@google/gemini-cli-core 0.30.0-preview.5 → 0.31.0-preview.0

package/dist/src/policy/config.d.ts

@@ -1,33 +1,42 @@
 /**
  * @license
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
+import { Storage } from '../config/storage.js';
 import { type PolicyEngineConfig, type ApprovalMode, type PolicySettings } from './types.js';
 import type { PolicyEngine } from './policy-engine.js';
 import { type PolicyFileError } from './toml-loader.js';
 import { type MessageBus } from '../confirmation-bus/message-bus.js';
 export declare const DEFAULT_CORE_POLICIES_DIR: string;
 export declare const DEFAULT_POLICY_TIER = 1;
-export declare const USER_POLICY_TIER = 2;
-export declare const ADMIN_POLICY_TIER = 3;
+export declare const WORKSPACE_POLICY_TIER = 2;
+export declare const USER_POLICY_TIER = 3;
+export declare const ADMIN_POLICY_TIER = 4;
+export declare const ALWAYS_ALLOW_PRIORITY: number;
+export declare const MCP_EXCLUDED_PRIORITY: number;
+export declare const EXCLUDE_TOOLS_FLAG_PRIORITY: number;
+export declare const ALLOWED_TOOLS_FLAG_PRIORITY: number;
+export declare const TRUSTED_MCP_SERVER_PRIORITY: number;
+export declare const ALLOWED_MCP_SERVER_PRIORITY: number;
 /**
- * Gets the list of directories to search for policy files, in order of decreasing priority
- * (Admin -> User -> Default).
+ * Gets the list of directories to search for policy files, in order of increasing priority
+ * (Default -> User -> Project -> Admin).
  *
  * @param defaultPoliciesDir Optional path to a directory containing default policies.
  * @param policyPaths Optional user-provided policy paths (from --policy flag).
  *   When provided, these replace the default user policies directory.
+ * @param workspacePoliciesDir Optional path to a directory containing workspace policies.
  */
-export declare function getPolicyDirectories(defaultPoliciesDir?: string, policyPaths?: string[]): string[];
+export declare function getPolicyDirectories(defaultPoliciesDir?: string, policyPaths?: string[], workspacePoliciesDir?: string): string[];
 /**
- * Determines the policy tier (1=default, 2=user, 3=admin) for a given directory.
+ * Determines the policy tier (1=default, 2=user, 3=workspace, 4=admin) for a given directory.
  * This is used by the TOML loader to assign priority bands.
  */
-export declare function getPolicyTier(dir: string, defaultPoliciesDir?: string): number;
+export declare function getPolicyTier(dir: string, defaultPoliciesDir?: string, workspacePoliciesDir?: string): number;
 /**
  * Formats a policy file error for console logging.
  */
 export declare function formatPolicyError(error: PolicyFileError): string;
 export declare function createPolicyEngineConfig(settings: PolicySettings, approvalMode: ApprovalMode, defaultPoliciesDir?: string): Promise<PolicyEngineConfig>;
-export declare function createPolicyUpdater(policyEngine: PolicyEngine, messageBus: MessageBus): void;
+export declare function createPolicyUpdater(policyEngine: PolicyEngine, messageBus: MessageBus, storage: Storage): void;

package/dist/src/policy/config.js

@@ -1,6 +1,6 @@
 /**
  * @license
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
 import * as fs from 'node:fs/promises';
@@ -18,43 +18,60 @@ import { coreEvents } from '../utils/events.js';
 import { debugLogger } from '../utils/debugLogger.js';
 import { SHELL_TOOL_NAMES } from '../utils/shell-utils.js';
 import { SHELL_TOOL_NAME } from '../tools/tool-names.js';
+import { isNodeError } from '../utils/errors.js';
 import { isDirectorySecure } from '../utils/security.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 export const DEFAULT_CORE_POLICIES_DIR = path.join(__dirname, 'policies');
 // Policy tier constants for priority calculation
 export const DEFAULT_POLICY_TIER = 1;
-export const USER_POLICY_TIER = 2;
-export const ADMIN_POLICY_TIER = 3;
+export const WORKSPACE_POLICY_TIER = 2;
+export const USER_POLICY_TIER = 3;
+export const ADMIN_POLICY_TIER = 4;
+// Specific priority offsets and derived priorities for dynamic/settings rules.
+// These are added to the tier base (e.g., USER_POLICY_TIER).
+// Workspace tier (2) + high priority (950/1000) = ALWAYS_ALLOW_PRIORITY
+// This ensures user "always allow" selections are high priority
+// within the workspace tier but still lose to user/admin policies.
+export const ALWAYS_ALLOW_PRIORITY = WORKSPACE_POLICY_TIER + 0.95;
+export const MCP_EXCLUDED_PRIORITY = USER_POLICY_TIER + 0.9;
+export const EXCLUDE_TOOLS_FLAG_PRIORITY = USER_POLICY_TIER + 0.4;
+export const ALLOWED_TOOLS_FLAG_PRIORITY = USER_POLICY_TIER + 0.3;
+export const TRUSTED_MCP_SERVER_PRIORITY = USER_POLICY_TIER + 0.2;
+export const ALLOWED_MCP_SERVER_PRIORITY = USER_POLICY_TIER + 0.1;
 /**
- * Gets the list of directories to search for policy files, in order of decreasing priority
- * (Admin -> User -> Default).
+ * Gets the list of directories to search for policy files, in order of increasing priority
+ * (Default -> User -> Project -> Admin).
  *
  * @param defaultPoliciesDir Optional path to a directory containing default policies.
  * @param policyPaths Optional user-provided policy paths (from --policy flag).
  *   When provided, these replace the default user policies directory.
+ * @param workspacePoliciesDir Optional path to a directory containing workspace policies.
  */
-export function getPolicyDirectories(defaultPoliciesDir, policyPaths) {
+export function getPolicyDirectories(defaultPoliciesDir, policyPaths, workspacePoliciesDir) {
     const dirs = [];
-    // Default tier (lowest priority)
-    dirs.push(defaultPoliciesDir ?? DEFAULT_CORE_POLICIES_DIR);
-    // User tier (middle priority)
+    // Admin tier (highest priority)
+    dirs.push(Storage.getSystemPoliciesDir());
+    // User tier (second highest priority)
     if (policyPaths && policyPaths.length > 0) {
         dirs.push(...policyPaths);
     }
     else {
         dirs.push(Storage.getUserPoliciesDir());
     }
-    // Admin tier (highest priority)
-    dirs.push(Storage.getSystemPoliciesDir());
-    // Reverse so highest priority (Admin) is first
-    return dirs.reverse();
+    // Workspace Tier (third highest)
+    if (workspacePoliciesDir) {
+        dirs.push(workspacePoliciesDir);
+    }
+    // Default tier (lowest priority)
+    dirs.push(defaultPoliciesDir ?? DEFAULT_CORE_POLICIES_DIR);
+    return dirs;
 }
 /**
- * Determines the policy tier (1=default, 2=user, 3=admin) for a given directory.
+ * Determines the policy tier (1=default, 2=user, 3=workspace, 4=admin) for a given directory.
  * This is used by the TOML loader to assign priority bands.
  */
-export function getPolicyTier(dir, defaultPoliciesDir) {
+export function getPolicyTier(dir, defaultPoliciesDir, workspacePoliciesDir) {
     const USER_POLICIES_DIR = Storage.getUserPoliciesDir();
     const ADMIN_POLICIES_DIR = Storage.getSystemPoliciesDir();
     const normalizedDir = path.resolve(dir);
@@ -70,6 +87,10 @@ export function getPolicyTier(dir, defaultPoliciesDir) {
     if (normalizedDir === normalizedUser) {
         return USER_POLICY_TIER;
     }
+    if (workspacePoliciesDir &&
+        normalizedDir === path.resolve(workspacePoliciesDir)) {
+        return WORKSPACE_POLICY_TIER;
+    }
     if (normalizedDir === normalizedAdmin) {
         return ADMIN_POLICY_TIER;
     }
@@ -111,12 +132,12 @@ async function filterSecurePolicyDirectories(dirs) {
     return results.filter((dir) => dir !== null);
 }
 export async function createPolicyEngineConfig(settings, approvalMode, defaultPoliciesDir) {
-    const policyDirs = getPolicyDirectories(defaultPoliciesDir, settings.policyPaths);
+    const policyDirs = getPolicyDirectories(defaultPoliciesDir, settings.policyPaths, settings.workspacePoliciesDir);
     const securePolicyDirs = await filterSecurePolicyDirectories(policyDirs);
     const normalizedAdminPoliciesDir = path.resolve(Storage.getSystemPoliciesDir());
     // Load policies from TOML files
     const { rules: tomlRules, checkers: tomlCheckers, errors, } = await loadPoliciesFromToml(securePolicyDirs, (p) => {
-        const tier = getPolicyTier(p, defaultPoliciesDir);
+        const tier = getPolicyTier(p, defaultPoliciesDir, settings.workspacePoliciesDir);
         // If it's a user-provided path that isn't already categorized as ADMIN,
         // treat it as USER tier.
         if (settings.policyPaths?.some((userPath) => path.resolve(userPath) === path.resolve(p))) {
@@ -143,19 +164,21 @@ export async function createPolicyEngineConfig(settings, approvalMode, defaultPo
     //
     // Priority bands (tiers):
     // - Default policies (TOML): 1 + priority/1000 (e.g., priority 100 → 1.100)
-    // - User policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
-    // - Admin policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
+    // - Workspace policies (TOML): 2 + priority/1000 (e.g., priority 100 → 2.100)
+    // - User policies (TOML): 3 + priority/1000 (e.g., priority 100 → 3.100)
+    // - Admin policies (TOML): 4 + priority/1000 (e.g., priority 100 → 4.100)
     //
-    // This ensures Admin > User > Default hierarchy is always preserved,
+    // This ensures Admin > User > Workspace > Default hierarchy is always preserved,
     // while allowing user-specified priorities to work within each tier.
     //
-    // Settings-based and dynamic rules (all in user tier 2.x):
-    //   2.95: Tools that the user has selected as "Always Allow" in the interactive UI
-    //   2.9:  MCP servers excluded list (security: persistent server blocks)
-    //   2.4:  Command line flag --exclude-tools (explicit temporary blocks)
-    //   2.3:  Command line flag --allowed-tools (explicit temporary allows)
-    //   2.2:  MCP servers with trust=true (persistent trusted servers)
-    //   2.1:  MCP servers allowed list (persistent general server allows)
+    // Settings-based and dynamic rules (mixed tiers):
+    //   MCP_EXCLUDED_PRIORITY:        MCP servers excluded list (security: persistent server blocks)
+    //   EXCLUDE_TOOLS_FLAG_PRIORITY:  Command line flag --exclude-tools (explicit temporary blocks)
+    //   ALLOWED_TOOLS_FLAG_PRIORITY:  Command line flag --allowed-tools (explicit temporary allows)
+    //   TRUSTED_MCP_SERVER_PRIORITY:  MCP servers with trust=true (persistent trusted servers)
+    //   ALLOWED_MCP_SERVER_PRIORITY:  MCP servers allowed list (persistent general server allows)
+    //   ALWAYS_ALLOW_PRIORITY:        Tools that the user has selected as "Always Allow" in the interactive UI
+    //                                 (Workspace tier 2.x - scoped to the project)
     //
     // TOML policy priorities (before transformation):
     //   10: Write tools default to ASK_USER (becomes 1.010 in default tier)
@@ -165,31 +188,31 @@ export async function createPolicyEngineConfig(settings, approvalMode, defaultPo
     //   70: Plan mode explicit ALLOW override (becomes 1.070 in default tier)
     //   999: YOLO mode allow-all (becomes 1.999 in default tier)
     // MCP servers that are explicitly excluded in settings.mcp.excluded
-    // Priority: 2.9 (highest in user tier for security - persistent server blocks)
+    // Priority: MCP_EXCLUDED_PRIORITY (highest in user tier for security - persistent server blocks)
     if (settings.mcp?.excluded) {
         for (const serverName of settings.mcp.excluded) {
             rules.push({
                 toolName: `${serverName}__*`,
                 decision: PolicyDecision.DENY,
-                priority: 2.9,
+                priority: MCP_EXCLUDED_PRIORITY,
                 source: 'Settings (MCP Excluded)',
             });
         }
     }
     // Tools that are explicitly excluded in the settings.
-    // Priority: 2.4 (user tier - explicit temporary blocks)
+    // Priority: EXCLUDE_TOOLS_FLAG_PRIORITY (user tier - explicit temporary blocks)
     if (settings.tools?.exclude) {
         for (const tool of settings.tools.exclude) {
             rules.push({
                 toolName: tool,
                 decision: PolicyDecision.DENY,
-                priority: 2.4,
+                priority: EXCLUDE_TOOLS_FLAG_PRIORITY,
                 source: 'Settings (Tools Excluded)',
             });
         }
     }
     // Tools that are explicitly allowed in the settings.
-    // Priority: 2.3 (user tier - explicit temporary allows)
+    // Priority: ALLOWED_TOOLS_FLAG_PRIORITY (user tier - explicit temporary allows)
     if (settings.tools?.allowed) {
         for (const tool of settings.tools.allowed) {
             // Check for legacy format: toolName(args)
@@ -208,7 +231,7 @@ export async function createPolicyEngineConfig(settings, approvalMode, defaultPo
                             rules.push({
                                 toolName,
                                 decision: PolicyDecision.ALLOW,
-                                priority: 2.3,
+                                priority: ALLOWED_TOOLS_FLAG_PRIORITY,
                                 argsPattern: new RegExp(pattern),
                                 source: 'Settings (Tools Allowed)',
                             });
@@ -221,7 +244,7 @@ export async function createPolicyEngineConfig(settings, approvalMode, defaultPo
                     rules.push({
                         toolName,
                         decision: PolicyDecision.ALLOW,
-                        priority: 2.3,
+                        priority: ALLOWED_TOOLS_FLAG_PRIORITY,
                         source: 'Settings (Tools Allowed)',
                     });
                 }
@@ -234,14 +257,14 @@ export async function createPolicyEngineConfig(settings, approvalMode, defaultPo
                 rules.push({
                     toolName,
                     decision: PolicyDecision.ALLOW,
-                    priority: 2.3,
+                    priority: ALLOWED_TOOLS_FLAG_PRIORITY,
                     source: 'Settings (Tools Allowed)',
                 });
             }
         }
     }
     // MCP servers that are trusted in the settings.
-    // Priority: 2.2 (user tier - persistent trusted servers)
+    // Priority: TRUSTED_MCP_SERVER_PRIORITY (user tier - persistent trusted servers)
     if (settings.mcpServers) {
         for (const [serverName, serverConfig] of Object.entries(settings.mcpServers)) {
             if (serverConfig.trust) {
@@ -250,20 +273,20 @@ export async function createPolicyEngineConfig(settings, approvalMode, defaultPo
                 rules.push({
                     toolName: `${serverName}__*`,
                     decision: PolicyDecision.ALLOW,
-                    priority: 2.2,
+                    priority: TRUSTED_MCP_SERVER_PRIORITY,
                     source: 'Settings (MCP Trusted)',
                 });
             }
         }
     }
     // MCP servers that are explicitly allowed in settings.mcp.allowed
-    // Priority: 2.1 (user tier - persistent general server allows)
+    // Priority: ALLOWED_MCP_SERVER_PRIORITY (user tier - persistent general server allows)
     if (settings.mcp?.allowed) {
         for (const serverName of settings.mcp.allowed) {
             rules.push({
                 toolName: `${serverName}__*`,
                 decision: PolicyDecision.ALLOW,
-                priority: 2.1,
+                priority: ALLOWED_MCP_SERVER_PRIORITY,
                 source: 'Settings (MCP Allowed)',
             });
         }
@@ -275,7 +298,7 @@ export async function createPolicyEngineConfig(settings, approvalMode, defaultPo
         approvalMode,
     };
 }
-export function createPolicyUpdater(policyEngine, messageBus) {
+export function createPolicyUpdater(policyEngine, messageBus, storage) {
     // Use a sequential queue for persistence to avoid lost updates from concurrent events.
     let persistenceQueue = Promise.resolve();
     messageBus.subscribe(MessageBusType.UPDATE_POLICY, async (message) => {
@@ -290,10 +313,7 @@ export function createPolicyUpdater(policyEngine, messageBus) {
                     policyEngine.addRule({
                         toolName,
                         decision: PolicyDecision.ALLOW,
-                        // User tier (2) + high priority (950/1000) = 2.95
-                        // This ensures user "always allow" selections are high priority
-                        // but still lose to admin policies (3.xxx) and settings excludes (200)
-                        priority: 2.95,
+                        priority: ALWAYS_ALLOW_PRIORITY,
                         argsPattern: new RegExp(pattern),
                         source: 'Dynamic (Confirmed)',
                     });
@@ -311,10 +331,7 @@ export function createPolicyUpdater(policyEngine, messageBus) {
             policyEngine.addRule({
                 toolName,
                 decision: PolicyDecision.ALLOW,
-                // User tier (2) + high priority (950/1000) = 2.95
-                // This ensures user "always allow" selections are high priority
-                // but still lose to admin policies (3.xxx) and settings excludes (200)
-                priority: 2.95,
+                priority: ALWAYS_ALLOW_PRIORITY,
                 argsPattern,
                 source: 'Dynamic (Confirmed)',
             });
@@ -322,18 +339,22 @@ export function createPolicyUpdater(policyEngine, messageBus) {
         if (message.persist) {
             persistenceQueue = persistenceQueue.then(async () => {
                 try {
-                    const userPoliciesDir = Storage.getUserPoliciesDir();
-                    await fs.mkdir(userPoliciesDir, { recursive: true });
-                    const policyFile = path.join(userPoliciesDir, 'auto-saved.toml');
+                    const workspacePoliciesDir = storage.getWorkspacePoliciesDir();
+                    await fs.mkdir(workspacePoliciesDir, { recursive: true });
+                    const policyFile = storage.getAutoSavedPolicyPath();
                     // Read existing file
                     let existingData = {};
                     try {
                         const fileContent = await fs.readFile(policyFile, 'utf-8');
-                        existingData = toml.parse(fileContent);
+                        const parsed = toml.parse(fileContent);
+                        if (typeof parsed === 'object' &&
+                            parsed !== null &&
+                            (!('rule' in parsed) || Array.isArray(parsed['rule']))) {
+                            existingData = parsed;
+                        }
                     }
                     catch (error) {
-                        // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
-                        if (error.code !== 'ENOENT') {
+                        if (!isNodeError(error) || error.code !== 'ENOENT') {
                             debugLogger.warn(`Failed to parse ${policyFile}, overwriting with new policy.`, error);
                         }
                     }

package/dist/src/policy/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/policy/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAC/C,OAAO,EAEL,cAAc,GAIf,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,oBAAoB,EAAwB,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC7D,OAAO,IAAI,MAAM,aAAa,CAAC;AAC/B,OAAO,EACL,cAAc,GAEf,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAmB,MAAM,oCAAoC,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAEzD,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;AAC3C,MAAM,CAAC,MAAM,yBAAyB,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;AAE1E,iDAAiD;AACjD,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC;AACrC,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAClC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAEnC;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAClC,kBAA2B,EAC3B,WAAsB;IAEtB,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,iCAAiC;IACjC,IAAI,CAAC,IAAI,CAAC,kBAAkB,IAAI,yBAAyB,CAAC,CAAC;IAE3D,8BAA8B;IAC9B,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;IAC5B,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,gCAAgC;IAChC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC,CAAC;IAE1C,+CAA+C;IAC/C,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,GAAW,EACX,kBAA2B;IAE3B,MAAM,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IACvD,MAAM,kBAAkB,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAE1D,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACvD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAEzD,IACE,kBAAkB;QAClB,aAAa,KAAK,IAAI,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAClD,CAAC;QACD,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IACD,IAAI,aAAa,KAAK,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,EAAE,CAAC;QAC9D,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IACD,IAAI,aAAa,KAAK,cAAc,EAAE,CAAC;QACrC,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IACD,IAAI,aAAa,KAAK,eAAe,EAAE,CAAC;QACtC,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAsB;IACtD,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IAC3C,IAAI,OAAO,GAAG,IAAI,SAAS,0BAA0B,KAAK,CAAC,QAAQ,KAAK,CAAC;IACzE,OAAO,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;IAChC,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;IAClC,CAAC;IACD,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,IAAI,mBAAmB,KAAK,CAAC,UAAU,EAAE,CAAC;IACnD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,6BAA6B,CAC1C,IAAc;IAEd,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC,CAAC;IAEvE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACrB,0CAA0C;QAC1C,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,iBAAiB,EAAE,CAAC;YAC5C,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;YACxD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,GAAG,GAAG,mDAAmD,GAAG,KAAK,MAAM,EAAE,CAAC;gBAChF,UAAU,CAAC,YAAY,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;gBACxC,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CACH,CAAC;IAEF,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAiB,EAAE,CAAC,GAAG,KAAK,IAAI,CAAC,CAAC;AAC9D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,QAAwB,EACxB,YAA0B,EAC1B,kBAA2B;IAE3B,MAAM,UAAU,GAAG,oBAAoB,CACrC,kBAAkB,EAClB,QAAQ,CAAC,WAAW,CACrB,CAAC;IAEF,MAAM,gBAAgB,GAAG,MAAM,6BAA6B,CAAC,UAAU,CAAC,CAAC;IAEzE,MAAM,0BAA0B,GAAG,IAAI,CAAC,OAAO,CAC7C,OAAO,CAAC,oBAAoB,EAAE,CAC/B,CAAC;IAEF,gCAAgC;IAChC,MAAM,EACJ,KAAK,EAAE,SAAS,EAChB,QAAQ,EAAE,YAAY,EACtB,MAAM,GACP,GAAG,MAAM,oBAAoB,CAAC,gBAAgB,EAAE,CAAC,CAAC,EAAE,EAAE;QACrD,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAAC;QAElD,wEAAwE;QACxE,yBAAyB;QACzB,IACE,QAAQ,CAAC,WAAW,EAAE,IAAI,CACxB,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CACzD,EACD,CAAC;YACD,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YACvC,IAAI,cAAc,KAAK,0BAA0B,EAAE,CAAC;gBAClD,OAAO,gBAAgB,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,4DAA4D;IAC5D,uEAAuE;IACvE,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,UAAU,CAAC,YAAY,CAAC,OAAO,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAiB,CAAC,GAAG,SAAS,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC;IAEnC,oCAAoC;IACpC,4DAA4D;IAC5D,oEAAoE;IACpE,6DAA6D;IAC7D,EAAE;IACF,0BAA0B;IAC1B,4EAA4E;IAC5E,yEAAyE;IACzE,0EAA0E;IAC1E,EAAE;IACF,qEAAqE;IACrE,qEAAqE;IACrE,EAAE;IACF,2DAA2D;IAC3D,mFAAmF;IACnF,yEAAyE;IACzE,wEAAwE;IACxE,wEAAwE;IACxE,mEAAmE;IACnE,sEAAsE;IACtE,EAAE;IACF,kDAAkD;IAClD,wEAAwE;IACxE,gEAAgE;IAChE,wDAAwD;IACxD,0EAA0E;IAC1E,0EAA0E;IAC1E,6DAA6D;IAE7D,oEAAoE;IACpE,+EAA+E;IAC/E,IAAI,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC;QAC3B,KAAK,MAAM,UAAU,IAAI,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAC/C,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,GAAG,UAAU,KAAK;gBAC5B,QAAQ,EAAE,cAAc,CAAC,IAAI;gBAC7B,QAAQ,EAAE,GAAG;gBACb,MAAM,EAAE,yBAAyB;aAClC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,wDAAwD;IACxD,IAAI,QAAQ,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;QAC5B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YAC1C,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,IAAI;gBACd,QAAQ,EAAE,cAAc,CAAC,IAAI;gBAC7B,QAAQ,EAAE,GAAG;gBACb,MAAM,EAAE,2BAA2B;aACpC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,wDAAwD;IACxD,IAAI,QAAQ,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;QAC5B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YAC1C,0CAA0C;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;YACvD,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC;gBACpC,+BAA+B;gBAC/B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC;oBACrD,CAAC,CAAC,eAAe;oBACjB,CAAC,CAAC,WAAW,CAAC;gBAEhB,gDAAgD;gBAChD,IAAI,QAAQ,KAAK,eAAe,EAAE,CAAC;oBACjC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;oBACpD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;wBAC/B,IAAI,OAAO,EAAE,CAAC;4BACZ,KAAK,CAAC,IAAI,CAAC;gCACT,QAAQ;gCACR,QAAQ,EAAE,cAAc,CAAC,KAAK;gCAC9B,QAAQ,EAAE,GAAG;gCACb,WAAW,EAAE,IAAI,MAAM,CAAC,OAAO,CAAC;gCAChC,MAAM,EAAE,0BAA0B;6BACnC,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,gEAAgE;oBAChE,oEAAoE;oBACpE,KAAK,CAAC,IAAI,CAAC;wBACT,QAAQ;wBACR,QAAQ,EAAE,cAAc,CAAC,KAAK;wBAC9B,QAAQ,EAAE,GAAG;wBACb,MAAM,EAAE,0BAA0B;qBACnC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,qBAAqB;gBACrB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAC9C,CAAC,CAAC,eAAe;oBACjB,CAAC,CAAC,IAAI,CAAC;gBACT,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ;oBACR,QAAQ,EAAE,cAAc,CAAC,KAAK;oBAC9B,QAAQ,EAAE,GAAG;oBACb,MAAM,EAAE,0BAA0B;iBACnC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,yDAAyD;IACzD,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACxB,KAAK,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CACrD,QAAQ,CAAC,UAAU,CACpB,EAAE,CAAC;YACF,IAAI,YAAY,CAAC,KAAK,EAAE,CAAC;gBACvB,uCAAuC;gBACvC,0FAA0F;gBAC1F,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,GAAG,UAAU,KAAK;oBAC5B,QAAQ,EAAE,cAAc,CAAC,KAAK;oBAC9B,QAAQ,EAAE,GAAG;oBACb,MAAM,EAAE,wBAAwB;iBACjC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,+DAA+D;IAC/D,IAAI,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC;QAC1B,KAAK,MAAM,UAAU,IAAI,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YAC9C,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,GAAG,UAAU,KAAK;gBAC5B,QAAQ,EAAE,cAAc,CAAC,KAAK;gBAC9B,QAAQ,EAAE,GAAG;gBACb,MAAM,EAAE,wBAAwB;aACjC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK;QACL,QAAQ;QACR,eAAe,EAAE,cAAc,CAAC,QAAQ;QACxC,YAAY;KACb,CAAC;AACJ,CAAC;AAaD,MAAM,UAAU,mBAAmB,CACjC,YAA0B,EAC1B,UAAsB;IAEtB,uFAAuF;IACvF,IAAI,gBAAgB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAEzC,UAAU,CAAC,SAAS,CAClB,cAAc,CAAC,aAAa,EAC5B,KAAK,EAAE,OAAqB,EAAE,EAAE;QAC9B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAElC,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YAC1B,gEAAgE;YAChE,MAAM,QAAQ,GAAG,iBAAiB,CAAC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;YACrE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,IAAI,OAAO,EAAE,CAAC;oBACZ,sEAAsE;oBACtE,kDAAkD;oBAClD,YAAY,CAAC,OAAO,CAAC;wBACnB,QAAQ;wBACR,QAAQ,EAAE,cAAc,CAAC,KAAK;wBAC9B,kDAAkD;wBAClD,gEAAgE;wBAChE,uEAAuE;wBACvE,QAAQ,EAAE,IAAI;wBACd,WAAW,EAAE,IAAI,MAAM,CAAC,OAAO,CAAC;wBAChC,MAAM,EAAE,qBAAqB;qBAC9B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,OAAO,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC9D,UAAU,CAAC,YAAY,CACrB,OAAO,EACP,iDAAiD,QAAQ,KAAK,OAAO,CAAC,WAAW,EAAE,CACpF,CAAC;gBACF,OAAO;YACT,CAAC;YAED,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW;gBACrC,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;gBACjC,CAAC,CAAC,SAAS,CAAC;YAEd,YAAY,CAAC,OAAO,CAAC;gBACnB,QAAQ;gBACR,QAAQ,EAAE,cAAc,CAAC,KAAK;gBAC9B,kDAAkD;gBAClD,gEAAgE;gBAChE,uEAAuE;gBACvE,QAAQ,EAAE,IAAI;gBACd,WAAW;gBACX,MAAM,EAAE,qBAAqB;aAC9B,CAAC,CAAC;QACL,CAAC;QAED,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,gBAAgB,GAAG,gBAAgB,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE;gBAClD,IAAI,CAAC;oBACH,MAAM,eAAe,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;oBACrD,MAAM,EAAE,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;oBACrD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;oBAEjE,qBAAqB;oBACrB,IAAI,YAAY,GAA0B,EAAE,CAAC;oBAC7C,IAAI,CAAC;wBACH,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;wBAC3D,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAA0B,CAAC;oBAClE,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,uEAAuE;wBACvE,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;4BACvD,WAAW,CAAC,IAAI,CACd,mBAAmB,UAAU,gCAAgC,EAC7D,KAAK,CACN,CAAC;wBACJ,CAAC;oBACH,CAAC;oBAED,kCAAkC;oBAClC,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;wBACvB,YAAY,CAAC,IAAI,GAAG,EAAE,CAAC;oBACzB,CAAC;oBAED,yBAAyB;oBACzB,MAAM,OAAO,GAAa,EAAE,CAAC;oBAE7B,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;wBACpB,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;wBAClC,2BAA2B;wBAC3B,MAAM,cAAc,GAAG,QAAQ,CAAC,UAAU,CAAC,GAAG,OAAO,CAAC,OAAO,IAAI,CAAC;4BAChE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;4BAC5C,CAAC,CAAC,QAAQ,CAAC;wBACb,OAAO,CAAC,QAAQ,GAAG,cAAc,CAAC;wBAClC,OAAO,CAAC,QAAQ,GAAG,OAAO,CAAC;wBAC3B,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC;oBACzB,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC;wBAC5B,OAAO,CAAC,QAAQ,GAAG,OAAO,CAAC;wBAC3B,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC;oBACzB,CAAC;oBAED,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;wBAC1B,OAAO,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;oBAChD,CAAC;yBAAM,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;wBAC/B,kDAAkD;wBAClD,OAAO,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;oBAC5C,CAAC;oBAED,eAAe;oBACf,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBAEhC,yBAAyB;oBACzB,6FAA6F;oBAC7F,uEAAuE;oBACvE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,YAA4B,CAAC,CAAC;oBAEhE,2EAA2E;oBAC3E,0EAA0E;oBAC1E,8EAA8E;oBAC9E,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;oBACxD,MAAM,OAAO,GAAG,GAAG,UAAU,IAAI,SAAS,MAAM,CAAC;oBAEjD,IAAI,MAAiC,CAAC;oBACtC,IAAI,CAAC;wBACH,0EAA0E;wBAC1E,MAAM,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;wBACtC,MAAM,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;oBAC9C,CAAC;4BAAS,CAAC;wBACT,MAAM,MAAM,EAAE,KAAK,EAAE,CAAC;oBACxB,CAAC;oBACD,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;gBACvC,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,UAAU,CAAC,YAAY,CACrB,OAAO,EACP,gCAAgC,QAAQ,EAAE,EAC1C,KAAK,CACN,CAAC;gBACJ,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/policy/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAC/C,OAAO,EAEL,cAAc,GAIf,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,oBAAoB,EAAwB,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC7D,OAAO,IAAI,MAAM,aAAa,CAAC;AAC/B,OAAO,EACL,cAAc,GAEf,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAmB,MAAM,oCAAoC,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAEzD,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;AAC3C,MAAM,CAAC,MAAM,yBAAyB,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;AAE1E,iDAAiD;AACjD,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC;AACrC,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC;AACvC,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAClC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAEnC,+EAA+E;AAC/E,6DAA6D;AAE7D,wEAAwE;AACxE,gEAAgE;AAChE,mEAAmE;AACnE,MAAM,CAAC,MAAM,qBAAqB,GAAG,qBAAqB,GAAG,IAAI,CAAC;AAElE,MAAM,CAAC,MAAM,qBAAqB,GAAG,gBAAgB,GAAG,GAAG,CAAC;AAC5D,MAAM,CAAC,MAAM,2BAA2B,GAAG,gBAAgB,GAAG,GAAG,CAAC;AAClE,MAAM,CAAC,MAAM,2BAA2B,GAAG,gBAAgB,GAAG,GAAG,CAAC;AAClE,MAAM,CAAC,MAAM,2BAA2B,GAAG,gBAAgB,GAAG,GAAG,CAAC;AAClE,MAAM,CAAC,MAAM,2BAA2B,GAAG,gBAAgB,GAAG,GAAG,CAAC;AAElE;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAClC,kBAA2B,EAC3B,WAAsB,EACtB,oBAA6B;IAE7B,MAAM,IAAI,GAAG,EAAE,CAAC;IAEhB,gCAAgC;IAChC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC,CAAC;IAE1C,sCAAsC;IACtC,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,IAAI,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;IAC5B,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,iCAAiC;IACjC,IAAI,oBAAoB,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IAClC,CAAC;IAED,iCAAiC;IACjC,IAAI,CAAC,IAAI,CAAC,kBAAkB,IAAI,yBAAyB,CAAC,CAAC;IAE3D,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,GAAW,EACX,kBAA2B,EAC3B,oBAA6B;IAE7B,MAAM,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IACvD,MAAM,kBAAkB,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAE1D,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACvD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAEzD,IACE,kBAAkB;QAClB,aAAa,KAAK,IAAI,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAClD,CAAC;QACD,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IACD,IAAI,aAAa,KAAK,IAAI,CAAC,OAAO,CAAC,yBAAyB,CAAC,EAAE,CAAC;QAC9D,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IACD,IAAI,aAAa,KAAK,cAAc,EAAE,CAAC;QACrC,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IACD,IACE,oBAAoB;QACpB,aAAa,KAAK,IAAI,CAAC,OAAO,CAAC,oBAAoB,CAAC,EACpD,CAAC;QACD,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IACD,IAAI,aAAa,KAAK,eAAe,EAAE,CAAC;QACtC,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAsB;IACtD,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IAC3C,IAAI,OAAO,GAAG,IAAI,SAAS,0BAA0B,KAAK,CAAC,QAAQ,KAAK,CAAC;IACzE,OAAO,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;IAChC,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;IAClC,CAAC;IACD,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,IAAI,mBAAmB,KAAK,CAAC,UAAU,EAAE,CAAC;IACnD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,6BAA6B,CAC1C,IAAc;IAEd,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC,CAAC;IAEvE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACrB,0CAA0C;QAC1C,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,iBAAiB,EAAE,CAAC;YAC5C,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;YACxD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,GAAG,GAAG,mDAAmD,GAAG,KAAK,MAAM,EAAE,CAAC;gBAChF,UAAU,CAAC,YAAY,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;gBACxC,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CACH,CAAC;IAEF,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAiB,EAAE,CAAC,GAAG,KAAK,IAAI,CAAC,CAAC;AAC9D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,QAAwB,EACxB,YAA0B,EAC1B,kBAA2B;IAE3B,MAAM,UAAU,GAAG,oBAAoB,CACrC,kBAAkB,EAClB,QAAQ,CAAC,WAAW,EACpB,QAAQ,CAAC,oBAAoB,CAC9B,CAAC;IACF,MAAM,gBAAgB,GAAG,MAAM,6BAA6B,CAAC,UAAU,CAAC,CAAC;IAEzE,MAAM,0BAA0B,GAAG,IAAI,CAAC,OAAO,CAC7C,OAAO,CAAC,oBAAoB,EAAE,CAC/B,CAAC;IAEF,gCAAgC;IAChC,MAAM,EACJ,KAAK,EAAE,SAAS,EAChB,QAAQ,EAAE,YAAY,EACtB,MAAM,GACP,GAAG,MAAM,oBAAoB,CAAC,gBAAgB,EAAE,CAAC,CAAC,EAAE,EAAE;QACrD,MAAM,IAAI,GAAG,aAAa,CACxB,CAAC,EACD,kBAAkB,EAClB,QAAQ,CAAC,oBAAoB,CAC9B,CAAC;QAEF,wEAAwE;QACxE,yBAAyB;QACzB,IACE,QAAQ,CAAC,WAAW,EAAE,IAAI,CACxB,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CACzD,EACD,CAAC;YACD,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YACvC,IAAI,cAAc,KAAK,0BAA0B,EAAE,CAAC;gBAClD,OAAO,gBAAgB,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,4DAA4D;IAC5D,uEAAuE;IACvE,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,UAAU,CAAC,YAAY,CAAC,OAAO,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAiB,CAAC,GAAG,SAAS,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,CAAC,GAAG,YAAY,CAAC,CAAC;IAEnC,oCAAoC;IACpC,4DAA4D;IAC5D,oEAAoE;IACpE,6DAA6D;IAC7D,EAAE;IACF,0BAA0B;IAC1B,4EAA4E;IAC5E,8EAA8E;IAC9E,yEAAyE;IACzE,0EAA0E;IAC1E,EAAE;IACF,iFAAiF;IACjF,qEAAqE;IACrE,EAAE;IACF,kDAAkD;IAClD,iGAAiG;IACjG,gGAAgG;IAChG,gGAAgG;IAChG,2FAA2F;IAC3F,8FAA8F;IAC9F,2GAA2G;IAC3G,+EAA+E;IAC/E,EAAE;IACF,kDAAkD;IAClD,wEAAwE;IACxE,gEAAgE;IAChE,wDAAwD;IACxD,0EAA0E;IAC1E,0EAA0E;IAC1E,6DAA6D;IAE7D,oEAAoE;IACpE,iGAAiG;IACjG,IAAI,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,CAAC;QAC3B,KAAK,MAAM,UAAU,IAAI,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAC/C,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,GAAG,UAAU,KAAK;gBAC5B,QAAQ,EAAE,cAAc,CAAC,IAAI;gBAC7B,QAAQ,EAAE,qBAAqB;gBAC/B,MAAM,EAAE,yBAAyB;aAClC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,gFAAgF;IAChF,IAAI,QAAQ,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;QAC5B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YAC1C,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,IAAI;gBACd,QAAQ,EAAE,cAAc,CAAC,IAAI;gBAC7B,QAAQ,EAAE,2BAA2B;gBACrC,MAAM,EAAE,2BAA2B;aACpC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,gFAAgF;IAChF,IAAI,QAAQ,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;QAC5B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YAC1C,0CAA0C;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;YACvD,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC;gBACpC,+BAA+B;gBAC/B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC;oBACrD,CAAC,CAAC,eAAe;oBACjB,CAAC,CAAC,WAAW,CAAC;gBAEhB,gDAAgD;gBAChD,IAAI,QAAQ,KAAK,eAAe,EAAE,CAAC;oBACjC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;oBACpD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;wBAC/B,IAAI,OAAO,EAAE,CAAC;4BACZ,KAAK,CAAC,IAAI,CAAC;gCACT,QAAQ;gCACR,QAAQ,EAAE,cAAc,CAAC,KAAK;gCAC9B,QAAQ,EAAE,2BAA2B;gCACrC,WAAW,EAAE,IAAI,MAAM,CAAC,OAAO,CAAC;gCAChC,MAAM,EAAE,0BAA0B;6BACnC,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,gEAAgE;oBAChE,oEAAoE;oBACpE,KAAK,CAAC,IAAI,CAAC;wBACT,QAAQ;wBACR,QAAQ,EAAE,cAAc,CAAC,KAAK;wBAC9B,QAAQ,EAAE,2BAA2B;wBACrC,MAAM,EAAE,0BAA0B;qBACnC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,qBAAqB;gBACrB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAC9C,CAAC,CAAC,eAAe;oBACjB,CAAC,CAAC,IAAI,CAAC;gBACT,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ;oBACR,QAAQ,EAAE,cAAc,CAAC,KAAK;oBAC9B,QAAQ,EAAE,2BAA2B;oBACrC,MAAM,EAAE,0BAA0B;iBACnC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,iFAAiF;IACjF,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACxB,KAAK,MAAM,CAAC,UAAU,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CACrD,QAAQ,CAAC,UAAU,CACpB,EAAE,CAAC;YACF,IAAI,YAAY,CAAC,KAAK,EAAE,CAAC;gBACvB,uCAAuC;gBACvC,0FAA0F;gBAC1F,KAAK,CAAC,IAAI,CAAC;oBACT,QAAQ,EAAE,GAAG,UAAU,KAAK;oBAC5B,QAAQ,EAAE,cAAc,CAAC,KAAK;oBAC9B,QAAQ,EAAE,2BAA2B;oBACrC,MAAM,EAAE,wBAAwB;iBACjC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,uFAAuF;IACvF,IAAI,QAAQ,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC;QAC1B,KAAK,MAAM,UAAU,IAAI,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YAC9C,KAAK,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,GAAG,UAAU,KAAK;gBAC5B,QAAQ,EAAE,cAAc,CAAC,KAAK;gBAC9B,QAAQ,EAAE,2BAA2B;gBACrC,MAAM,EAAE,wBAAwB;aACjC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK;QACL,QAAQ;QACR,eAAe,EAAE,cAAc,CAAC,QAAQ;QACxC,YAAY;KACb,CAAC;AACJ,CAAC;AAaD,MAAM,UAAU,mBAAmB,CACjC,YAA0B,EAC1B,UAAsB,EACtB,OAAgB;IAEhB,uFAAuF;IACvF,IAAI,gBAAgB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAEzC,UAAU,CAAC,SAAS,CAClB,cAAc,CAAC,aAAa,EAC5B,KAAK,EAAE,OAAqB,EAAE,EAAE;QAC9B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAElC,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YAC1B,gEAAgE;YAChE,MAAM,QAAQ,GAAG,iBAAiB,CAAC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;YACrE,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,IAAI,OAAO,EAAE,CAAC;oBACZ,sEAAsE;oBACtE,kDAAkD;oBAClD,YAAY,CAAC,OAAO,CAAC;wBACnB,QAAQ;wBACR,QAAQ,EAAE,cAAc,CAAC,KAAK;wBAC9B,QAAQ,EAAE,qBAAqB;wBAC/B,WAAW,EAAE,IAAI,MAAM,CAAC,OAAO,CAAC;wBAChC,MAAM,EAAE,qBAAqB;qBAC9B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,OAAO,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC9D,UAAU,CAAC,YAAY,CACrB,OAAO,EACP,iDAAiD,QAAQ,KAAK,OAAO,CAAC,WAAW,EAAE,CACpF,CAAC;gBACF,OAAO;YACT,CAAC;YAED,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW;gBACrC,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;gBACjC,CAAC,CAAC,SAAS,CAAC;YAEd,YAAY,CAAC,OAAO,CAAC;gBACnB,QAAQ;gBACR,QAAQ,EAAE,cAAc,CAAC,KAAK;gBAC9B,QAAQ,EAAE,qBAAqB;gBAC/B,WAAW;gBACX,MAAM,EAAE,qBAAqB;aAC9B,CAAC,CAAC;QACL,CAAC;QAED,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,gBAAgB,GAAG,gBAAgB,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE;gBAClD,IAAI,CAAC;oBACH,MAAM,oBAAoB,GAAG,OAAO,CAAC,uBAAuB,EAAE,CAAC;oBAC/D,MAAM,EAAE,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;oBAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,sBAAsB,EAAE,CAAC;oBAEpD,qBAAqB;oBACrB,IAAI,YAAY,GAA0B,EAAE,CAAC;oBAC7C,IAAI,CAAC;wBACH,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;wBAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;wBACvC,IACE,OAAO,MAAM,KAAK,QAAQ;4BAC1B,MAAM,KAAK,IAAI;4BACf,CAAC,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EACtD,CAAC;4BACD,YAAY,GAAG,MAA+B,CAAC;wBACjD,CAAC;oBACH,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;4BACnD,WAAW,CAAC,IAAI,CACd,mBAAmB,UAAU,gCAAgC,EAC7D,KAAK,CACN,CAAC;wBACJ,CAAC;oBACH,CAAC;oBAED,kCAAkC;oBAClC,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;wBACvB,YAAY,CAAC,IAAI,GAAG,EAAE,CAAC;oBACzB,CAAC;oBAED,yBAAyB;oBACzB,MAAM,OAAO,GAAa,EAAE,CAAC;oBAE7B,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;wBACpB,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;wBAClC,2BAA2B;wBAC3B,MAAM,cAAc,GAAG,QAAQ,CAAC,UAAU,CAAC,GAAG,OAAO,CAAC,OAAO,IAAI,CAAC;4BAChE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;4BAC5C,CAAC,CAAC,QAAQ,CAAC;wBACb,OAAO,CAAC,QAAQ,GAAG,cAAc,CAAC;wBAClC,OAAO,CAAC,QAAQ,GAAG,OAAO,CAAC;wBAC3B,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC;oBACzB,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC;wBAC5B,OAAO,CAAC,QAAQ,GAAG,OAAO,CAAC;wBAC3B,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC;oBACzB,CAAC;oBAED,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;wBAC1B,OAAO,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;oBAChD,CAAC;yBAAM,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;wBAC/B,kDAAkD;wBAClD,OAAO,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;oBAC5C,CAAC;oBAED,eAAe;oBACf,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBAEhC,yBAAyB;oBACzB,6FAA6F;oBAC7F,uEAAuE;oBACvE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,YAA4B,CAAC,CAAC;oBAEhE,2EAA2E;oBAC3E,0EAA0E;oBAC1E,8EAA8E;oBAC9E,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;oBACxD,MAAM,OAAO,GAAG,GAAG,UAAU,IAAI,SAAS,MAAM,CAAC;oBAEjD,IAAI,MAAiC,CAAC;oBACtC,IAAI,CAAC;wBACH,0EAA0E;wBAC1E,MAAM,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;wBACtC,MAAM,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;oBAC9C,CAAC;4BAAS,CAAC;wBACT,MAAM,MAAM,EAAE,KAAK,EAAE,CAAC;oBACxB,CAAC;oBACD,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;gBACvC,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,UAAU,CAAC,YAAY,CACrB,OAAO,EACP,gCAAgC,QAAQ,EAAE,EAC1C,KAAK,CACN,CAAC;gBACJ,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/src/policy/config.test.js

@@ -109,7 +109,7 @@ describe('createPolicyEngineConfig', () => {
         const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
             r.decision === PolicyDecision.ALLOW);
         expect(rule).toBeDefined();
-        expect(rule?.priority).toBeCloseTo(2.3, 5); // Command line allow
+        expect(rule?.priority).toBeCloseTo(3.3, 5); // Command line allow
     });
     it('should deny tools in tools.exclude', async () => {
         const { createPolicyEngineConfig } = await import('./config.js');
@@ -120,7 +120,7 @@ describe('createPolicyEngineConfig', () => {
         const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
             r.decision === PolicyDecision.DENY);
         expect(rule).toBeDefined();
-        expect(rule?.priority).toBeCloseTo(2.4, 5); // Command line exclude
+        expect(rule?.priority).toBeCloseTo(3.4, 5); // Command line exclude
     });
     it('should allow tools from allowed MCP servers', async () => {
         const { createPolicyEngineConfig } = await import('./config.js');
@@ -130,7 +130,7 @@ describe('createPolicyEngineConfig', () => {
         const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT, '/tmp/mock/default/policies');
         const rule = config.rules?.find((r) => r.toolName === 'my-server__*' && r.decision === PolicyDecision.ALLOW);
         expect(rule).toBeDefined();
-        expect(rule?.priority).toBe(2.1); // MCP allowed server
+        expect(rule?.priority).toBe(3.1); // MCP allowed server
     });
     it('should deny tools from excluded MCP servers', async () => {
         const { createPolicyEngineConfig } = await import('./config.js');
@@ -140,7 +140,7 @@ describe('createPolicyEngineConfig', () => {
         const config = await createPolicyEngineConfig(settings, ApprovalMode.DEFAULT, '/tmp/mock/default/policies');
         const rule = config.rules?.find((r) => r.toolName === 'my-server__*' && r.decision === PolicyDecision.DENY);
         expect(rule).toBeDefined();
-        expect(rule?.priority).toBe(2.9); // MCP excluded server
+        expect(rule?.priority).toBe(3.9); // MCP excluded server
     });
     it('should allow tools from trusted MCP servers', async () => {
         const { createPolicyEngineConfig } = await import('./config.js');
@@ -158,7 +158,7 @@ describe('createPolicyEngineConfig', () => {
         const trustedRule = config.rules?.find((r) => r.toolName === 'trusted-server__*' &&
             r.decision === PolicyDecision.ALLOW);
         expect(trustedRule).toBeDefined();
-        expect(trustedRule?.priority).toBe(2.2); // MCP trusted server
+        expect(trustedRule?.priority).toBe(3.2); // MCP trusted server
         // Untrusted server should not have an allow rule
         const untrustedRule = config.rules?.find((r) => r.toolName === 'untrusted-server__*' &&
             r.decision === PolicyDecision.ALLOW);
@@ -182,17 +182,17 @@ describe('createPolicyEngineConfig', () => {
         const allowedRule = config.rules?.find((r) => r.toolName === 'allowed-server__*' &&
             r.decision === PolicyDecision.ALLOW);
         expect(allowedRule).toBeDefined();
-        expect(allowedRule?.priority).toBe(2.1); // MCP allowed server
+        expect(allowedRule?.priority).toBe(3.1); // MCP allowed server
         // Check trusted server
         const trustedRule = config.rules?.find((r) => r.toolName === 'trusted-server__*' &&
             r.decision === PolicyDecision.ALLOW);
         expect(trustedRule).toBeDefined();
-        expect(trustedRule?.priority).toBe(2.2); // MCP trusted server
+        expect(trustedRule?.priority).toBe(3.2); // MCP trusted server
         // Check excluded server
         const excludedRule = config.rules?.find((r) => r.toolName === 'excluded-server__*' &&
             r.decision === PolicyDecision.DENY);
         expect(excludedRule).toBeDefined();
-        expect(excludedRule?.priority).toBe(2.9); // MCP excluded server
+        expect(excludedRule?.priority).toBe(3.9); // MCP excluded server
     });
     it('should allow all tools in YOLO mode', async () => {
         const { createPolicyEngineConfig } = await import('./config.js');
@@ -239,10 +239,10 @@ describe('createPolicyEngineConfig', () => {
         const toolAllowRule = config.rules?.find((r) => r.toolName === 'my-server__specific-tool' &&
             r.decision === PolicyDecision.ALLOW);
         expect(serverDenyRule).toBeDefined();
-        expect(serverDenyRule?.priority).toBe(2.9); // MCP excluded server
+        expect(serverDenyRule?.priority).toBe(3.9); // MCP excluded server
         expect(toolAllowRule).toBeDefined();
-        expect(toolAllowRule?.priority).toBeCloseTo(2.3, 5); // Command line allow
-        // Server deny (2.9) has higher priority than tool allow (2.3),
+        expect(toolAllowRule?.priority).toBeCloseTo(3.3, 5); // Command line allow
+        // Server deny (3.9) has higher priority than tool allow (3.3),
         // so server deny wins (this is expected behavior - server-level blocks are security critical)
     });
     it('should handle MCP server allows and tool excludes', async () => {
@@ -262,23 +262,23 @@ describe('createPolicyEngineConfig', () => {
             r.decision === PolicyDecision.DENY);
         expect(serverAllowRule).toBeDefined();
         expect(toolDenyRule).toBeDefined();
-        // Command line exclude (2.4) has higher priority than MCP server trust (2.2)
+        // Command line exclude (3.4) has higher priority than MCP server trust (3.2)
         // This is the correct behavior - specific exclusions should beat general server trust
         expect(toolDenyRule.priority).toBeGreaterThan(serverAllowRule.priority);
     });
     it('should handle complex priority scenarios correctly', async () => {
         const settings = {
             tools: {
-                allowed: ['my-server__tool1', 'other-tool'], // Priority 2.3
-                exclude: ['my-server__tool2', 'glob'], // Priority 2.4
+                allowed: ['my-server__tool1', 'other-tool'], // Priority 3.3
+                exclude: ['my-server__tool2', 'glob'], // Priority 3.4
             },
             mcp: {
-                allowed: ['allowed-server'], // Priority 2.1
-                excluded: ['excluded-server'], // Priority 2.9
+                allowed: ['allowed-server'], // Priority 3.1
+                excluded: ['excluded-server'], // Priority 3.9
             },
             mcpServers: {
                 'trusted-server': {
-                    trust: true, // Priority 90 -> 2.2
+                    trust: true, // Priority 90 -> 3.2
                 },
             },
         };
@@ -338,7 +338,7 @@ describe('createPolicyEngineConfig', () => {
         expect(globDenyRule).toBeDefined();
         expect(globAllowRule).toBeDefined();
         // Deny from settings (user tier)
-        expect(globDenyRule.priority).toBeCloseTo(2.4, 5); // Command line exclude
+        expect(globDenyRule.priority).toBeCloseTo(3.4, 5); // Command line exclude
         // Allow from default TOML: 1 + 50/1000 = 1.05
         expect(globAllowRule.priority).toBeCloseTo(1.05, 5);
         // Verify all priority levels are correct
@@ -349,9 +349,9 @@ describe('createPolicyEngineConfig', () => {
             priority: r.priority,
         }))
             .sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
-        // Check that the highest priority items are the excludes (user tier: 2.4 and 2.9)
-        const highestPriorityExcludes = priorities?.filter((p) => Math.abs(p.priority - 2.4) < 0.01 ||
-            Math.abs(p.priority - 2.9) < 0.01);
+        // Check that the highest priority items are the excludes (user tier: 3.4 and 3.9)
+        const highestPriorityExcludes = priorities?.filter((p) => Math.abs(p.priority - 3.4) < 0.01 ||
+            Math.abs(p.priority - 3.9) < 0.01);
         expect(highestPriorityExcludes?.every((p) => p.decision === PolicyDecision.DENY)).toBe(true);
         vi.doUnmock('node:fs/promises');
     });
@@ -406,7 +406,7 @@ describe('createPolicyEngineConfig', () => {
         // Should still have the exclude rule (from settings, user tier)
         const excludeRule = config.rules?.find((r) => r.toolName === 'dangerous-tool' && r.decision === PolicyDecision.DENY);
         expect(excludeRule).toBeDefined();
-        expect(excludeRule?.priority).toBeCloseTo(2.4, 5); // Command line exclude
+        expect(excludeRule?.priority).toBeCloseTo(3.4, 5); // Command line exclude
     });
     it('should support argsPattern in policy rules', async () => {
         const actualFs = await vi.importActual('node:fs/promises');
@@ -471,8 +471,8 @@ priority = 150
         const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
             r.decision === PolicyDecision.ALLOW);
         expect(rule).toBeDefined();
-        // Priority 150 in user tier → 2.150
-        expect(rule?.priority).toBeCloseTo(2.15, 5);
+        // Priority 150 in user tier → 3.150
+        expect(rule?.priority).toBeCloseTo(3.15, 5);
         expect(rule?.argsPattern).toBeInstanceOf(RegExp);
         expect(rule?.argsPattern?.test('{"command":"git status"}')).toBe(true);
         expect(rule?.argsPattern?.test('{"command":"git diff"}')).toBe(true);
@@ -669,7 +669,7 @@ name = "invalid-name"
         const rule = config.rules?.find((r) => r.toolName === 'run_shell_command' &&
             r.decision === PolicyDecision.ALLOW);
         expect(rule).toBeDefined();
-        expect(rule?.priority).toBeCloseTo(2.3, 5); // Command line allow
+        expect(rule?.priority).toBeCloseTo(3.3, 5); // Command line allow
         vi.doUnmock('node:fs/promises');
     });
     it('should allow overriding Plan Mode deny with user policy', async () => {
@@ -758,7 +758,7 @@ modes = ["plan"]
             r.decision === PolicyDecision.ALLOW &&
             r.modes?.includes(ApprovalMode.PLAN));
         expect(subagentRule).toBeDefined();
-        expect(subagentRule?.priority).toBeCloseTo(2.1, 5);
+        expect(subagentRule?.priority).toBeCloseTo(3.1, 5);
         vi.doUnmock('node:fs/promises');
     });
 });

package/dist/src/policy/integrity.d.ts

@@ -0,0 +1,45 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export declare enum IntegrityStatus {
+    MATCH = "MATCH",
+    MISMATCH = "MISMATCH",
+    NEW = "NEW"
+}
+export interface IntegrityResult {
+    status: IntegrityStatus;
+    hash: string;
+    fileCount: number;
+}
+export declare class PolicyIntegrityManager {
+    /**
+     * Checks the integrity of policies in a given directory against the stored hash.
+     *
+     * @param scope The scope of the policy (e.g., 'project', 'user').
+     * @param identifier A unique identifier for the policy scope (e.g., project path).
+     * @param policyDir The directory containing the policy files.
+     * @returns IntegrityResult indicating if the current policies match the stored hash.
+     */
+    checkIntegrity(scope: string, identifier: string, policyDir: string): Promise<IntegrityResult>;
+    /**
+     * Accepts and persists the current integrity hash for a given policy scope.
+     *
+     * @param scope The scope of the policy.
+     * @param identifier A unique identifier for the policy scope (e.g., project path).
+     * @param hash The hash to persist.
+     */
+    acceptIntegrity(scope: string, identifier: string, hash: string): Promise<void>;
+    /**
+     * Calculates a SHA-256 hash of all policy files in the directory.
+     * The hash includes the relative file path and content to detect renames and modifications.
+     *
+     * @param policyDir The directory containing the policy files.
+     * @returns The calculated hash and file count
+     */
+    private static calculateIntegrityHash;
+    private getIntegrityKey;
+    private loadIntegrityData;
+    private saveIntegrityData;
+}