@haibun/core 3.6.0 → 3.8.0

package/build/run-policy/run-policy-schema.d.ts

@@ -0,0 +1,44 @@
+import { z } from 'zod';
+import { type TRunPolicyConfig } from './run-policy-types.js';
+/**
+ * Validates the policy file structure itself.
+ * The structure mirrors TRunPolicyConfig (place + dirFilters array).
+ */
+declare const PolicyFileSchema: z.ZodObject<{
+    $schema: z.ZodOptional<z.ZodString>;
+    type: z.ZodDefault<z.ZodLiteral<"object">>;
+    properties: z.ZodOptional<z.ZodObject<{}, z.core.$loose>>;
+    definitions: z.ZodOptional<z.ZodObject<{}, z.core.$loose>>;
+    $defs: z.ZodOptional<z.ZodObject<{}, z.core.$loose>>;
+    required: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    allOf: z.ZodOptional<z.ZodArray<z.ZodUnknown>>;
+    anyOf: z.ZodOptional<z.ZodArray<z.ZodUnknown>>;
+    oneOf: z.ZodOptional<z.ZodArray<z.ZodUnknown>>;
+    deny: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        place: z.ZodOptional<z.ZodString>;
+        dir: z.ZodOptional<z.ZodString>;
+        access: z.ZodOptional<z.ZodEnum<{
+            r: "r";
+            a: "a";
+            w: "w";
+        }>>;
+    }, z.core.$strip>>>;
+}, z.core.$loose>;
+export type TRunPolicy = z.infer<typeof PolicyFileSchema>;
+/** Load and parse a policy file */
+export declare function loadRunPolicy(schemaPath: string): TRunPolicy;
+/**
+ * Validate a runtime config against a loaded policy.
+ * Builds a strict Zod schema dynamically from the policy definition.
+ */
+export declare function buildConfigValidator(policy: TRunPolicy): z.ZodObject<{
+    [x: string]: z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>;
+}, z.core.$loose>;
+/**
+ * Validate a config against a loaded policy, returning array of error strings.
+ */
+export declare function validateRunPolicyConfig(config: TRunPolicyConfig, policy: TRunPolicy, schemaPath: string): string[];
+/** Load policy, validate config, throw on failure. */
+export declare function loadAndValidateRunPolicy(config: TRunPolicyConfig, schemaPath: string): TRunPolicy;
+export {};
+//# sourceMappingURL=run-policy-schema.d.ts.map

package/build/run-policy/run-policy-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-policy-schema.d.ts","sourceRoot":"","sources":["../../src/run-policy/run-policy-schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAiB,KAAK,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAY7E;;;GAGG;AACH,QAAA,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;iBAWN,CAAC;AAEjB,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAE1D,mCAAmC;AACnC,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,CAQ5D;AAsID;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,UAAU;;kBA6EtD;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAMlH;AAED,sDAAsD;AACtD,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,GAAG,UAAU,CAQjG"}

package/build/run-policy/run-policy-schema.js

@@ -0,0 +1,263 @@
+import { z } from 'zod';
+import { readFileSync } from 'fs';
+import { ACCESS_LEVELS } from './run-policy-types.js';
+// ============================================================================
+// Policy File Schema — Hierarchical JSON Schema
+// ============================================================================
+const DenyRuleSchema = z.object({
+    place: z.string().optional(),
+    dir: z.string().optional(),
+    access: z.enum(ACCESS_LEVELS).optional(),
+});
+/**
+ * Validates the policy file structure itself.
+ * The structure mirrors TRunPolicyConfig (place + dirFilters array).
+ */
+const PolicyFileSchema = z.object({
+    $schema: z.string().optional(),
+    type: z.literal('object').default('object'),
+    properties: z.object({}).passthrough().optional(),
+    definitions: z.object({}).passthrough().optional(),
+    $defs: z.object({}).passthrough().optional(),
+    required: z.array(z.string()).optional(),
+    allOf: z.array(z.unknown()).optional(),
+    anyOf: z.array(z.unknown()).optional(),
+    oneOf: z.array(z.unknown()).optional(),
+    deny: z.array(DenyRuleSchema).default([]),
+}).passthrough();
+/** Load and parse a policy file */
+export function loadRunPolicy(schemaPath) {
+    let raw;
+    try {
+        raw = readFileSync(schemaPath, 'utf-8');
+    }
+    catch (err) {
+        throw new Error(`Cannot read run policy "${schemaPath}": ${err.message}`);
+    }
+    return PolicyFileSchema.parse(JSON.parse(raw));
+}
+function resolveRef(ref, rootDocs) {
+    if (!ref.startsWith('#/'))
+        return undefined;
+    const parts = ref.substring(2).split('/');
+    for (const doc of rootDocs) {
+        if (!doc)
+            continue;
+        let curr = doc;
+        for (const part of parts) {
+            if (typeof curr === 'object' && curr !== null && part in curr) {
+                curr = curr[part];
+            }
+            else {
+                curr = undefined;
+                break;
+            }
+        }
+        if (curr !== undefined)
+            return curr;
+    }
+    return undefined;
+}
+function evaluateCondition(conditionObj, config, ctx, rootDocs, allowedKeys) {
+    if (!conditionObj)
+        return true;
+    let ok = true;
+    // 1. resolve $ref
+    if (typeof conditionObj.$ref === 'string') {
+        const resolved = resolveRef(conditionObj.$ref, rootDocs);
+        if (resolved) {
+            ok = evaluateCondition(resolved, config, ctx, rootDocs, allowedKeys) && ok;
+        }
+        else {
+            ctx.addIssue({ code: z.ZodIssueCode.custom, message: `Unresolvable schema reference: ${conditionObj.$ref}`, path: [] });
+            ok = false;
+        }
+        return ok; // If it's a $ref, JSON schema typically ignores siblings, but we'll stop here.
+    }
+    // 2. process allOf
+    if (Array.isArray(conditionObj.allOf)) {
+        for (const rule of conditionObj.allOf) {
+            ok = evaluateCondition(rule, config, ctx, rootDocs, allowedKeys) && ok;
+        }
+    }
+    if (Array.isArray(conditionObj.anyOf)) {
+        const results = conditionObj.anyOf.map((rule) => evaluateBranch(rule, config, rootDocs));
+        const passing = results.filter((result) => result.ok);
+        if (passing.length === 0) {
+            ctx.addIssue({ code: z.ZodIssueCode.custom, message: 'must match at least one schema in anyOf', path: [] });
+            ok = false;
+        }
+        else {
+            for (const result of passing) {
+                for (const key of result.allowedKeys) {
+                    allowedKeys.add(key);
+                }
+            }
+        }
+    }
+    if (Array.isArray(conditionObj.oneOf)) {
+        const results = conditionObj.oneOf.map((rule) => evaluateBranch(rule, config, rootDocs));
+        const passing = results.filter((result) => result.ok);
+        if (passing.length !== 1) {
+            ctx.addIssue({ code: z.ZodIssueCode.custom, message: 'must match exactly one schema in oneOf', path: [] });
+            ok = false;
+        }
+        else {
+            for (const key of passing[0].allowedKeys) {
+                allowedKeys.add(key);
+            }
+        }
+    }
+    // 3. process if/then
+    if (conditionObj.if && typeof conditionObj.if === 'object' && 'properties' in conditionObj.if) {
+        let matchesIf = true;
+        for (const [k, v] of Object.entries(conditionObj.if.properties)) {
+            const castV = v;
+            if (castV.const !== undefined && config[k] !== castV.const) {
+                matchesIf = false;
+                break;
+            }
+        }
+        if (matchesIf && conditionObj.then) {
+            ok = evaluateCondition(conditionObj.then, config, ctx, rootDocs, allowedKeys) && ok;
+        }
+    }
+    // 4. process required
+    if (Array.isArray(conditionObj.required)) {
+        for (const req of conditionObj.required) {
+            if (config[req] === undefined) {
+                ctx.addIssue({ code: z.ZodIssueCode.custom, message: `must have required property '${req}'`, path: [req] });
+                ok = false;
+            }
+        }
+    }
+    if (conditionObj.properties && typeof conditionObj.properties === 'object') {
+        for (const [k, v] of Object.entries(conditionObj.properties)) {
+            allowedKeys.add(k);
+            const castV = v;
+            if (config[k] !== undefined) {
+                if (castV.const !== undefined && config[k] !== castV.const) {
+                    ctx.addIssue({ code: z.ZodIssueCode.custom, message: `must be equal to constant "${castV.const}"`, path: [k] });
+                    ok = false;
+                }
+                if (castV.type === 'number' && typeof config[k] !== 'number') {
+                    // if it's string from env, parse it dynamically
+                    if (typeof config[k] === 'string' && !isNaN(Number(config[k]))) {
+                        config[k] = Number(config[k]);
+                    }
+                    else {
+                        ctx.addIssue({ code: z.ZodIssueCode.custom, message: `must be number`, path: [k] });
+                        ok = false;
+                    }
+                }
+            }
+        }
+    }
+    return ok;
+}
+function evaluateBranch(conditionObj, config, rootDocs) {
+    const issues = [];
+    const branchAllowed = new Set();
+    const ctx = {
+        addIssue: (issue) => {
+            issues.push(issue);
+        }
+    };
+    const ok = evaluateCondition(conditionObj, config, ctx, rootDocs, branchAllowed);
+    return { ok: ok && issues.length === 0, allowedKeys: branchAllowed, issues };
+}
+/**
+ * Validate a runtime config against a loaded policy.
+ * Builds a strict Zod schema dynamically from the policy definition.
+ */
+export function buildConfigValidator(policy) {
+    const validPlaces = policy.properties?.place && policy.properties.place.enum;
+    const validDirs = policy.properties?.dirFilters &&
+        policy.properties.dirFilters.items &&
+        policy.properties.dirFilters.items.properties &&
+        policy.properties.dirFilters.items.properties.dir &&
+        policy.properties.dirFilters.items.properties.dir.enum;
+    const baseSchema = {};
+    if (validPlaces) {
+        baseSchema.place = z.enum(validPlaces);
+    }
+    else {
+        baseSchema.place = z.string();
+    }
+    if (validDirs) {
+        baseSchema.dirFilters = z.array(z.object({
+            dir: z.union([z.enum(validDirs), z.literal('*')]),
+            access: z.enum(ACCESS_LEVELS),
+        }));
+    }
+    else {
+        baseSchema.dirFilters = z.array(z.object({
+            dir: z.string(),
+            access: z.enum(ACCESS_LEVELS),
+        }));
+    }
+    const ConfigValidator = z.object(baseSchema).passthrough();
+    return ConfigValidator.superRefine((config, ctx) => {
+        // 1. Evaluate policy rules dynamically
+        const rootDocs = [policy];
+        // keys that are always allowed by the base schema
+        const allowedKeys = new Set();
+        // Pre-populate allowedKeys with root properties
+        allowedKeys.add('place');
+        allowedKeys.add('dirFilters');
+        if (policy.properties)
+            Object.keys(policy.properties).forEach(k => allowedKeys.add(k));
+        evaluateCondition(policy, config, ctx, rootDocs, allowedKeys);
+        // Validate strictness: block non-existent parameters
+        for (const key of Object.keys(config)) {
+            if (!allowedKeys.has(key)) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.unrecognized_keys,
+                    keys: [key],
+                    message: `Unrecognized key(s) in object: '${key}'`,
+                    path: []
+                });
+            }
+        }
+        // 2. Custom deny rule validation
+        const dirFilters = config.dirFilters;
+        if (dirFilters) {
+            dirFilters.forEach((filter, index) => {
+                const flat = { place: config.place, dir: filter.dir, access: filter.access };
+                for (const rule of policy.deny) {
+                    const match = (!rule.place || rule.place === flat.place)
+                        && (!rule.dir || rule.dir === flat.dir)
+                        && (!rule.access || rule.access === flat.access);
+                    if (match) {
+                        ctx.addIssue({
+                            code: z.ZodIssueCode.custom,
+                            message: `Filter "${filter.dir}:${filter.access}" in "${config.place}": Denied by policy: ${JSON.stringify(rule)}`,
+                            path: ['dirFilters', index]
+                        });
+                    }
+                }
+            });
+        }
+    });
+}
+/**
+ * Validate a config against a loaded policy, returning array of error strings.
+ */
+export function validateRunPolicyConfig(config, policy, schemaPath) {
+    const validator = buildConfigValidator(policy);
+    const result = validator.safeParse(config);
+    if (result.success)
+        return [];
+    return result.error.issues.map((err) => `${err.path.length ? '/' + err.path.join('/') + ' ' : ''}${err.message}`);
+}
+/** Load policy, validate config, throw on failure. */
+export function loadAndValidateRunPolicy(config, schemaPath) {
+    const policy = loadRunPolicy(schemaPath);
+    const errors = validateRunPolicyConfig(config, policy, schemaPath);
+    if (errors.length > 0) {
+        const jsonContext = JSON.stringify({ $schema: schemaPath, ...config }, null, 2);
+        throw new Error(`Run policy validation failed:\n${jsonContext}\n\nErrors:\n${errors.map((e) => `  • ${e}`).join('\\n')}`);
+    }
+    return policy;
+}
+//# sourceMappingURL=run-policy-schema.js.map

package/build/run-policy/run-policy-schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-policy-schema.js","sourceRoot":"","sources":["../../src/run-policy/run-policy-schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,aAAa,EAAyB,MAAM,uBAAuB,CAAC;AAE7E,+EAA+E;AAC/E,gDAAgD;AAChD,+EAA+E;AAE/E,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,QAAQ,EAAE;CACzC,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC9B,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAC3C,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IACjD,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IAClD,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IAC5C,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACxC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;IACtC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CAC1C,CAAC,CAAC,WAAW,EAAE,CAAC;AAIjB,mCAAmC;AACnC,MAAM,UAAU,aAAa,CAAC,UAAkB;IAC9C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,2BAA2B,UAAU,MAAO,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;IACvF,CAAC;IACD,OAAO,gBAAgB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,UAAU,CAAC,GAAW,EAAE,QAAmB;IAClD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IAC5C,MAAM,KAAK,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,IAAI,IAAI,GAAY,GAAG,CAAC;QACxB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE,CAAC;gBAC9D,IAAI,GAAI,IAAgC,CAAC,IAAI,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,IAAI,GAAG,SAAS,CAAC;gBACjB,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,IAAI,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;IACtC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,iBAAiB,CAAC,YAAiD,EAAE,MAA+B,EAAE,GAAoB,EAAE,QAAmB,EAAE,WAAwB;IAChL,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAC/B,IAAI,EAAE,GAAG,IAAI,CAAC;IAEd,kBAAkB;IAClB,IAAI,OAAO,YAAY,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC1C,MAAM,QAAQ,GAAG,UAAU,CAAC,YAAY,CAAC,IAAI,EAAE,QAAQ,CAAwC,CAAC;QAChG,IAAI,QAAQ,EAAE,CAAC;YACb,EAAE,GAAG,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC;QAC7E,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,kCAAkC,YAAY,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;YACxH,EAAE,GAAG,KAAK,CAAC;QACb,CAAC;QACD,OAAO,EAAE,CAAC,CAAC,+EAA+E;IAC5F,CAAC;IAED,mBAAmB;IACnB,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,KAAK,EAAE,CAAC;YACtC,EAAE,GAAG,iBAAiB,CAAC,IAA+B,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC;QACpG,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,IAA+B,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpH,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,GAAG,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,yCAAyC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;YAC5G,EAAE,GAAG,KAAK,CAAC;QACb,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;oBACrC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,IAA+B,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;QACpH,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,GAAG,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,wCAAwC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;YAC3G,EAAE,GAAG,KAAK,CAAC;QACb,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;gBACzC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,IAAI,YAAY,CAAC,EAAE,IAAI,OAAO,YAAY,CAAC,EAAE,KAAK,QAAQ,IAAI,YAAY,IAAI,YAAY,CAAC,EAAE,EAAE,CAAC;QAC9F,IAAI,SAAS,GAAG,IAAI,CAAC;QACrB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAE,YAAY,CAAC,EAA8B,CAAC,UAAqC,CAAC,EAAE,CAAC;YACxH,MAAM,KAAK,GAAG,CAA4B,CAAC;YAC3C,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC;gBAC3D,SAAS,GAAG,KAAK,CAAC;gBAClB,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,SAAS,IAAI,YAAY,CAAC,IAAI,EAAE,CAAC;YACnC,EAAE,GAAG,iBAAiB,CAAC,YAAY,CAAC,IAA+B,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,WAAW,CAAC,IAAI,EAAE,CAAC;QACjH,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzC,KAAK,MAAM,GAAG,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;YACxC,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;gBAC9B,GAAG,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,gCAAgC,GAAG,GAAG,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC5G,EAAE,GAAG,KAAK,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,YAAY,CAAC,UAAU,IAAI,OAAO,YAAY,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC3E,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,UAAqC,CAAC,EAAE,CAAC;YACxF,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACnB,MAAM,KAAK,GAAG,CAA4B,CAAC;YAC3C,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;gBAC5B,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC;oBAC3D,GAAG,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,8BAA8B,KAAK,CAAC,KAAK,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBAChH,EAAE,GAAG,KAAK,CAAC;gBACb,CAAC;gBACD,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;oBAC7D,gDAAgD;oBAChD,IAAI,OAAO,MAAM,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC/D,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;oBAChC,CAAC;yBAAM,CAAC;wBACN,GAAG,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;wBACpF,EAAE,GAAG,KAAK,CAAC;oBACb,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,cAAc,CAAC,YAAqC,EAAE,MAA+B,EAAE,QAAmB;IACjH,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IACxC,MAAM,GAAG,GAAG;QACV,QAAQ,EAAE,CAAC,KAAiB,EAAE,EAAE;YAC9B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;KACiB,CAAC;IACrB,MAAM,EAAE,GAAG,iBAAiB,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;IACjF,OAAO,EAAE,EAAE,EAAE,EAAE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC;AAC/E,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAkB;IACrD,MAAM,WAAW,GAAI,MAAM,CAAC,UAAsC,EAAE,KAAK,IAAM,MAAM,CAAC,UAAsC,CAAC,KAAiC,CAAC,IAAyC,CAAC;IACzM,MAAM,SAAS,GAAI,MAAM,CAAC,UAAsC,EAAE,UAAU;QACxE,MAAM,CAAC,UAAsC,CAAC,UAAsC,CAAC,KAAK;QACzF,MAAM,CAAC,UAAsC,CAAC,UAAsC,CAAC,KAAiC,CAAC,UAAU;QAChI,MAAM,CAAC,UAAsC,CAAC,UAAsC,CAAC,KAAiC,CAAC,UAAsC,CAAC,GAAG;QAChK,MAAM,CAAC,UAAsC,CAAC,UAAsC,CAAC,KAAiC,CAAC,UAAsC,CAAC,GAA+B,CAAC,IAAyC,CAAC;IAE/O,MAAM,UAAU,GAAiC,EAAE,CAAC;IACpD,IAAI,WAAW,EAAE,CAAC;QAChB,UAAU,CAAC,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACzC,CAAC;SAAM,CAAC;QACN,UAAU,CAAC,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;IAChC,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACd,UAAU,CAAC,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC;YACvC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACjD,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC;SAC9B,CAAC,CAAC,CAAC;IACN,CAAC;SAAM,CAAC;QACN,UAAU,CAAC,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC;YACvC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;YACf,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC;SAC9B,CAAC,CAAC,CAAC;IACN,CAAC;IAED,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;IAE3D,OAAO,eAAe,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,GAAG,EAAE,EAAE;QACjD,uCAAuC;QACvC,MAAM,QAAQ,GAAG,CAAC,MAAM,CAAC,CAAC;QAE1B,kDAAkD;QAClD,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;QAEtC,gDAAgD;QAChD,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACzB,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC9B,IAAI,MAAM,CAAC,UAAU;YAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,UAAqC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAElH,iBAAiB,CAAC,MAAiC,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;QAEzF,qDAAqD;QACrD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACtC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,GAAG,CAAC,QAAQ,CAAC;oBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,iBAAiB;oBACtC,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,OAAO,EAAE,mCAAmC,GAAG,GAAG;oBAClD,IAAI,EAAE,EAAE;iBACT,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,iCAAiC;QACjC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAuC,CAAC;QAClE,IAAI,UAAU,EAAE,CAAC;YACf,UAAU,CAAC,OAAO,CAAC,CAAC,MAA+B,EAAE,KAAa,EAAE,EAAE;gBACpE,MAAM,IAAI,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;gBAE7E,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;oBAC/B,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC;2BACnD,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,CAAC;2BACpC,CAAC,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,CAAC,CAAC;oBAEnD,IAAI,KAAK,EAAE,CAAC;wBACV,GAAG,CAAC,QAAQ,CAAC;4BACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;4BAC3B,OAAO,EAAE,WAAW,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,MAAM,SAAS,MAAM,CAAC,KAAK,wBAAwB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;4BAClH,IAAI,EAAE,CAAC,YAAY,EAAE,KAAK,CAAC;yBAC5B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAwB,EAAE,MAAkB,EAAE,UAAkB;IACtG,MAAM,SAAS,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC3C,IAAI,MAAM,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IAE9B,OAAO,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;AACpH,CAAC;AAED,sDAAsD;AACtD,MAAM,UAAU,wBAAwB,CAAC,MAAwB,EAAE,UAAkB;IACnF,MAAM,MAAM,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IACnE,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAChF,MAAM,IAAI,KAAK,CAAC,kCAAkC,WAAW,gBAAgB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5H,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/build/run-policy/run-policy-types.d.ts

@@ -0,0 +1,60 @@
+import { z } from 'zod';
+/** CLI option name for run-policy */
+export declare const OPTION_RUN_POLICY = "--run-policy";
+/** CLI option for dry-run mode (preview which features pass/fail the run policy) */
+export declare const OPTION_DRY_RUN = "--dry-run";
+/** Environment variable for run-policy (format: "place dir:access[,dir:access]") */
+export declare const HAIBUN_RUN_POLICY = "HAIBUN_RUN_POLICY";
+/** Valid access levels, forming a strict hierarchy: r ⊂ a ⊂ w */
+export declare const ACCESS_LEVELS: readonly ["r", "a", "w"];
+/** Feature filename prefixes corresponding to access levels */
+export declare const ACCESS_PREFIXES: readonly ["r_", "a_", "w_"];
+export declare const AccessLevelSchema: z.ZodEnum<{
+    r: "r";
+    a: "a";
+    w: "w";
+}>;
+export type AccessLevel = z.infer<typeof AccessLevelSchema>;
+export type TDirFilter = {
+    dir: string;
+    access: string;
+};
+export type TRunPolicyConfig = {
+    place: string;
+    dirFilters: TDirFilter[];
+    [param: string]: unknown;
+};
+/** Parses "smoke:r" → { dir: "smoke", access: "r" } */
+export declare const DirFilterSchema: z.ZodPipe<z.ZodPipe<z.ZodString, z.ZodTransform<{
+    dir: string;
+    access: string;
+}, string>>, z.ZodObject<{
+    dir: z.ZodString;
+    access: z.ZodString;
+}, z.core.$strip>>;
+/** Parse dir:access[,dir:access] string */
+export declare function parseDirFilters(input: string): TDirFilter[];
+export declare const RunPolicyConfigSchema: z.ZodPipe<z.ZodObject<{
+    place: z.ZodString;
+    dirAccessStr: z.ZodString;
+}, z.core.$catchall<z.ZodUnknown>>, z.ZodTransform<TRunPolicyConfig, {
+    [x: string]: unknown;
+    place: string;
+    dirAccessStr: string;
+}>>;
+/** Parse --run-policy arguments: place dir:access[,dir:access] */
+export declare function parseRunPolicyArgs(place: string, dirAccessStr: string): TRunPolicyConfig;
+/** Parse HAIBUN_RUN_POLICY env var: "place dir:access[,dir:access]" */
+export declare function parseRunPolicyEnv(envVar: string): TRunPolicyConfig;
+/** Numeric rank for hierarchy comparison: r=0, a=1, w=2 */
+export declare function accessRank(level: string): number;
+/** Check if granted level includes required level (w ⊃ a ⊃ r) */
+export declare function accessLevelIncludes(granted: string, required: string): boolean;
+/** Extract access prefix from feature filename, or undefined if unrecognized */
+export declare function getFeatureAccessPrefix(filename: string): AccessLevel | undefined;
+/**
+ * Determine if a feature file should run given the active dir filters.
+ * Exclusive: only features with a recognized prefix in a listed directory pass.
+ */
+export declare function featureMatchesFilter(featurePath: string, dirFilters: TDirFilter[]): boolean;
+//# sourceMappingURL=run-policy-types.d.ts.map

package/build/run-policy/run-policy-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-policy-types.d.ts","sourceRoot":"","sources":["../../src/run-policy/run-policy-types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAMxB,qCAAqC;AACrC,eAAO,MAAM,iBAAiB,iBAAiB,CAAC;AAEhD,oFAAoF;AACpF,eAAO,MAAM,cAAc,cAAc,CAAC;AAE1C,oFAAoF;AACpF,eAAO,MAAM,iBAAiB,sBAAsB,CAAC;AAErD,iEAAiE;AACjE,eAAO,MAAM,aAAa,0BAA2B,CAAC;AAEtD,+DAA+D;AAC/D,eAAO,MAAM,eAAe,6BAA8B,CAAC;AAQ3D,eAAO,MAAM,iBAAiB;;;;EAAwB,CAAC;AACvD,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAE5D,MAAM,MAAM,UAAU,GAAG;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,UAAU,EAAE,CAAC;IACzB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B,CAAC;AAEF,uDAAuD;AACvD,eAAO,MAAM,eAAe;;;;;;kBASiD,CAAC;AAE9E,2CAA2C;AAC3C,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,EAAE,CAE3D;AAED,eAAO,MAAM,qBAAqB;;;;;;;GAShC,CAAC;AAMH,kEAAkE;AAClE,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,gBAAgB,CAUxF;AAED,uEAAuE;AACvE,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAMlE;AAMD,2DAA2D;AAC3D,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEhD;AAED,iEAAiE;AACjE,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAE9E;AAED,gFAAgF;AAChF,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAGhF;AAMD;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,GAAG,OAAO,CAa3F"}

package/build/run-policy/run-policy-types.js

@@ -0,0 +1,106 @@
+import { z } from 'zod';
+// ============================================================================
+// Constants
+// ============================================================================
+/** CLI option name for run-policy */
+export const OPTION_RUN_POLICY = '--run-policy';
+/** CLI option for dry-run mode (preview which features pass/fail the run policy) */
+export const OPTION_DRY_RUN = '--dry-run';
+/** Environment variable for run-policy (format: "place dir:access[,dir:access]") */
+export const HAIBUN_RUN_POLICY = 'HAIBUN_RUN_POLICY';
+/** Valid access levels, forming a strict hierarchy: r ⊂ a ⊂ w */
+export const ACCESS_LEVELS = ['r', 'a', 'w'];
+/** Feature filename prefixes corresponding to access levels */
+export const ACCESS_PREFIXES = ['r_', 'a_', 'w_'];
+// ============================================================================
+// Zod Schemas — types are inferred, parsing via transforms
+// ============================================================================
+// Basic types
+const InputAccessLevelSchema = z.string();
+export const AccessLevelSchema = z.enum(ACCESS_LEVELS);
+/** Parses "smoke:r" → { dir: "smoke", access: "r" } */
+export const DirFilterSchema = z.string()
+    .transform((val, ctx) => {
+    const parts = val.split(':');
+    if (parts.length !== 2) {
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: `Invalid filter format "${val}". Expected "dir:access"` });
+        return z.NEVER;
+    }
+    return { dir: parts[0], access: parts[1] };
+})
+    .pipe(z.object({ dir: z.string().min(1), access: InputAccessLevelSchema }));
+/** Parse dir:access[,dir:access] string */
+export function parseDirFilters(input) {
+    return input.split(',').map(s => DirFilterSchema.parse(s));
+}
+export const RunPolicyConfigSchema = z.object({
+    place: z.string().min(1),
+    dirAccessStr: z.string(),
+}).catchall(z.unknown()).transform((data) => {
+    const dirFilters = parseDirFilters(data.dirAccessStr);
+    const result = { ...data };
+    delete result.dirAccessStr;
+    result.dirFilters = dirFilters;
+    return result;
+});
+// ============================================================================
+// Parsing — thin wrappers delegating to Zod
+// ============================================================================
+/** Parse --run-policy arguments: place dir:access[,dir:access] */
+export function parseRunPolicyArgs(place, dirAccessStr) {
+    try {
+        return RunPolicyConfigSchema.parse({ place, dirAccessStr });
+    }
+    catch (e) {
+        if (e instanceof z.ZodError) {
+            const detail = e.issues.map((i) => `  • ${i.path.join('.')}: ${i.message}`).join('\n');
+            throw new Error(`Run policy configuration failed:\n${detail}`);
+        }
+        throw e;
+    }
+}
+/** Parse HAIBUN_RUN_POLICY env var: "place dir:access[,dir:access]" */
+export function parseRunPolicyEnv(envVar) {
+    const parts = envVar.trim().split(/\s+/);
+    if (parts.length !== 2) {
+        throw new Error(`Invalid format. Expected "place dir:access"`);
+    }
+    return parseRunPolicyArgs(parts[0], parts[1]);
+}
+// ============================================================================
+// Access Level Logic — minimal procedural (pure domain logic)
+// ============================================================================
+/** Numeric rank for hierarchy comparison: r=0, a=1, w=2 */
+export function accessRank(level) {
+    return ACCESS_LEVELS.indexOf(level);
+}
+/** Check if granted level includes required level (w ⊃ a ⊃ r) */
+export function accessLevelIncludes(granted, required) {
+    return accessRank(granted) >= accessRank(required);
+}
+/** Extract access prefix from feature filename, or undefined if unrecognized */
+export function getFeatureAccessPrefix(filename) {
+    const result = AccessLevelSchema.safeParse(filename.charAt(0));
+    return result.success && filename.charAt(1) === '_' ? result.data : undefined;
+}
+// ============================================================================
+// Feature Matching — runtime matching (must be procedural)
+// ============================================================================
+/**
+ * Determine if a feature file should run given the active dir filters.
+ * Exclusive: only features with a recognized prefix in a listed directory pass.
+ */
+export function featureMatchesFilter(featurePath, dirFilters) {
+    const parts = featurePath.replace(/^\//, '').split('/');
+    const filename = parts[parts.length - 1];
+    const featureDir = parts.length > 1 ? parts[0] : undefined;
+    const requiredAccess = getFeatureAccessPrefix(filename);
+    if (!requiredAccess)
+        return false;
+    const matchingFilter = dirFilters.find((f) => f.dir === featureDir)
+        ?? dirFilters.find((f) => f.dir === '*');
+    if (!matchingFilter)
+        return false;
+    return accessLevelIncludes(matchingFilter.access, requiredAccess);
+}
+//# sourceMappingURL=run-policy-types.js.map

package/build/run-policy/run-policy-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-policy-types.js","sourceRoot":"","sources":["../../src/run-policy/run-policy-types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,qCAAqC;AACrC,MAAM,CAAC,MAAM,iBAAiB,GAAG,cAAc,CAAC;AAEhD,oFAAoF;AACpF,MAAM,CAAC,MAAM,cAAc,GAAG,WAAW,CAAC;AAE1C,oFAAoF;AACpF,MAAM,CAAC,MAAM,iBAAiB,GAAG,mBAAmB,CAAC;AAErD,iEAAiE;AACjE,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAU,CAAC;AAEtD,+DAA+D;AAC/D,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAU,CAAC;AAE3D,+EAA+E;AAC/E,2DAA2D;AAC3D,+EAA+E;AAE/E,cAAc;AACd,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;AAC1C,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;AAcvD,uDAAuD;AACvD,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,EAAE;KACtC,SAAS,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;IACtB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,GAAG,CAAC,QAAQ,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,0BAA0B,GAAG,0BAA0B,EAAE,CAAC,CAAC;QAChH,OAAO,CAAC,CAAC,KAAK,CAAC;IACjB,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;AAC7C,CAAC,CAAC;KACD,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC,CAAC,CAAC;AAE9E,2CAA2C;AAC3C,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;CACzB,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,IAAI,EAAoB,EAAE;IAC5D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACtD,MAAM,MAAM,GAA4B,EAAE,GAAG,IAAI,EAAE,CAAC;IACpD,OAAO,MAAM,CAAC,YAAY,CAAC;IAC3B,MAAM,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,OAAO,MAA0B,CAAC;AACpC,CAAC,CAAC,CAAC;AAEH,+EAA+E;AAC/E,4CAA4C;AAC5C,+EAA+E;AAE/E,kEAAkE;AAClE,MAAM,UAAU,kBAAkB,CAAC,KAAa,EAAE,YAAoB;IACpE,IAAI,CAAC;QACH,OAAO,qBAAqB,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;IAC9D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACvF,MAAM,IAAI,KAAK,CAAC,qCAAqC,MAAM,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,CAAC,CAAC;IACV,CAAC;AACH,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,iBAAiB,CAAC,MAAc;IAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,+EAA+E;AAC/E,8DAA8D;AAC9D,+EAA+E;AAE/E,2DAA2D;AAC3D,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,OAAO,aAAa,CAAC,OAAO,CAAC,KAAoB,CAAC,CAAC;AACrD,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,QAAgB;IACnE,OAAO,UAAU,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;AACrD,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,sBAAsB,CAAC,QAAgB;IACrD,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,OAAO,MAAM,CAAC,OAAO,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AAChF,CAAC;AAED,+EAA+E;AAC/E,2DAA2D;AAC3D,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,WAAmB,EAAE,UAAwB;IAChF,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAE3D,MAAM,cAAc,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IACxD,IAAI,CAAC,cAAc;QAAE,OAAO,KAAK,CAAC;IAElC,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,UAAU,CAAC;WAC9D,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,cAAc;QAAE,OAAO,KAAK,CAAC;IAElC,OAAO,mBAAmB,CAAC,cAAc,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;AACpE,CAAC"}

package/build/runfilter/filter-schema.d.ts

@@ -0,0 +1,76 @@
+import { z } from 'zod';
+import { type TFilterConfig } from './filter-types.js';
+/**
+ * Validates the policy file structure itself.
+ * The structure now mimics TFilterConfig (env + dirFilters array).
+ */
+declare const PolicyFileSchema: z.ZodObject<{
+    type: z.ZodDefault<z.ZodLiteral<"object">>;
+    properties: z.ZodObject<{
+        env: z.ZodObject<{
+            type: z.ZodDefault<z.ZodLiteral<"string">>;
+            enum: z.ZodArray<z.ZodString>;
+        }, z.core.$loose>;
+        dirFilters: z.ZodObject<{
+            type: z.ZodDefault<z.ZodLiteral<"array">>;
+            items: z.ZodObject<{
+                type: z.ZodDefault<z.ZodLiteral<"object">>;
+                properties: z.ZodObject<{
+                    dir: z.ZodObject<{
+                        type: z.ZodDefault<z.ZodLiteral<"string">>;
+                        enum: z.ZodArray<z.ZodString>;
+                    }, z.core.$loose>;
+                    access: z.ZodOptional<z.ZodObject<{
+                        type: z.ZodDefault<z.ZodLiteral<"string">>;
+                        enum: z.ZodOptional<z.ZodArray<z.ZodEnum<{
+                            r: "r";
+                            a: "a";
+                            w: "w";
+                        }>>>;
+                    }, z.core.$loose>>;
+                }, z.core.$loose>;
+                required: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            }, z.core.$loose>;
+        }, z.core.$loose>;
+    }, z.core.$loose>;
+    deny: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        env: z.ZodOptional<z.ZodString>;
+        dir: z.ZodOptional<z.ZodString>;
+        access: z.ZodOptional<z.ZodEnum<{
+            r: "r";
+            a: "a";
+            w: "w";
+        }>>;
+    }, z.core.$strip>>>;
+}, z.core.$loose>;
+export type TFilterPolicy = z.infer<typeof PolicyFileSchema>;
+/**
+ * Build a Zod validator for the entire TFilterConfig based on the policy.
+ * This validator checks the whole config object at once ("wholesale validation").
+ */
+export declare function buildConfigValidator(policy: TFilterPolicy): z.ZodObject<{
+    env: z.ZodEnum<{
+        [x: string]: string;
+    }>;
+    dirFilters: z.ZodArray<z.ZodObject<{
+        dir: z.ZodEnum<{
+            [x: string]: string;
+        }>;
+        access: z.ZodEnum<{
+            r: "r";
+            a: "a";
+            w: "w";
+        }>;
+    }, z.core.$strip>>;
+}, z.core.$loose>;
+/** Load and parse a policy file */
+export declare function loadFilterPolicy(schemaPath: string): TFilterPolicy;
+/**
+ * Validate a runtime config against a loaded policy.
+ * Uses the generated Zod validator to check the config wholesale.
+ */
+export declare function validateFilterConfig(config: TFilterConfig, policy: TFilterPolicy, schemaPath: string): string[];
+/** Load schema, validate config, throw on failure. */
+export declare function loadAndValidateFilters(config: TFilterConfig, schemaPath: string): TFilterPolicy;
+export {};
+//# sourceMappingURL=filter-schema.d.ts.map

package/build/runfilter/filter-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"filter-schema.d.ts","sourceRoot":"","sources":["../../src/runfilter/filter-schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAiB,KAAK,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAYtE;;;GAGG;AACH,QAAA,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA0BN,CAAC;AAEjB,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAM7D;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,aAAa;;;;;;;;;;;;;;kBAsCzD;AAED,mCAAmC;AACnC,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,aAAa,CAQlE;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAmB/G;AAED,sDAAsD;AACtD,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,GAAG,aAAa,CAQ/F"}