCCESS_RATE_DROP',
+                scope: 'CLASSIFICATION',
+                reason: `QAP-085: success rate ${(rate * 100).toFixed(1)}% over ${t.total.toString()} attempts ` +
+                    `is below threshold ${(thresholds.successRateDropPct * 100).toFixed(0)}% ` +
+                    `for ${t.classification} on ${t.surface}.`,
+                triggerMetrics: {
+                    classification: t.classification,
+                    surface: t.surface,
+                    total: t.total,
+                    merged: t.merged,
+                    successRate: rate,
+                    threshold: thresholds.successRateDropPct,
+                    windowDays: SUCCESS_RATE_LOOKBACK_DAYS,
+                },
+            });
+            tripped.push(row);
+        }
+        return tripped;
+    }
+    // ── Trigger 2 — QAP-086 CONSECUTIVE_FAILURE ─────────────────────────────
+    async function evaluateConsecutiveFailure(projectId, thresholds, at) {
+        const since = new Date(at.getTime() - thresholds.consecutiveFailureWindowHours * MS_PER_HOUR);
+        // Order by attemptedAt desc so we examine the most recent attempts
+        // first. We need at least N attempts in the window; if the first N
+        // (ordered by recency desc) are ALL PRE_VERIFY_FAILED, trip.
+        const recent = await prisma.qAFixAttempt.findMany({
+            where: {
+                projectId,
+                attemptedAt: { gte: since },
+            },
+            orderBy: { attemptedAt: 'desc' },
+            take: thresholds.consecutiveFailureN,
+            select: { id: true, dispatchStatus: true, attemptedAt: true },
+        });
+        if (recent.length < thresholds.consecutiveFailureN)
+            return [];
+        const allFailed = recent.every((a) => a.dispatchStatus === 'PRE_VERIFY_FAILED');
+        if (!allFailed)
+            return [];
+        const row = await tripIfNotEngaged({
+            projectId,
+            classification: null,
+            surface: null,
+            type: 'CONSECUTIVE_FAILURE',
+            scope: 'PROJECT',
+            reason: `QAP-086: ${thresholds.consecutiveFailureN.toString()} consecutive PRE_VERIFY_FAILED attempts ` +
+                `within ${thresholds.consecutiveFailureWindowHours.toString()}h.`,
+            triggerMetrics: {
+                consecutiveFailureN: thresholds.consecutiveFailureN,
+                windowHours: thresholds.consecutiveFailureWindowHours,
+                attemptIds: recent.map((a) => a.id),
+                oldestAttemptAt: recent[recent.length - 1]?.attemptedAt ?? null,
+            },
+        });
+        return [row];
+    }
+    // ── Trigger 3 — QAP-087 REGRESSION_CASCADE ──────────────────────────────
+    async function evaluateRegressionCascade(thresholds, at) {
+        const since = new Date(at.getTime() - thresholds.regressionCascadeWindowHours * MS_PER_HOUR);
+        // Platform-wide — count attempts across ALL projects that were
+        // auto-reverted within the window. autoRevertedAt is the field the
+        // Sprint 7 RegressionDetector flips when post-verify telemetry shows
+        // a regression.
+        const reverts = await prisma.qAFixAttempt.findMany({
+            where: {
+                autoRevertedAt: { gte: since, not: null },
+            },
+            select: { id: true, projectId: true, autoRevertedAt: true },
+        });
+        if (reverts.length < thresholds.regressionCascadeN)
+            return [];
+        const row = await tripIfNotEngaged({
+            projectId: null,
+            classification: null,
+            surface: null,
+            type: 'REGRESSION_CASCADE',
+            scope: 'PLATFORM',
+            reason: `QAP-087: ${reverts.length.toString()} regressions across the platform within ` +
+                `${thresholds.regressionCascadeWindowHours.toString()}h ` +
+                `(threshold ${thresholds.regressionCascadeN.toString()}).`,
+            triggerMetrics: {
+                regressionCount: reverts.length,
+                threshold: thresholds.regressionCascadeN,
+                windowHours: thresholds.regressionCascadeWindowHours,
+                attemptIds: reverts.map((r) => r.id),
+                affectedProjectIds: Array.from(new Set(reverts.map((r) => r.projectId))),
+            },
+        });
+        return [row];
+    }
+    return {
+        async evaluate(input) {
+            if (typeof input.projectId !== 'string' || input.projectId.length === 0) {
+                throw new KillSwitchEvaluatorError('invalid_input', 'KillSwitchEvaluator: projectId is required');
+            }
+            const at = now();
+            // Resolve thresholds: project override → defaults. Pattern D —
+            // unknown project resolves to defaults; the trigger queries simply
+            // return zero rows for an unknown projectId, so no trip.
+            const project = await prisma.project.findUnique({
+                where: { id: input.projectId },
+                select: { killSwitchConfig: true },
+            });
+            const thresholds = resolveThresholds(project?.killSwitchConfig ?? null);
+            // Run all three triggers. They are independent — one tripping
+            // doesn't short-circuit the others.
+            const tripped = [];
+            tripped.push(...(await evaluateSuccessRateDrop(input.projectId, thresholds, at)));
+            tripped.push(...(await evaluateConsecutiveFailure(input.projectId, thresholds, at)));
+            tripped.push(...(await evaluateRegressionCascade(thresholds, at)));
+            // Return the union of (newly-tripped switches) ∪ (already-engaged
+            // switches that match this project). The caller (dispatcher) cares
+            // about what's CURRENTLY engaged, not strictly about the set we
+            // tripped on this evaluate() call.
+            const engaged = await this.getEngaged({ projectId: input.projectId });
+            // De-duplicate by id — tripped rows for THIS evaluate call may
+            // already be in the engaged list from getEngaged.
+            const byId = new Map();
+            for (const r of tripped)
+                byId.set(r.id, mapRow(r));
+            for (const e of engaged)
+                byId.set(e.id, e);
+            return Array.from(byId.values());
+        },
+        async getEngaged(input) {
+            if (typeof input.projectId !== 'string' || input.projectId.length === 0) {
+                throw new KillSwitchEvaluatorError('invalid_input', 'KillSwitchEvaluator: projectId is required');
+            }
+            // Union: (engaged switches scoped to this project) OR
+            //        (engaged platform-wide switches, projectId IS NULL).
+            const rows = await prisma.killSwitchState.findMany({
+                where: {
+                    engaged: true,
+                    OR: [{ projectId: input.projectId }, { scope: 'PLATFORM' }],
+                },
+                orderBy: { engagedAt: 'desc' },
+            });
+            return rows.map(mapRow);
+        },
+        async unblock(input) {
+            if (typeof input.projectId !== 'string' || input.projectId.length === 0) {
+                throw new KillSwitchEvaluatorError('invalid_input', 'KillSwitchEvaluator: projectId is required');
+            }
+            if (typeof input.switchId !== 'string' || input.switchId.length === 0) {
+                throw new KillSwitchEvaluatorError('invalid_input', 'KillSwitchEvaluator: switchId is required');
+            }
+            if (typeof input.unblockedBy !== 'string' || input.unblockedBy.trim().length === 0) {
+                throw new KillSwitchEvaluatorError('invalid_input', 'KillSwitchEvaluator: unblockedBy is required');
+            }
+            // Pattern D — operator can only unblock a switch they have access to:
+            //   1. CLASSIFICATION / PROJECT switches must match projectId.
+            //   2. PLATFORM switches are unblockable from any project (any
+            //      operator with platform-admin rights — middleware enforces).
+            const existing = await prisma.killSwitchState.findFirst({
+                where: {
+                    id: input.switchId,
+                    OR: [{ projectId: input.projectId }, { scope: 'PLATFORM' }],
+                },
+                select: { id: true },
+            });
+            if (existing === null) {
+                throw new KillSwitchEvaluatorError('not_found', `KillSwitch ${input.switchId} not found in project ${input.projectId}`);
+            }
+            await prisma.killSwitchState.update({
+                where: { id: input.switchId },
+                data: {
+                    engaged: false,
+                    unblockedAt: now(),
+                    unblockedBy: input.unblockedBy,
+                },
+            });
+        },
+    };
+}
+//# sourceMappingURL=kill-switch-evaluator.js.map

package/dist/kill-switch-evaluator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kill-switch-evaluator.js","sourceRoot":"","sources":["../src/kill-switch-evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAGH,OAAO,EACL,wBAAwB,GAKzB,MAAM,eAAe,CAAC;AAevB,4EAA4E;AAE5E;;;;;GAKG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAG;IAC5C,8BAA8B;IAC9B,kBAAkB,EAAE,GAAG,EAAE,0CAA0C;IACnE,oBAAoB,EAAE,EAAE,EAAE,8CAA8C;IACxE,gCAAgC;IAChC,mBAAmB,EAAE,CAAC,EAAE,sCAAsC;IAC9D,6BAA6B,EAAE,EAAE;IACjC,+BAA+B;IAC/B,kBAAkB,EAAE,CAAC,EAAE,2CAA2C;IAClE,4BAA4B,EAAE,CAAC;CACvB,CAAC;AAWX;;;;GAIG;AACH,MAAM,0BAA0B,GAAG,EAAE,CAAC;AACtC,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AACnC,MAAM,UAAU,GAAG,EAAE,GAAG,WAAW,CAAC;AAEpC,4EAA4E;AAE5E;;;;;GAKG;AACH,SAAS,iBAAiB,CAAC,GAAY;IACrC,MAAM,GAAG,GACP,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAC5D,CAAC,CAAE,GAA+B;QAClC,CAAC,CAAC,EAAE,CAAC;IACT,SAAS,GAAG,CAAC,GAA+B;QAC1C,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACnB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;QAC1D,OAAO,8BAA8B,CAAC,GAAG,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO;QACL,kBAAkB,EAAE,GAAG,CAAC,oBAAoB,CAAC;QAC7C,oBAAoB,EAAE,GAAG,CAAC,sBAAsB,CAAC;QACjD,mBAAmB,EAAE,GAAG,CAAC,qBAAqB,CAAC;QAC/C,6BAA6B,EAAE,GAAG,CAAC,+BAA+B,CAAC;QACnE,kBAAkB,EAAE,GAAG,CAAC,oBAAoB,CAAC;QAC7C,4BAA4B,EAAE,GAAG,CAAC,8BAA8B,CAAC;KAClE,CAAC;AACJ,CAAC;AAED,yEAAyE;AACzE,MAAM,eAAe,GAAG,CAAC,aAAa,EAAE,cAAc,CAAU,CAAC;AACjE,gEAAgE;AAChE,kDAAkD;AAClD,MAAM,kBAAkB,GAAG,CAAC,oBAAoB,CAAU,CAAC;AAkB3D,SAAS,MAAM,CAAC,GAAkB;IAChC,sEAAsE;IACtE,oEAAoE;IACpE,mEAAmE;IACnE,8DAA8D;IAC9D,MAAM,OAAO,GACX,GAAG,CAAC,cAAc,KAAK,IAAI;QAC3B,OAAO,GAAG,CAAC,cAAc,KAAK,QAAQ;QACtC,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QAChC,CAAC,CAAE,GAAG,CAAC,cAA0C;QACjD,CAAC,CAAC,EAAE,CAAC;IACT,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,cAAc,EAAE,GAAG,CAAC,cAAc;QAClC,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,cAAc,EAAE,OAAO;QACvB,SAAS,EAAE,GAAG,CAAC,SAAS;KACzB,CAAC;AACJ,CAAC;AAED,4EAA4E;AAE5E,MAAM,UAAU,+BAA+B,CAC7C,MAAuC;IAEvC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAE7C;;;;;OAKG;IACH,KAAK,UAAU,gBAAgB,CAAC,IAQ/B;QACC,6DAA6D;QAC7D,uEAAuE;QACvE,wEAAwE;QACxE,8BAA8B;QAC9B,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC;YACtD,KAAK,EAAE;gBACL,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,OAAO,EAAE,IAAI;aACd;SACF,CAAC,CAAC;QACH,IAAI,QAAQ,KAAK,IAAI;YAAE,OAAO,QAAQ,CAAC;QACvC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC;YAClD,IAAI,EAAE;gBACJ,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,cAAc,EAAE,IAAI,CAAC,cAAuC;aAC7D;SACF,CAAC,CAAC;QACH,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,0EAA0E;IAC1E,KAAK,UAAU,uBAAuB,CACpC,SAAiB,EACjB,UAAgC,EAChC,EAAQ;QAER,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,0BAA0B,GAAG,UAAU,CAAC,CAAC;QAC/E,sEAAsE;QACtE,mEAAmE;QACnE,oEAAoE;QACpE,kEAAkE;QAClE,2CAA2C;QAC3C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC;YAClD,KAAK,EAAE;gBACL,SAAS;gBACT,WAAW,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE;gBAC3B,cAAc,EAAE;oBACd,EAAE,EAAE,CAAC,GAAG,eAAe,EAAE,GAAG,kBAAkB,CAAC;iBAChD;aACF;YACD,MAAM,EAAE;gBACN,cAAc,EAAE,IAAI;gBACpB,MAAM,EAAE,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;aAC5D;SACF,CAAC,CAAC;QAQH,MAAM,OAAO,GAAG,IAAI,GAAG,EAAiB,CAAC;QACzC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC;YAC/C,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;YACjC,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAC1C,MAAM,GAAG,GAAG,GAAG,cAAc,KAAK,OAAO,EAAE,CAAC;YAC5C,IAAI,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACzB,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;gBACpB,CAAC,GAAG,EAAE,cAAc,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;gBACrD,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YACtB,CAAC;YACD,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;YACb,IAAK,eAAqC,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC;gBACtE,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAoB,EAAE,CAAC;QACpC,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YACjC,IAAI,CAAC,CAAC,KAAK,GAAG,UAAU,CAAC,oBAAoB;gBAAE,SAAS;YACxD,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC;YAChC,IAAI,IAAI,IAAI,UAAU,CAAC,kBAAkB;gBAAE,SAAS;YACpD,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC;gBACjC,SAAS;gBACT,cAAc,EAAE,CAAC,CAAC,cAAc;gBAChC,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,IAAI,EAAE,mBAAmB;gBACzB,KAAK,EAAE,gBAAgB;gBACvB,MAAM,EACJ,yBAAyB,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,YAAY;oBACxF,sBAAsB,CAAC,UAAU,CAAC,kBAAkB,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;oBAC1E,OAAO,CAAC,CAAC,cAAc,OAAO,CAAC,CAAC,OAAO,GAAG;gBAC5C,cAAc,EAAE;oBACd,cAAc,EAAE,CAAC,CAAC,cAAc;oBAChC,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,KAAK,EAAE,CAAC,CAAC,KAAK;oBACd,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,WAAW,EAAE,IAAI;oBACjB,SAAS,EAAE,UAAU,CAAC,kBAAkB;oBACxC,UAAU,EAAE,0BAA0B;iBACvC;aACF,CAAC,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,2EAA2E;IAC3E,KAAK,UAAU,0BAA0B,CACvC,SAAiB,EACjB,UAAgC,EAChC,EAAQ;QAER,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,UAAU,CAAC,6BAA6B,GAAG,WAAW,CAAC,CAAC;QAC9F,mEAAmE;QACnE,mEAAmE;QACnE,6DAA6D;QAC7D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC;YAChD,KAAK,EAAE;gBACL,SAAS;gBACT,WAAW,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE;aAC5B;YACD,OAAO,EAAE,EAAE,WAAW,EAAE,MAAM,EAAE;YAChC,IAAI,EAAE,UAAU,CAAC,mBAAmB;YACpC,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;SAC9D,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,MAAM,GAAG,UAAU,CAAC,mBAAmB;YAAE,OAAO,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,mBAAmB,CAAC,CAAC;QAChF,IAAI,CAAC,SAAS;YAAE,OAAO,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC;YACjC,SAAS;YACT,cAAc,EAAE,IAAI;YACpB,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,qBAAqB;YAC3B,KAAK,EAAE,SAAS;YAChB,MAAM,EACJ,YAAY,UAAU,CAAC,mBAAmB,CAAC,QAAQ,EAAE,0CAA0C;gBAC/F,UAAU,UAAU,CAAC,6BAA6B,CAAC,QAAQ,EAAE,IAAI;YACnE,cAAc,EAAE;gBACd,mBAAmB,EAAE,UAAU,CAAC,mBAAmB;gBACnD,WAAW,EAAE,UAAU,CAAC,6BAA6B;gBACrD,UAAU,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACnC,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,WAAW,IAAI,IAAI;aAChE;SACF,CAAC,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;IAED,2EAA2E;IAC3E,KAAK,UAAU,yBAAyB,CACtC,UAAgC,EAChC,EAAQ;QAER,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,UAAU,CAAC,4BAA4B,GAAG,WAAW,CAAC,CAAC;QAC7F,+DAA+D;QAC/D,mEAAmE;QACnE,qEAAqE;QACrE,gBAAgB;QAChB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC;YACjD,KAAK,EAAE;gBACL,cAAc,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE;aAC1C;YACD,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE;SAC5D,CAAC,CAAC;QACH,IAAI,OAAO,CAAC,MAAM,GAAG,UAAU,CAAC,kBAAkB;YAAE,OAAO,EAAE,CAAC;QAC9D,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC;YACjC,SAAS,EAAE,IAAI;YACf,cAAc,EAAE,IAAI;YACpB,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,oBAAoB;YAC1B,KAAK,EAAE,UAAU;YACjB,MAAM,EACJ,YAAY,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,0CAA0C;gBAC/E,GAAG,UAAU,CAAC,4BAA4B,CAAC,QAAQ,EAAE,IAAI;gBACzD,cAAc,UAAU,CAAC,kBAAkB,CAAC,QAAQ,EAAE,IAAI;YAC5D,cAAc,EAAE;gBACd,eAAe,EAAE,OAAO,CAAC,MAAM;gBAC/B,SAAS,EAAE,UAAU,CAAC,kBAAkB;gBACxC,WAAW,EAAE,UAAU,CAAC,4BAA4B;gBACpD,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpC,kBAAkB,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;aACzE;SACF,CAAC,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;IAED,OAAO;QACL,KAAK,CAAC,QAAQ,CAAC,KAA4B;YACzC,IAAI,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxE,MAAM,IAAI,wBAAwB,CAChC,eAAe,EACf,4CAA4C,CAC7C,CAAC;YACJ,CAAC;YACD,MAAM,EAAE,GAAG,GAAG,EAAE,CAAC;YAEjB,+DAA+D;YAC/D,mEAAmE;YACnE,yDAAyD;YACzD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC;gBAC9C,KAAK,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,SAAS,EAAE;gBAC9B,MAAM,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE;aACnC,CAAC,CAAC;YACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,OAAO,EAAE,gBAAgB,IAAI,IAAI,CAAC,CAAC;YAExE,8DAA8D;YAC9D,oCAAoC;YACpC,MAAM,OAAO,GAAoB,EAAE,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,uBAAuB,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;YAClF,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,0BAA0B,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;YACrF,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,yBAAyB,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;YAEnE,kEAAkE;YAClE,mEAAmE;YACnE,gEAAgE;YAChE,mCAAmC;YACnC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;YACtE,+DAA+D;YAC/D,kDAAkD;YAClD,MAAM,IAAI,GAAG,IAAI,GAAG,EAA2B,CAAC;YAChD,KAAK,MAAM,CAAC,IAAI,OAAO;gBAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YACnD,KAAK,MAAM,CAAC,IAAI,OAAO;gBAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YAC3C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QACnC,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,KAA4B;YAC3C,IAAI,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxE,MAAM,IAAI,wBAAwB,CAChC,eAAe,EACf,4CAA4C,CAC7C,CAAC;YACJ,CAAC;YACD,sDAAsD;YACtD,8DAA8D;YAC9D,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC;gBACjD,KAAK,EAAE;oBACL,OAAO,EAAE,IAAI;oBACb,EAAE,EAAE,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;iBAC5D;gBACD,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;aAC/B,CAAC,CAAC;YACH,OAAQ,IAAwB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC/C,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,KAIb;YACC,IAAI,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxE,MAAM,IAAI,wBAAwB,CAChC,eAAe,EACf,4CAA4C,CAC7C,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACtE,MAAM,IAAI,wBAAwB,CAChC,eAAe,EACf,2CAA2C,CAC5C,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,KAAK,CAAC,WAAW,KAAK,QAAQ,IAAI,KAAK,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACnF,MAAM,IAAI,wBAAwB,CAChC,eAAe,EACf,8CAA8C,CAC/C,CAAC;YACJ,CAAC;YACD,sEAAsE;YACtE,+DAA+D;YAC/D,+DAA+D;YAC/D,mEAAmE;YACnE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC;gBACtD,KAAK,EAAE;oBACL,EAAE,EAAE,KAAK,CAAC,QAAQ;oBAClB,EAAE,EAAE,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;iBAC5D;gBACD,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;aACrB,CAAC,CAAC;YACH,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;gBACtB,MAAM,IAAI,wBAAwB,CAChC,WAAW,EACX,cAAc,KAAK,CAAC,QAAQ,yBAAyB,KAAK,CAAC,SAAS,EAAE,CACvE,CAAC;YACJ,CAAC;YACD,MAAM,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC;gBAClC,KAAK,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,QAAQ,EAAE;gBAC7B,IAAI,EAAE;oBACJ,OAAO,EAAE,KAAK;oBACd,WAAW,EAAE,GAAG,EAAE;oBAClB,WAAW,EAAE,KAAK,CAAC,WAAW;iBAC/B;aACF,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/path-tier-resolver.d.ts

@@ -0,0 +1,47 @@
+/**
+ * createPrismaPathTierResolver — Prisma-backed implementation of the SDK
+ * PathTierResolver contract introduced by QAP-080.
+ *
+ * Sprint 8 (Policy Governance, Phase 1). Resolves a list of paths to the
+ * **strictest** RiskTier among all rules that match any of the supplied
+ * paths. "Strictest" follows the RiskTier ladder: NEVER > HIGH > MEDIUM >
+ * LOW. Falls back to the project's `defaultTier` when no rule matches; if
+ * the project itself doesn't exist, falls back to LOW (defense-in-depth
+ * against tenant enumeration — wrong-project lookups must not throw or
+ * leak whether a Project row exists).
+ *
+ * No external glob library — `matchGlob` below is a small in-house helper
+ * that handles the three glob features we need (`**`, `*`, literals). We
+ * deliberately avoid pulling `minimatch` into @derwinjs/db to keep the
+ * dependency surface small for Sprint 8; if the Sprint 9 policy editor
+ * needs feature parity (negation, brace expansion, `?`), revisit then.
+ *
+ * Tenant isolation: every read scopes by projectId. setRules wraps DELETE
+ * + bulk INSERT in an interactive transaction so partial failures don't
+ * leave a half-applied ruleset.
+ */
+import type { PrismaClient } from './prisma.js';
+import { type PathTierResolver } from '@derwinjs/sdk';
+export interface PrismaPathTierResolverConfig {
+    /** Generated Prisma client. Pass an instance per process. */
+    prisma: PrismaClient;
+}
+/**
+ * Minimal glob → path matcher.
+ *
+ *   `**` — matches zero or more path segments (including `/`)
+ *   `*`  — matches zero or more chars within a single segment (no `/`)
+ *   anything else — literal
+ *
+ * Implemented by translating the glob to a RegExp. Anchored at both ends.
+ * This is intentionally a small subset — we don't support brace expansion,
+ * negation, character classes, or `?`. Add them when a real consumer
+ * needs them; YAGNI applies in Sprint 8.
+ *
+ * Throws PathTierResolverError(`invalid_pattern`) on a glob that produces
+ * an unparseable RegExp (extremely rare with the supported subset, but
+ * the guard exists so the contract's error-code surface is honored).
+ */
+export declare function matchGlob(pattern: string, path: string): boolean;
+export declare function createPrismaPathTierResolver(config: PrismaPathTierResolverConfig): PathTierResolver;
+//# sourceMappingURL=path-tier-resolver.d.ts.map

package/dist/path-tier-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-tier-resolver.d.ts","sourceRoot":"","sources":["../src/path-tier-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAGL,KAAK,gBAAgB,EAGtB,MAAM,eAAe,CAAC;AAIvB,MAAM,WAAW,4BAA4B;IAC3C,6DAA6D;IAC7D,MAAM,EAAE,YAAY,CAAC;CACtB;AA2BD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CA0ChE;AAqBD,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,4BAA4B,GACnC,gBAAgB,CAuElB"}

package/dist/path-tier-resolver.js

@@ -0,0 +1,177 @@
+/**
+ * createPrismaPathTierResolver — Prisma-backed implementation of the SDK
+ * PathTierResolver contract introduced by QAP-080.
+ *
+ * Sprint 8 (Policy Governance, Phase 1). Resolves a list of paths to the
+ * **strictest** RiskTier among all rules that match any of the supplied
+ * paths. "Strictest" follows the RiskTier ladder: NEVER > HIGH > MEDIUM >
+ * LOW. Falls back to the project's `defaultTier` when no rule matches; if
+ * the project itself doesn't exist, falls back to LOW (defense-in-depth
+ * against tenant enumeration — wrong-project lookups must not throw or
+ * leak whether a Project row exists).
+ *
+ * No external glob library — `matchGlob` below is a small in-house helper
+ * that handles the three glob features we need (`**`, `*`, literals). We
+ * deliberately avoid pulling `minimatch` into @derwinjs/db to keep the
+ * dependency surface small for Sprint 8; if the Sprint 9 policy editor
+ * needs feature parity (negation, brace expansion, `?`), revisit then.
+ *
+ * Tenant isolation: every read scopes by projectId. setRules wraps DELETE
+ * + bulk INSERT in an interactive transaction so partial failures don't
+ * leave a half-applied ruleset.
+ */
+import { PathTierResolverError, RiskTierValues, } from '@derwinjs/sdk';
+// ─── Tier ordering ────────────────────────────────────────────────────────
+/**
+ * Strictness ladder. The resolver picks the maximum-strictness tier among
+ * all matching rules. NEVER is strictest (forbidden), LOW is loosest.
+ *
+ * NOTE: the SDK's RiskTier enum currently is `LOW | MEDIUM | HIGH | NEVER`.
+ * The Sprint 8 plan referenced `CRITICAL` in early drafts; we honor the
+ * existing schema enum and treat NEVER as the strictest tier (it means
+ * "auto-fix forbidden — must be human-only"). If a future migration
+ * renames NEVER to CRITICAL, update this ladder accordingly.
+ */
+const TIER_STRICTNESS = {
+    LOW: 0,
+    MEDIUM: 1,
+    HIGH: 2,
+    NEVER: 3,
+};
+function strictest(a, b) {
+    return TIER_STRICTNESS[a] >= TIER_STRICTNESS[b] ? a : b;
+}
+// ─── Glob matcher ─────────────────────────────────────────────────────────
+/**
+ * Minimal glob → path matcher.
+ *
+ *   `**` — matches zero or more path segments (including `/`)
+ *   `*`  — matches zero or more chars within a single segment (no `/`)
+ *   anything else — literal
+ *
+ * Implemented by translating the glob to a RegExp. Anchored at both ends.
+ * This is intentionally a small subset — we don't support brace expansion,
+ * negation, character classes, or `?`. Add them when a real consumer
+ * needs them; YAGNI applies in Sprint 8.
+ *
+ * Throws PathTierResolverError(`invalid_pattern`) on a glob that produces
+ * an unparseable RegExp (extremely rare with the supported subset, but
+ * the guard exists so the contract's error-code surface is honored).
+ */
+export function matchGlob(pattern, path) {
+    // Tokenize so we can distinguish `**` from two consecutive `*`.
+    let regexSrc = '';
+    let i = 0;
+    while (i < pattern.length) {
+        const ch = pattern.charAt(i);
+        if (ch === '*') {
+            if (pattern[i + 1] === '*') {
+                // `**` — match anything including `/`
+                regexSrc += '.*';
+                i += 2;
+                // Skip a trailing `/` in `**/` so the rule matches the empty
+                // prefix case (e.g., `**/foo.ts` should match `foo.ts`).
+                if (pattern[i] === '/') {
+                    regexSrc += '/?';
+                    i += 1;
+                }
+            }
+            else {
+                // single `*` — match within a segment
+                regexSrc += '[^/]*';
+                i += 1;
+            }
+        }
+        else if (/[.+?^${}()|[\]\\]/.test(ch)) {
+            regexSrc += '\\' + ch;
+            i += 1;
+        }
+        else {
+            regexSrc += ch;
+            i += 1;
+        }
+    }
+    let re;
+    try {
+        re = new RegExp('^' + regexSrc + '$');
+    }
+    catch (err) {
+        throw new PathTierResolverError('invalid_pattern', `PathTierResolver: invalid glob pattern ${JSON.stringify(pattern)}`, err);
+    }
+    return re.test(path);
+}
+// ─── Validation ──────────────────────────────────────────────────────────
+function validateRule(rule) {
+    if (typeof rule.pattern !== 'string' || rule.pattern.length === 0) {
+        throw new PathTierResolverError('invalid_pattern', 'PathTierResolver: rule.pattern must be a non-empty string');
+    }
+    if (!RiskTierValues.includes(rule.tier)) {
+        throw new PathTierResolverError('invalid_tier', `PathTierResolver: rule.tier must be one of ${RiskTierValues.join(', ')} (got ${rule.tier})`);
+    }
+}
+// ─── Factory ─────────────────────────────────────────────────────────────
+export function createPrismaPathTierResolver(config) {
+    const { prisma } = config;
+    return {
+        async resolveTier(input) {
+            const { projectId, paths } = input;
+            // Read project row for the fallback tier. findUnique (not findFirst)
+            // because Project.id is the unique key. Wrong-project / unknown-
+            // project returns null → fall back to LOW (no leak that the project
+            // doesn't exist).
+            const project = await prisma.project.findUnique({
+                where: { id: projectId },
+                select: { defaultTier: true },
+            });
+            const fallback = project?.defaultTier ?? 'LOW';
+            if (paths.length === 0) {
+                return fallback;
+            }
+            const rules = await prisma.pathTierRule.findMany({
+                where: { projectId },
+                orderBy: { priority: 'asc' },
+            });
+            let strictestSeen = null;
+            for (const rule of rules) {
+                const matched = paths.some((p) => matchGlob(rule.pattern, p));
+                if (matched) {
+                    strictestSeen = strictestSeen === null ? rule.tier : strictest(strictestSeen, rule.tier);
+                }
+            }
+            return strictestSeen ?? fallback;
+        },
+        async listRules(input) {
+            const rows = await prisma.pathTierRule.findMany({
+                where: { projectId: input.projectId },
+                orderBy: { priority: 'asc' },
+            });
+            return rows.map((row) => ({
+                pattern: row.pattern,
+                tier: row.tier,
+                ...(row.reason !== null ? { reason: row.reason } : {}),
+            }));
+        },
+        async setRules(input) {
+            const { projectId, rules } = input;
+            // Validate up-front so a bad rule fails fast before we touch the DB.
+            for (const rule of rules)
+                validateRule(rule);
+            // Atomic replace: DELETE + bulk INSERT inside one transaction.
+            await prisma.$transaction(async (tx) => {
+                await tx.pathTierRule.deleteMany({ where: { projectId } });
+                if (rules.length === 0)
+                    return;
+                await tx.pathTierRule.createMany({
+                    data: rules.map((rule, idx) => ({
+                        projectId,
+                        pattern: rule.pattern,
+                        tier: rule.tier,
+                        priority: idx,
+                        reason: rule.reason ?? null,
+                    })),
+                });
+            });
+        },
+    };
+}
+//# sourceMappingURL=path-tier-resolver.js.map

package/dist/path-tier-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-tier-resolver.js","sourceRoot":"","sources":["../src/path-tier-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,EACL,qBAAqB,EACrB,cAAc,GAIf,MAAM,eAAe,CAAC;AASvB,6EAA6E;AAE7E;;;;;;;;;GASG;AACH,MAAM,eAAe,GAA6B;IAChD,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,SAAS,SAAS,CAAC,CAAW,EAAE,CAAW;IACzC,OAAO,eAAe,CAAC,CAAC,CAAC,IAAI,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,6EAA6E;AAE7E;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,SAAS,CAAC,OAAe,EAAE,IAAY;IACrD,gEAAgE;IAChE,IAAI,QAAQ,GAAG,EAAE,CAAC;IAClB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QAC1B,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC3B,sCAAsC;gBACtC,QAAQ,IAAI,IAAI,CAAC;gBACjB,CAAC,IAAI,CAAC,CAAC;gBACP,6DAA6D;gBAC7D,yDAAyD;gBACzD,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;oBACvB,QAAQ,IAAI,IAAI,CAAC;oBACjB,CAAC,IAAI,CAAC,CAAC;gBACT,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,sCAAsC;gBACtC,QAAQ,IAAI,OAAO,CAAC;gBACpB,CAAC,IAAI,CAAC,CAAC;YACT,CAAC;QACH,CAAC;aAAM,IAAI,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YACxC,QAAQ,IAAI,IAAI,GAAG,EAAE,CAAC;YACtB,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;aAAM,CAAC;YACN,QAAQ,IAAI,EAAE,CAAC;YACf,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;IACH,CAAC;IAED,IAAI,EAAU,CAAC;IACf,IAAI,CAAC;QACH,EAAE,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,QAAQ,GAAG,GAAG,CAAC,CAAC;IACxC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,qBAAqB,CAC7B,iBAAiB,EACjB,0CAA0C,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,EACnE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACvB,CAAC;AAED,4EAA4E;AAE5E,SAAS,YAAY,CAAC,IAAkB;IACtC,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,qBAAqB,CAC7B,iBAAiB,EACjB,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,qBAAqB,CAC7B,cAAc,EACd,8CAA8C,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,GAAG,CAC7F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,4EAA4E;AAE5E,MAAM,UAAU,4BAA4B,CAC1C,MAAoC;IAEpC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IAE1B,OAAO;QACL,KAAK,CAAC,WAAW,CAAC,KAA6C;YAC7D,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;YAEnC,qEAAqE;YACrE,iEAAiE;YACjE,oEAAoE;YACpE,kBAAkB;YAClB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC;gBAC9C,KAAK,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE;gBACxB,MAAM,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE;aAC9B,CAAC,CAAC;YACH,MAAM,QAAQ,GAAa,OAAO,EAAE,WAAW,IAAI,KAAK,CAAC;YAEzD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC;gBAC/C,KAAK,EAAE,EAAE,SAAS,EAAE;gBACpB,OAAO,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE;aAC7B,CAAC,CAAC;YAEH,IAAI,aAAa,GAAoB,IAAI,CAAC;YAC1C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC9D,IAAI,OAAO,EAAE,CAAC;oBACZ,aAAa,GAAG,aAAa,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC3F,CAAC;YACH,CAAC;YAED,OAAO,aAAa,IAAI,QAAQ,CAAC;QACnC,CAAC;QAED,KAAK,CAAC,SAAS,CAAC,KAA4B;YAC1C,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC;gBAC9C,KAAK,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE;gBACrC,OAAO,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE;aAC7B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBACxB,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,GAAG,CAAC,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACvD,CAAC,CAAC,CAAC;QACN,CAAC;QAED,KAAK,CAAC,QAAQ,CAAC,KAAmD;YAChE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;YAEnC,qEAAqE;YACrE,KAAK,MAAM,IAAI,IAAI,KAAK;gBAAE,YAAY,CAAC,IAAI,CAAC,CAAC;YAE7C,+DAA+D;YAC/D,MAAM,MAAM,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;gBACrC,MAAM,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;gBAC3D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO;gBAC/B,MAAM,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC;oBAC/B,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;wBAC9B,SAAS;wBACT,OAAO,EAAE,IAAI,CAAC,OAAO;wBACrB,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,QAAQ,EAAE,GAAG;wBACb,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,IAAI;qBAC5B,CAAC,CAAC;iBACJ,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC"}