@evolith/core-domain 1.0.0 → 1.0.1

package/rulesets/opa/knowledge-intake.rego

@@ -0,0 +1,98 @@
+package evolith.knowledge_intake
+
+violations[{"id": "KI-R01", "message": "Knowledge candidate must declare provenance and permitted retention rights."}] {
+  not input.source.class
+}
+
+violations[{"id": "KI-R01", "message": "Knowledge candidate must declare provenance and permitted retention rights."}] {
+  not input.source.locator
+}
+
+violations[{"id": "KI-R01", "message": "Knowledge candidate must declare provenance and permitted retention rights."}] {
+  not input.source.retrieved_at
+}
+
+violations[{"id": "KI-R01", "message": "Knowledge candidate must declare provenance and permitted retention rights."}] {
+  not input.source.rights_status
+}
+
+violations[{"id": "KI-R02", "message": "Knowledge candidate must be reviewed by @winston and have a next review date."}] {
+  input.review.owner != "@winston"
+}
+
+violations[{"id": "KI-R02", "message": "Knowledge candidate must be reviewed by @winston and have a next review date."}] {
+  not input.review.next_review_at
+}
+
+violations[{"id": "KI-R02", "message": "Knowledge candidate must have a review_freshness date."}] {
+  not input.review.review_freshness
+}
+
+violations[{"id": "KI-R03", "message": "Executable knowledge requires ADR, Native rule, OPA policy, and fixtures."}] {
+  input.promotion.status == "executable"
+  not input.promotion.adr
+}
+
+violations[{"id": "KI-R03", "message": "Executable knowledge requires ADR, Native rule, OPA policy, and fixtures."}] {
+  input.promotion.status == "executable"
+  not input.promotion.native_rule
+}
+
+violations[{"id": "KI-R03", "message": "Executable knowledge requires ADR, Native rule, OPA policy, and fixtures."}] {
+  input.promotion.status == "executable"
+  not input.promotion.opa_policy
+}
+
+violations[{"id": "KI-R03", "message": "Executable knowledge requires ADR, Native rule, OPA policy, and fixtures."}] {
+  input.promotion.status == "executable"
+  count(input.promotion.fixtures) == 0
+}
+
+violations[{"id": "KI-R04", "message": "Knowledge candidate must declare maturity."}] {
+  not input.assessment.maturity
+}
+
+violations[{"id": "KI-R04", "message": "Knowledge candidate must list preconditions."}] {
+  not input.assessment.preconditions
+}
+
+violations[{"id": "KI-R04", "message": "Knowledge candidate must list anti-patterns."}] {
+  not input.assessment.anti_patterns
+}
+
+violations[{"id": "KI-R04", "message": "Knowledge candidate must list alternatives."}] {
+  not input.assessment.alternatives
+}
+
+violations[{"id": "KI-R05", "message": "Knowledge candidate must link to a source registry entry via source_registry_id."}] {
+  input.source_registry_id == null
+}
+
+violations[{"id": "KI-R05", "message": "Knowledge candidate must link to a source registry entry via source_registry_id."}] {
+  not input.source_registry_id
+}
+
+violations[{"id": "KI-R06", "message": "Non-candidate promotion must record promoted_at and promoted_by."}] {
+  input.promotion.status != "candidate"
+  not input.promotion.promoted_at
+}
+
+violations[{"id": "KI-R06", "message": "Non-candidate promotion must record promoted_at and promoted_by."}] {
+  input.promotion.status != "candidate"
+  not input.promotion.promoted_by
+}
+
+violations[{"id": "KI-R07", "message": "Accepted or executable status requires a non-null ADR reference."}] {
+  input.promotion.status == "accepted"
+  input.promotion.adr == null
+}
+
+violations[{"id": "KI-R07", "message": "Accepted or executable status requires a non-null ADR reference."}] {
+  input.promotion.status == "executable"
+  input.promotion.adr == null
+}
+
+violations[{"id": "KI-R07", "message": "Retired status requires a non-null disposition reason."}] {
+  input.promotion.status == "retired"
+  input.promotion.disposition == null
+}

package/rulesets/opa/knowledge-intake.test.rego

@@ -0,0 +1,50 @@
+package evolith.knowledge_intake_test
+
+import data.evolith.knowledge_intake
+
+valid_candidate := {"source_registry_id": "SRC-TEST-001", "source": {"class": "book", "locator": "chapter", "retrieved_at": "2026-06-20", "rights_status": "citation-and-synthesis-only"}, "assessment": {"maturity": "proven", "preconditions": ["domain-modeling"], "anti_patterns": ["anemic"], "alternatives": ["event-sourcing"]}, "review": {"owner": "@winston", "next_review_at": "2026-12-20", "review_freshness": "2026-06-20"}, "promotion": {"status": "candidate", "fixtures": []}}
+
+test_candidate_with_provenance_has_no_violations {
+  violations := knowledge_intake.violations with input as valid_candidate
+  count(violations) == 0
+}
+
+test_missing_rights_is_rejected {
+  candidate := {"source_registry_id": "SRC-TEST-001", "source": {"class": "book", "locator": "chapter", "retrieved_at": "2026-06-20"}, "assessment": {"maturity": "proven", "preconditions": ["domain-modeling"], "anti_patterns": ["anemic"], "alternatives": ["event-sourcing"]}, "review": {"owner": "@winston", "next_review_at": "2026-12-20", "review_freshness": "2026-06-20"}, "promotion": {"status": "candidate", "fixtures": []}}
+  knowledge_intake.violations[_].id == "KI-R01" with input as candidate
+}
+
+test_executable_without_fixtures_is_rejected {
+  candidate := object.union(valid_candidate, {"promotion": {"status": "executable", "adr": "ADR-0100", "native_rule": "KI-R01", "opa_policy": "knowledge-intake.rego", "fixtures": []}})
+  knowledge_intake.violations[_].id == "KI-R03" with input as candidate
+}
+
+test_missing_maturity_is_rejected {
+  candidate := {"source_registry_id": "SRC-TEST-001", "source": {"class": "book", "locator": "chapter", "retrieved_at": "2026-06-20", "rights_status": "citation-and-synthesis-only"}, "assessment": {"preconditions": ["domain-modeling"], "anti_patterns": ["anemic"], "alternatives": ["event-sourcing"]}, "review": {"owner": "@winston", "next_review_at": "2026-12-20", "review_freshness": "2026-06-20"}, "promotion": {"status": "candidate", "fixtures": []}}
+  knowledge_intake.violations[_].id == "KI-R04" with input as candidate
+}
+
+test_missing_source_registry_link_is_rejected {
+  candidate := {"source": {"class": "book", "locator": "chapter", "retrieved_at": "2026-06-20", "rights_status": "citation-and-synthesis-only"}, "assessment": {"maturity": "proven", "preconditions": ["domain-modeling"], "anti_patterns": ["anemic"], "alternatives": ["event-sourcing"]}, "review": {"owner": "@winston", "next_review_at": "2026-12-20", "review_freshness": "2026-06-20"}, "promotion": {"status": "candidate", "fixtures": []}}
+  knowledge_intake.violations[_].id == "KI-R05" with input as candidate
+}
+
+test_missing_review_freshness_is_rejected {
+  candidate := {"source_registry_id": "SRC-TEST-001", "source": {"class": "book", "locator": "chapter", "retrieved_at": "2026-06-20", "rights_status": "citation-and-synthesis-only"}, "assessment": {"maturity": "proven", "preconditions": ["domain-modeling"], "anti_patterns": ["anemic"], "alternatives": ["event-sourcing"]}, "review": {"owner": "@winston", "next_review_at": "2026-12-20"}, "promotion": {"status": "candidate", "fixtures": []}}
+  knowledge_intake.violations[_].id == "KI-R02" with input as candidate
+}
+
+test_accepted_without_adr_is_rejected {
+  candidate := {"source_registry_id": "SRC-TEST-001", "source": {"class": "book", "locator": "chapter", "retrieved_at": "2026-06-20", "rights_status": "citation-and-synthesis-only"}, "assessment": {"maturity": "proven", "preconditions": ["domain-modeling"], "anti_patterns": ["anemic"], "alternatives": ["event-sourcing"]}, "review": {"owner": "@winston", "next_review_at": "2026-12-20", "review_freshness": "2026-06-20"}, "promotion": {"status": "accepted", "promoted_at": "2026-06-21", "promoted_by": "@winston", "adr": null, "fixtures": []}}
+  knowledge_intake.violations[_].id == "KI-R07" with input as candidate
+}
+
+test_retired_without_disposition_is_rejected {
+  candidate := {"source_registry_id": "SRC-TEST-001", "source": {"class": "book", "locator": "chapter", "retrieved_at": "2026-06-20", "rights_status": "citation-and-synthesis-only"}, "assessment": {"maturity": "proven", "preconditions": ["domain-modeling"], "anti_patterns": ["anemic"], "alternatives": ["event-sourcing"]}, "review": {"owner": "@winston", "next_review_at": "2026-12-20", "review_freshness": "2026-06-20"}, "promotion": {"status": "retired", "promoted_at": "2026-06-21", "promoted_by": "@winston", "disposition": null, "fixtures": []}}
+  knowledge_intake.violations[_].id == "KI-R07" with input as candidate
+}
+
+test_evaluated_without_promoted_at_is_rejected {
+  candidate := {"source_registry_id": "SRC-TEST-001", "source": {"class": "book", "locator": "chapter", "retrieved_at": "2026-06-20", "rights_status": "citation-and-synthesis-only"}, "assessment": {"maturity": "proven", "preconditions": ["domain-modeling"], "anti_patterns": ["anemic"], "alternatives": ["event-sourcing"]}, "review": {"owner": "@winston", "next_review_at": "2026-12-20", "review_freshness": "2026-06-20"}, "promotion": {"status": "evaluated", "promoted_by": "@winston", "fixtures": []}}
+  knowledge_intake.violations[_].id == "KI-R06" with input as candidate
+}

package/rulesets/opa/main.rego

@@ -0,0 +1,147 @@
+package evolith.main
+
+import data.evolith.version_pinning.violations as vp_violations
+import data.evolith.taxonomy.violations as taxonomy_violations
+import data.evolith.cli_readiness.violations as cli_violations
+import data.evolith.evidence.violations as evidence_violations
+import data.evolith.mcp.violations as mcp_violations
+import data.evolith.ci_cd.violations as ci_cd_violations
+import data.evolith.governance.violations as gov_violations
+import data.evolith.abac.violations as abac_violations
+import data.evolith.acl.violations as acl_violations
+import data.evolith.cicd_quality_gates.violations as cicd_qg_violations
+import data.evolith.cli_core_parity.violations as cli_cp_violations
+import data.evolith.cli_release_readiness.violations as cli_rr_violations
+import data.evolith.compliance_baseline.violations as cb_violations
+import data.evolith.dod.violations as dod_violations
+import data.evolith.engineering_manifesto.violations as em_violations
+import data.evolith.executive_scorecards.violations as exec_violations
+import data.evolith.gitflow_branching.violations as git_violations
+import data.evolith.hexagonal_architecture.violations as hxa_violations
+import data.evolith.knowledge_intake.violations as ki_violations
+import data.evolith.multi_runtime.violations as runt_violations
+import data.evolith.multi_tenancy.violations as mtn_violations
+import data.evolith.open_core_boundary.violations as ocb_violations
+import data.evolith.protocol_selection.violations as prot_violations
+import data.evolith.repository_taxonomy.violations as repo_tax_violations
+import data.evolith.satellite_contracts.violations as svc_violations
+import data.evolith.testing_pyramid.violations as tpy_violations
+import data.evolith.telemetry_evidence.violations as telemetry_violations
+import data.evolith.infrastructure.helm.violations as helm_violations
+import data.evolith.infrastructure.opa_sidecar.violations as opa_sidecar_violations
+
+violations[v] {
+	v := vp_violations[_]
+}
+
+violations[v] {
+	v := taxonomy_violations[_]
+}
+
+violations[v] {
+	v := cli_violations[_]
+}
+
+violations[v] {
+	v := evidence_violations[_]
+}
+
+violations[v] {
+	v := mcp_violations[_]
+}
+
+violations[v] {
+	v := ci_cd_violations[_]
+}
+
+violations[v] {
+	v := gov_violations[_]
+}
+
+violations[v] {
+	v := abac_violations[_]
+}
+
+violations[v] {
+	v := acl_violations[_]
+}
+
+violations[v] {
+	v := cicd_qg_violations[_]
+}
+
+violations[v] {
+	v := cli_cp_violations[_]
+}
+
+violations[v] {
+	v := cli_rr_violations[_]
+}
+
+violations[v] {
+	v := cb_violations[_]
+}
+
+violations[v] {
+	v := dod_violations[_]
+}
+
+violations[v] {
+	v := em_violations[_]
+}
+
+violations[v] {
+	v := exec_violations[_]
+}
+
+violations[v] {
+	v := git_violations[_]
+}
+
+violations[v] {
+	v := hxa_violations[_]
+}
+
+violations[v] {
+	v := ki_violations[_]
+}
+
+violations[v] {
+	v := runt_violations[_]
+}
+
+violations[v] {
+	v := mtn_violations[_]
+}
+
+violations[v] {
+	v := ocb_violations[_]
+}
+
+violations[v] {
+	v := prot_violations[_]
+}
+
+violations[v] {
+	v := repo_tax_violations[_]
+}
+
+violations[v] {
+	v := svc_violations[_]
+}
+
+violations[v] {
+	v := tpy_violations[_]
+}
+
+violations[v] {
+	v := telemetry_violations[_]
+}
+
+violations[v] {
+	v := helm_violations[_]
+}
+
+violations[v] {
+	v := opa_sidecar_violations[_]
+}

package/rulesets/opa/main_test.rego

@@ -0,0 +1,149 @@
+package evolith.main_test
+
+import data.evolith.main
+
+test_empty_violations {
+	violations := main.violations with data.evolith.version_pinning.violations as {}
+		with data.evolith.taxonomy.violations as {}
+		with data.evolith.cli_readiness.violations as {}
+		with data.evolith.evidence.violations as {}
+		with data.evolith.mcp.violations as {}
+		with data.evolith.ci_cd.violations as {}
+		with data.evolith.governance.violations as {}
+		with data.evolith.abac.violations as {}
+		with data.evolith.acl.violations as {}
+		with data.evolith.cicd_quality_gates.violations as {}
+		with data.evolith.cli_core_parity.violations as {}
+		with data.evolith.cli_release_readiness.violations as {}
+		with data.evolith.compliance_baseline.violations as {}
+		with data.evolith.dod.violations as {}
+		with data.evolith.engineering_manifesto.violations as {}
+		with data.evolith.executive_scorecards.violations as {}
+		with data.evolith.gitflow_branching.violations as {}
+		with data.evolith.hexagonal_architecture.violations as {}
+		with data.evolith.knowledge_intake.violations as {}
+		with data.evolith.multi_runtime.violations as {}
+		with data.evolith.multi_tenancy.violations as {}
+		with data.evolith.open_core_boundary.violations as {}
+		with data.evolith.protocol_selection.violations as {}
+		with data.evolith.repository_taxonomy.violations as {}
+		with data.evolith.satellite_contracts.violations as {}
+		with data.evolith.testing_pyramid.violations as {}
+
+	count(violations) == 0
+}
+
+test_single_source_violations {
+	violations := main.violations with data.evolith.version_pinning.violations as {{"id": "DEP-01", "message": "fail"}}
+		with data.evolith.taxonomy.violations as {}
+		with data.evolith.cli_readiness.violations as {}
+		with data.evolith.evidence.violations as {}
+		with data.evolith.mcp.violations as {}
+		with data.evolith.ci_cd.violations as {}
+		with data.evolith.governance.violations as {}
+		with data.evolith.abac.violations as {}
+		with data.evolith.acl.violations as {}
+		with data.evolith.cicd_quality_gates.violations as {}
+		with data.evolith.cli_core_parity.violations as {}
+		with data.evolith.cli_release_readiness.violations as {}
+		with data.evolith.compliance_baseline.violations as {}
+		with data.evolith.dod.violations as {}
+		with data.evolith.engineering_manifesto.violations as {}
+		with data.evolith.executive_scorecards.violations as {}
+		with data.evolith.gitflow_branching.violations as {}
+		with data.evolith.hexagonal_architecture.violations as {}
+		with data.evolith.knowledge_intake.violations as {}
+		with data.evolith.multi_runtime.violations as {}
+		with data.evolith.multi_tenancy.violations as {}
+		with data.evolith.open_core_boundary.violations as {}
+		with data.evolith.protocol_selection.violations as {}
+		with data.evolith.repository_taxonomy.violations as {}
+		with data.evolith.satellite_contracts.violations as {}
+		with data.evolith.testing_pyramid.violations as {}
+
+	count(violations) == 1
+	violations[_].id == "DEP-01"
+}
+
+test_multi_source_violations {
+	violations := main.violations with data.evolith.version_pinning.violations as {{"id": "DEP-01", "message": "fail1"}}
+		with data.evolith.taxonomy.violations as {}
+		with data.evolith.cli_readiness.violations as {}
+		with data.evolith.evidence.violations as {}
+		with data.evolith.mcp.violations as {}
+		with data.evolith.ci_cd.violations as {{"id": "DEP-04", "message": "fail2"}}
+		with data.evolith.governance.violations as {}
+		with data.evolith.abac.violations as {}
+		with data.evolith.acl.violations as {}
+		with data.evolith.cicd_quality_gates.violations as {}
+		with data.evolith.cli_core_parity.violations as {}
+		with data.evolith.cli_release_readiness.violations as {}
+		with data.evolith.compliance_baseline.violations as {}
+		with data.evolith.dod.violations as {}
+		with data.evolith.engineering_manifesto.violations as {}
+		with data.evolith.executive_scorecards.violations as {}
+		with data.evolith.gitflow_branching.violations as {}
+		with data.evolith.hexagonal_architecture.violations as {}
+		with data.evolith.knowledge_intake.violations as {}
+		with data.evolith.multi_runtime.violations as {}
+		with data.evolith.multi_tenancy.violations as {}
+		with data.evolith.open_core_boundary.violations as {}
+		with data.evolith.protocol_selection.violations as {}
+		with data.evolith.repository_taxonomy.violations as {}
+		with data.evolith.satellite_contracts.violations as {}
+		with data.evolith.testing_pyramid.violations as {}
+
+	count(violations) == 2
+	violations[_].id == "DEP-01"
+	violations[_].id == "DEP-04"
+}
+
+test_new_policy_violations {
+	violations := main.violations with data.evolith.version_pinning.violations as {}
+		with data.evolith.taxonomy.violations as {}
+		with data.evolith.cli_readiness.violations as {}
+		with data.evolith.evidence.violations as {}
+		with data.evolith.mcp.violations as {}
+		with data.evolith.ci_cd.violations as {}
+		with data.evolith.governance.violations as {}
+		with data.evolith.abac.violations as {{"id": "ABAC-01", "message": "abac fail"}}
+		with data.evolith.acl.violations as {{"id": "ACL-01", "message": "acl fail"}}
+		with data.evolith.cicd_quality_gates.violations as {{"id": "CICD-01", "message": "cicd fail"}}
+		with data.evolith.cli_core_parity.violations as {{"id": "CLI-PAR-01", "message": "parity fail"}}
+		with data.evolith.cli_release_readiness.violations as {{"id": "CLI-RR-01", "message": "release fail"}}
+		with data.evolith.compliance_baseline.violations as {{"id": "CB-VAL-01", "message": "compliance fail"}}
+		with data.evolith.dod.violations as {{"id": "DOD-01", "message": "dod fail"}}
+		with data.evolith.engineering_manifesto.violations as {{"id": "EM-S-01", "message": "manifesto fail"}}
+		with data.evolith.executive_scorecards.violations as {{"id": "DORA-01", "message": "dora fail"}}
+		with data.evolith.gitflow_branching.violations as {{"id": "GIT-01", "message": "gitflow fail"}}
+		with data.evolith.hexagonal_architecture.violations as {{"id": "HXA-01", "message": "hexagonal fail"}}
+		with data.evolith.knowledge_intake.violations as {{"id": "KI-R01", "message": "ki fail"}}
+		with data.evolith.multi_runtime.violations as {{"id": "RUNT-01", "message": "runtime fail"}}
+		with data.evolith.multi_tenancy.violations as {{"id": "MTN-01", "message": "tenancy fail"}}
+		with data.evolith.open_core_boundary.violations as {{"id": "OCB-01", "message": "ocb fail"}}
+		with data.evolith.protocol_selection.violations as {{"id": "PROT-01", "message": "protocol fail"}}
+		with data.evolith.repository_taxonomy.violations as {{"id": "TAX-05", "message": "taxonomy fail"}}
+		with data.evolith.satellite_contracts.violations as {{"id": "SVC-01", "message": "satellite fail"}}
+		with data.evolith.testing_pyramid.violations as {{"id": "TPY-01", "message": "testing fail"}}
+
+	count(violations) == 19
+	violations[_].id == "ABAC-01"
+	violations[_].id == "ACL-01"
+	violations[_].id == "CICD-01"
+	violations[_].id == "CLI-PAR-01"
+	violations[_].id == "CLI-RR-01"
+	violations[_].id == "CB-VAL-01"
+	violations[_].id == "DOD-01"
+	violations[_].id == "EM-S-01"
+	violations[_].id == "DORA-01"
+	violations[_].id == "GIT-01"
+	violations[_].id == "HXA-01"
+	violations[_].id == "KI-R01"
+	violations[_].id == "RUNT-01"
+	violations[_].id == "MTN-01"
+	violations[_].id == "OCB-01"
+	violations[_].id == "PROT-01"
+	violations[_].id == "TAX-05"
+	violations[_].id == "SVC-01"
+	violations[_].id == "TPY-01"
+}

package/rulesets/opa/mcp.rego

@@ -0,0 +1,61 @@
+package evolith.mcp
+
+smoke_keys := [k | input.core.evidence[k]; contains(k, "mcp")]
+
+violations[{"id": "MCP-01", "message": "Run .harness/scripts/mcp-smoke.mjs to generate evidence"}] {
+    count(smoke_keys) == 0
+}
+
+violations[{"id": "MCP-02", "message": "Run .harness/scripts/mcp-smoke.mjs to generate evidence"}] {
+    count(smoke_keys) == 0
+}
+
+violations[{"id": "MCP-03", "message": "Run .harness/scripts/mcp-smoke.mjs to generate evidence"}] {
+    count(smoke_keys) == 0
+}
+
+violations[{"id": "MCP-01", "message": "Evidence missing results field"}] {
+    count(smoke_keys) > 0
+    smoke := input.core.evidence[smoke_keys[0]]
+    not smoke.results
+}
+
+violations[{"id": "MCP-01", "message": "initialize response missing from evidence"}] {
+    count(smoke_keys) > 0
+    smoke := input.core.evidence[smoke_keys[0]]
+    smoke.results
+    not smoke.results["initialize"]
+}
+
+violations[{"id": "MCP-02", "message": "tools/list response missing from evidence"}] {
+    count(smoke_keys) > 0
+    smoke := input.core.evidence[smoke_keys[0]]
+    smoke.results
+    not smoke.results["tools/list"]
+}
+
+violations[{"id": "MCP-03", "message": "resources/list response missing from evidence"}] {
+    count(smoke_keys) > 0
+    smoke := input.core.evidence[smoke_keys[0]]
+    smoke.results
+    not smoke.results["resources/list"]
+}
+
+violations[{"id": "MCP-04", "message": "MCP server.ts not found"}] {
+    not input.core.cli.mcpServerSource
+}
+
+violations[{"id": "MCP-04", "message": "MCP transport config missing apiKey or local-only restriction"}] {
+    src := input.core.cli.mcpServerSource
+    not contains(src, "apiKey")
+    not contains(src, "local-only")
+    not contains(src, "localhost")
+}
+
+violations[{"id": "MCP-05", "message": "MCP tool calls SHOULD emit latency, success, failure, and error class metrics — no metrics instrumentation detected in MCP server source"}] {
+    src := input.core.cli.mcpServerSource
+    not contains(src, "latency")
+    not contains(src, "metrics")
+    not contains(src, "histogram")
+    not contains(src, "counter")
+}

package/rulesets/opa/mcp.test.rego

@@ -0,0 +1,27 @@
+package evolith.mcp_test
+
+import data.evolith.mcp
+
+test_complete_mcp_has_no_violations {
+  input := {"core": {"cli": {"mcpServerSource": "apiKey localhost"}, "evidence": {"mcp-smoke.json": {"results": {"initialize": {}, "tools/list": {}, "resources/list": {}}, "status": "passed"}}}}
+  violations := mcp.violations with input as input
+  count(violations) == 0
+}
+
+test_missing_mcp_evidence_is_rejected {
+  input := {"core": {"cli": {"mcpServerSource": ""}, "evidence": {}}}
+  violations := mcp.violations with input as input
+  violations[_].id == "MCP-01"
+}
+
+test_missing_server_source_is_rejected {
+  input := {"core": {"cli": {"mcpServerSource": ""}, "evidence": {"mcp-smoke.json": {"results": {"initialize": {}, "tools/list": {}, "resources/list": {}}, "status": "passed"}}}}
+  violations := mcp.violations with input as input
+  violations[_].id == "MCP-04"
+}
+
+test_missing_resources_list_is_rejected {
+  input := {"core": {"cli": {"mcpServerSource": "apiKey"}, "evidence": {"mcp-smoke.json": {"results": {"initialize": {}, "tools/list": {}}, "status": "passed"}}}}
+  violations := mcp.violations with input as input
+  violations[_].id == "MCP-03"
+}

package/rulesets/opa/multi-runtime.rego

@@ -0,0 +1,33 @@
+package evolith.multi_runtime
+
+violations[{"id": "RUNT-01", "message": "Runtime selection not documented or justified by workload profile"}] {
+    not input.satellite.runtime.selectionDocumented
+}
+
+violations[{"id": "RUNT-02", "message": "Web APIs/BFF not using Node.js/TypeScript — required for I/O-bound workloads"}] {
+    input.satellite.runtime.webApisNotNodeJs
+}
+
+violations[{"id": "RUNT-03", "message": "High compute/batch workloads not using .NET (C#) — required for compute-bound workloads"}] {
+    input.satellite.runtime.highComputeNotDotNet
+}
+
+violations[{"id": "RUNT-05", "message": "Direct runtime dependency detected — cross-runtime calls must go through protocol boundaries"}] {
+    input.satellite.runtime.hasDirectRuntimeDependency
+}
+
+violations[{"id": "RUNT-06", "message": "Synchronous inter-runtime communication not using gRPC"}] {
+    input.satellite.runtime.syncInteropNotGrpc
+}
+
+violations[{"id": "RUNT-04", "message": "Mobile workloads with hardware access (camera, GPS, sensors) must use Android/Kotlin — not cross-platform web wrappers"}] {
+    input.satellite.runtime.mobileHardwareNotKotlin
+}
+
+violations[{"id": "RUNT-07", "message": "Asynchronous inter-runtime communication must use a message broker (Kafka, RabbitMQ, NATS) — direct async calls between runtimes are prohibited"}] {
+    input.satellite.runtime.asyncInteropNotMessageBroker
+}
+
+violations[{"id": "RUNT-08", "message": "Inter-runtime contracts not centrally stored and versioned"}] {
+    not input.satellite.runtime.contractsCentralized
+}

package/rulesets/opa/multi-runtime.test.rego

@@ -0,0 +1,53 @@
+package evolith.multi_runtime_test
+
+import data.evolith.multi_runtime
+
+compliant_input := {"satellite": {"runtime": {
+  "selectionDocumented": true,
+  "webApisNotNodeJs": false,
+  "highComputeNotDotNet": false,
+  "hasDirectRuntimeDependency": false,
+  "syncInteropNotGrpc": false,
+  "contractsCentralized": true,
+}}}
+
+test_compliant_multi_runtime_has_no_violations {
+  violations := multi_runtime.violations with input as compliant_input
+  count(violations) == 0
+}
+
+test_runtime_selection_not_documented_is_rejected {
+  i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/runtime/selectionDocumented", "value": false}])
+  violations := multi_runtime.violations with input as i
+  violations[_].id == "RUNT-01"
+}
+
+test_web_apis_not_nodejs_is_rejected {
+  i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/runtime/webApisNotNodeJs", "value": true}])
+  violations := multi_runtime.violations with input as i
+  violations[_].id == "RUNT-02"
+}
+
+test_high_compute_not_dotnet_is_rejected {
+  i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/runtime/highComputeNotDotNet", "value": true}])
+  violations := multi_runtime.violations with input as i
+  violations[_].id == "RUNT-03"
+}
+
+test_direct_runtime_dependency_is_rejected {
+  i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/runtime/hasDirectRuntimeDependency", "value": true}])
+  violations := multi_runtime.violations with input as i
+  violations[_].id == "RUNT-05"
+}
+
+test_sync_interop_not_grpc_is_rejected {
+  i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/runtime/syncInteropNotGrpc", "value": true}])
+  violations := multi_runtime.violations with input as i
+  violations[_].id == "RUNT-06"
+}
+
+test_contracts_not_centralized_is_rejected {
+  i := json.patch(compliant_input, [{"op": "replace", "path": "/satellite/runtime/contractsCentralized", "value": false}])
+  violations := multi_runtime.violations with input as i
+  violations[_].id == "RUNT-08"
+}

package/rulesets/opa/multi-tenancy.rego

@@ -0,0 +1,33 @@
+package evolith.multi_tenancy
+
+violations[{"id": "MTN-01", "message": "Application-layer tenant filtering not applied — all queries must include tenant_id filter"}] {
+    not input.satellite.multiTenancy.applicationFiltering
+}
+
+violations[{"id": "MTN-02", "message": "Database-native tenant enforcement (RLS) not enabled as secondary failsafe"}] {
+    not input.satellite.multiTenancy.databaseEnforcement
+}
+
+violations[{"id": "MTN-03", "message": "Tenant context not propagated through all layers"}] {
+    not input.satellite.multiTenancy.tenantContextPropagation
+}
+
+violations[{"id": "MTN-04", "message": "Cross-tenant data access detected — strictly prohibited"}] {
+    input.satellite.multiTenancy.crossTenantAccess
+}
+
+violations[{"id": "MTN-05", "message": "Multi-tenant schema strategy not defined in evolith.yaml"}] {
+    not input.satellite.multiTenancy.schemaStrategyDefined
+}
+
+violations[{"id": "MTN-06", "message": "Tenant-scoped audit trail not maintained — all tenant data mutations must be logged with tenant context and actor"}] {
+    not input.satellite.multiTenancy.tenantAuditTrailEnabled
+}
+
+violations[{"id": "MTN-07", "message": "Tenant migration path not defined — schema changes affecting tenant isolation must have a documented migration path"}] {
+    not input.satellite.multiTenancy.tenantMigrationPathDefined
+}
+
+violations[{"id": "MTN-08", "message": "External APIs do not validate tenant context on every request"}] {
+    not input.satellite.multiTenancy.apiTenantValidation
+}