@hominis/fireforge 0.21.1 → 0.21.3

package/CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - **Chrome-doc previews and cleanup.** `furnace chrome-doc create` now supports `--dry-run`, validating the same target files and jar registrations without writing. New `furnace chrome-doc remove <name>` removes scaffolded chrome-doc files, jar entries, and optional xpcshell packaging-test directories, with `--dry-run` and `--yes` support.
 - **Versioned `status --json` schema.** The JSON output is now an object with `schemaVersion`, `summary`, and `files` instead of a bare array. Error paths also emit versioned JSON objects with `code` and `error`.
+- **Configurable patch queue policy.** Projects can now opt into `fireforge.json#patchPolicy` to define category-owned numeric ranges, reserved exception ranges, filename capture patterns, description requirements, gap policy, and mutation enforcement mode. FireForge enforces the policy during export/re-export/reorder/rename projections and reports the same findings from `verify` and `lint --per-patch`.
 
 ### Hardening
 

package/README.md

@@ -107,6 +107,47 @@ patches/
 
 The category system is intentionally broad. The numeric ordering provides sequencing.
 
+Projects that need stricter queue semantics can add an optional `patchPolicy` block to
+`fireforge.json`. When present, FireForge checks the policy before mutating the patch queue and
+reports the same policy findings from `fireforge verify` and `fireforge lint --per-patch`.
+
+```json
+{
+  "patchPolicy": {
+    "filenamePattern": "^(?<order>\\d{3})-(?<category>branding|infra|ui)-(?<slug>[a-z0-9-]+)\\.patch$",
+    "requireDescription": true,
+    "allowGaps": true,
+    "mutationMode": "error",
+    "ranges": [
+      { "from": 1, "to": 99, "category": "branding" },
+      { "from": 100, "to": 199, "category": "infra" },
+      { "from": 200, "to": 299, "category": "ui" }
+    ],
+    "reservedRanges": [
+      {
+        "from": 900,
+        "to": 999,
+        "allowed": [
+          {
+            "filename": "900-infra-bootstrap-workaround.patch",
+            "files": ["tools/profiler/rust-api/build.rs"],
+            "adr": "docs/architecture/adr/0001-bootstrap-workaround.md"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+Policy ranges are category-owned: a `ui` patch in the example must use `200-299`, while
+`900-999` is reserved for exact allowlisted exceptions. Reserved exceptions must include either
+`adr` or `documentation`; when `files` is present, the patch may not touch paths outside that
+allowlist. `filenamePattern` must expose named captures `order`, `category`, and `slug`.
+`mutationMode` controls mutating commands: `"error"` refuses, `"warn"` prints warnings and
+continues, and `"force"` refuses unless the command supports and receives `--force-unsafe`.
+Without `patchPolicy`, existing repositories keep the broad category and numeric ordering behavior.
+
 ### Importing patches
 
 ```bash

package/dist/src/commands/export-all.js

@@ -1,5 +1,3 @@
-// SPDX-License-Identifier: EUPL-1.2
-import { Option } from 'commander';
 import { isBrandingManagedPath } from '../core/branding.js';
 import { getProjectPaths, loadConfig } from '../core/config.js';
 import { collectFurnaceManagedPrefixes, furnaceConfigExists, loadFurnaceConfig, } from '../core/furnace-config.js';
@@ -14,7 +12,6 @@ import { GeneralError } from '../errors/base.js';
 import { ensureDir, pathExists } from '../utils/fs.js';
 import { info, intro, outro, spinner } from '../utils/logger.js';
 import { pickDefined } from '../utils/options.js';
-import { PATCH_CATEGORIES } from '../utils/validation.js';
 import { renderDryRunPreview } from './export-flow.js';
 import { autoFixLicenseHeaders, confirmSupersedePatches, guardOwnershipOverlap, promptExportPatchMetadata, runPatchLint, } from './export-shared.js';
 async function checkBrandingManagedFiles(paths, config) {
@@ -235,7 +232,7 @@ export async function exportAllCommand(projectRoot, options = {}) {
     if (headersAdded) {
         diff = await getAllDiff(paths.engine);
     }
-    const metadata = await promptExportPatchMetadata(options, isInteractive, 'export-all');
+    const metadata = await promptExportPatchMetadata(options, isInteractive, 'export-all', config);
     if (!metadata)
         return;
     const { patchName, selectedCategory, description } = metadata;
@@ -268,6 +265,8 @@ export async function exportAllCommand(projectRoot, options = {}) {
                 sourceEsrVersion: config.firefox.version,
                 explicitSupersede: options.supersede === true,
                 allowOverlap: options.allowOverlap === true,
+                config,
+                forceUnsafe: options.forceUnsafe === true,
             });
             outro('Dry run complete — no changes made');
             return;
@@ -301,6 +300,9 @@ export async function exportAllCommand(projectRoot, options = {}) {
             diff,
             filesAffected,
             sourceEsrVersion: config.firefox.version,
+            config,
+            policyCommand: 'export-all',
+            forceUnsafe: options.forceUnsafe === true,
         });
         for (const oldPatch of superseded) {
             info(`Superseded: ${oldPatch.filename}`);
@@ -323,18 +325,19 @@ export function registerExportAll(program, { getProjectRoot, withErrorHandling }
         .command('export-all')
         .description('Export all changes as a patch')
         .option('--name <name>', 'Name for the patch')
-        .addOption(new Option('-c, --category <category>', 'Patch category').choices([...PATCH_CATEGORIES]))
+        .option('-c, --category <category>', 'Patch category')
         .option('-d, --description <desc>', 'Description of the patch')
         .option('--supersede', 'Allow superseding multiple existing patches')
         .option('--skip-lint', 'Skip patch lint checks (downgrade errors to warnings)')
         .option('--exclude-furnace', 'Export the non-Furnace subset of the aggregate diff instead of refusing when Furnace-managed files are modified. Furnace-managed files are still deployed by "fireforge furnace apply"; this flag only changes whether export-all aborts or filters in their presence.')
         .option('--allow-overlap', 'Acknowledge cross-patch ownership overlap with non-superseded patches (the resulting queue fails verify). Does not bypass the new-file creation guard — two patches creating the same path is structurally unrecoverable, so that case still refuses regardless of this flag.')
         .option('--dry-run', 'Print the export-all plan (filename, metadata, files affected, supersede preview) without writing anything to patches/. Lint still runs so the operator sees the same lint output a real run would produce.')
+        .option('--force-unsafe', 'Bypass force-mode patchPolicy refusals')
         .action(withErrorHandling(async (options) => {
         const { category, ...rest } = options;
         await exportAllCommand(getProjectRoot(), {
             ...pickDefined(rest),
-            ...(category !== undefined ? { category: category } : {}),
+            ...(category !== undefined ? { category } : {}),
         });
     }));
 }

package/dist/src/commands/export-flow.d.ts

@@ -9,6 +9,7 @@
 import { type ConflictReport } from '../core/destructive.js';
 import { type PatchRenameEntry } from '../core/patch-manifest.js';
 import type { ExportOptions, PatchCategory, PatchMetadata } from '../types/commands/index.js';
+import type { FireForgeConfig } from '../types/config.js';
 /**
  * Shape for the rename map computed when a placement flag forces existing
  * patches to move out of the new slot. Keys are current filenames.
@@ -53,6 +54,10 @@ export interface CommitPlacementExportInput {
     metadata: PatchMetadata;
     expectedPlan: PlacementPlan;
     unsafeOverride?: boolean;
+    /** Project config, used only when opt-in patchPolicy is present. */
+    config?: FireForgeConfig;
+    /** Whether --force-unsafe was supplied by the mutating command. */
+    forceUnsafe?: boolean;
     /**
      * Optional post-commit hook that runs inside the patch directory lock,
      * after the mutation has succeeded but before the lock is released.
@@ -87,6 +92,10 @@ export interface DryRunPreviewInput {
     tier?: 'branding';
     /** Optional `PatchMetadata.lintIgnore` carried from the CLI. */
     lintIgnore?: string[];
+    /** Project config, used only when opt-in patchPolicy is present. */
+    config?: FireForgeConfig;
+    /** Whether --force-unsafe was supplied by the mutating command. */
+    forceUnsafe?: boolean;
 }
 /**
  * Renders the plain (non-placement) dry-run preview: calls planExport,

package/dist/src/commands/export-flow.js

@@ -12,6 +12,7 @@ import { findAllPatchesForFilesWithDetails, planExport, sanitizeName, } from '..
 import { buildModifiedFileAdditionsFromDiff, buildPatchQueueContext, detectNewFilesInDiff, lintPatchQueue, } from '../core/patch-lint.js';
 import { withPatchDirectoryLock } from '../core/patch-lock.js';
 import { addPatchToManifest, loadPatchesManifest, renumberPatchesInManifest, resolvePatchIdentifier, savePatchesManifest, } from '../core/patch-manifest.js';
+import { applyRenameMapToManifest, buildProjectedManifest, enforcePatchPolicy, } from '../core/patch-policy.js';
 import { extractNewFileContentFromDiff } from '../core/patch-transform.js';
 import { GeneralError, InvalidArgumentError } from '../errors/base.js';
 import { toError } from '../utils/errors.js';
@@ -200,13 +201,31 @@ export async function commitPlacementExport(input) {
         if (conflicts && input.unsafeOverride !== true) {
             throw new InvalidArgumentError(`Refusing to run export: ${conflicts.reason}. Pass --force-unsafe to override.`, '--force-unsafe');
         }
+        const originalManifest = await loadPatchesManifest(input.patchesDir);
+        if (input.config !== undefined) {
+            const renamed = originalManifest !== null
+                ? applyRenameMapToManifest(originalManifest, currentPlan.renameMap)
+                : buildProjectedManifest(null, []);
+            enforcePatchPolicy({
+                config: input.config,
+                manifest: buildProjectedManifest(renamed, [
+                    ...renamed.patches,
+                    {
+                        ...input.metadata,
+                        filename: currentPlan.newFilename,
+                        order: currentPlan.insertionOrder,
+                    },
+                ]),
+                command: 'export',
+                forceUnsafe: input.forceUnsafe === true,
+            });
+        }
         // Snapshot pre-mutation state so we can best-effort restore the queue
         // if any of the three steps below fail mid-flight. Mirrors the
         // rollback shape in commitExportedPatch (src/core/patch-export.ts), but
         // inlined because the two rollbacks operate on different state shapes
         // (rename map vs. supersede set) and sharing a helper would be forced.
         const patchPath = join(input.patchesDir, currentPlan.newFilename);
-        const originalManifest = await loadPatchesManifest(input.patchesDir);
         const originalNewPatchContent = (await pathExists(patchPath))
             ? await readText(patchPath)
             : null;
@@ -311,7 +330,16 @@ export async function renderDryRunPreview(input) {
         sourceEsrVersion: input.sourceEsrVersion,
         ...(input.tier !== undefined ? { tier: input.tier } : {}),
         ...(input.lintIgnore !== undefined ? { lintIgnore: input.lintIgnore } : {}),
+        ...(input.config !== undefined ? { config: input.config } : {}),
     });
+    if (input.config !== undefined) {
+        enforcePatchPolicy({
+            config: input.config,
+            manifest: plan.manifestAfter,
+            command: 'export',
+            forceUnsafe: input.forceUnsafe === true,
+        });
+    }
     info(`\n[dry-run] Would write: patches/${plan.patchFilename}`);
     info(`  category: ${plan.metadata.category}`);
     info(`  order: ${plan.metadata.order}`);

package/dist/src/commands/export-shared.d.ts

@@ -31,7 +31,7 @@ export declare function runPatchLint(engineDir: string, filesAffected: string[],
  * @param isInteractive - Whether interactive prompts are allowed
  * @param commandName - Command name for error/help text
  */
-export declare function promptExportPatchMetadata(options: ExportOptions, isInteractive: boolean, commandName: 'export' | 'export-all'): Promise<{
+export declare function promptExportPatchMetadata(options: ExportOptions, isInteractive: boolean, commandName: 'export' | 'export-all', config?: FireForgeConfig): Promise<{
     patchName: string;
     selectedCategory: PatchCategory;
     description: string;

package/dist/src/commands/export-shared.js

@@ -5,10 +5,11 @@ import { addLicenseHeaderToFile, getLicenseHeader } from '../core/license-header
 import { findAllPatchesForFiles } from '../core/patch-export.js';
 import { commentStyleForFile, detectNewFilesInDiff, lintExportedPatch, resolvePatchSizeTier, } from '../core/patch-lint.js';
 import { loadPatchesManifest } from '../core/patch-manifest.js';
+import { getPatchPolicyCategories, isCategoryAllowedByConfig } from '../core/patch-policy.js';
 import { GeneralError, InvalidArgumentError } from '../errors/base.js';
 import { pathExists, readText } from '../utils/fs.js';
 import { cancel, info, isCancel, warn } from '../utils/logger.js';
-import { isValidPatchCategory, PATCH_CATEGORIES, validatePatchName } from '../utils/validation.js';
+import { PATCH_CATEGORIES, validatePatchName } from '../utils/validation.js';
 /**
  * Runs the full patch lint pipeline and reports results.
  * Warnings are always displayed. Errors block the export unless skipLint is true.
@@ -89,7 +90,8 @@ export async function runPatchLint(engineDir, filesAffected, diffContent, config
  * @param isInteractive - Whether interactive prompts are allowed
  * @param commandName - Command name for error/help text
  */
-export async function promptExportPatchMetadata(options, isInteractive, commandName) {
+export async function promptExportPatchMetadata(options, isInteractive, commandName, config) {
+    const categories = config !== undefined ? getPatchPolicyCategories(config) : [...PATCH_CATEGORIES];
     let patchName = options.name;
     if (patchName) {
         const validationError = validatePatchName(patchName);
@@ -98,7 +100,7 @@ export async function promptExportPatchMetadata(options, isInteractive, commandN
         }
     }
     if (!patchName && !isInteractive) {
-        throw new InvalidArgumentError('The --name flag is required in non-interactive mode', `Use: fireforge ${commandName} ${commandName === 'export' ? '<paths...> ' : ''}--name "my-patch-name" --category ui`);
+        throw new InvalidArgumentError('The --name flag is required in non-interactive mode', `Use: fireforge ${commandName} ${commandName === 'export' ? '<paths...> ' : ''}--name "my-patch-name" --category ${categories[0] ?? 'ui'}`);
     }
     if (!patchName) {
         const nameResult = await text({
@@ -114,23 +116,20 @@ export async function promptExportPatchMetadata(options, isInteractive, commandN
     }
     let category = options.category;
     if (category) {
-        if (!isValidPatchCategory(category)) {
-            throw new InvalidArgumentError(`Invalid category. Must be one of: ${PATCH_CATEGORIES.join(', ')}`, '--category');
+        const isAllowed = config !== undefined
+            ? isCategoryAllowedByConfig(config, category)
+            : PATCH_CATEGORIES.includes(category);
+        if (!isAllowed) {
+            throw new InvalidArgumentError(`Invalid category. Must be one of: ${categories.join(', ')}`, '--category');
         }
     }
     else if (!isInteractive) {
-        throw new InvalidArgumentError('The --category flag is required in non-interactive mode', `Use: fireforge ${commandName} ${commandName === 'export' ? '<paths...> ' : ''}--name "name" --category <${PATCH_CATEGORIES.join('|')}>`);
+        throw new InvalidArgumentError('The --category flag is required in non-interactive mode', `Use: fireforge ${commandName} ${commandName === 'export' ? '<paths...> ' : ''}--name "name" --category <${categories.join('|')}>`);
     }
     else {
         const categoryResult = await select({
             message: 'Select a category for this patch:',
-            options: [
-                { value: 'branding', label: 'branding - Logo, icons, names, about pages' },
-                { value: 'ui', label: 'ui - User interface changes' },
-                { value: 'privacy', label: 'privacy - Telemetry, tracking, data collection' },
-                { value: 'security', label: 'security - Security hardening, policies' },
-                { value: 'infra', label: 'infra - Build system, tooling, CI, configuration' },
-            ],
+            options: categories.map((value) => ({ value, label: value })),
         });
         if (isCancel(categoryResult)) {
             cancel('Export cancelled');

package/dist/src/commands/export.js

@@ -11,13 +11,15 @@ import { isBinaryFile } from '../core/git-file-ops.js';
 import { getModifiedFilesInDir, getUntrackedFiles, getUntrackedFilesInDir, } from '../core/git-status.js';
 import { extractAffectedFiles } from '../core/patch-apply.js';
 import { commitExportedPatch, findAllPatchesForFiles } from '../core/patch-export.js';
+import { loadPatchesManifest } from '../core/patch-manifest.js';
+import { applyRenameMapToManifest, buildProjectedManifest, enforcePatchPolicy, } from '../core/patch-policy.js';
 import { GeneralError, InvalidArgumentError } from '../errors/base.js';
 import { toError } from '../utils/errors.js';
 import { ensureDir, pathExists } from '../utils/fs.js';
 import { info, intro, outro, spinner, verbose, warn } from '../utils/logger.js';
 import { pickDefined } from '../utils/options.js';
 import { stripEnginePrefix } from '../utils/paths.js';
-import { parsePositiveIntegerFlag, PATCH_CATEGORIES } from '../utils/validation.js';
+import { parsePositiveIntegerFlag } from '../utils/validation.js';
 import { commitPlacementExport, placementSummary, projectPlacementForLint, renderDryRunPreview, resolvePlacementPlan, } from './export-flow.js';
 import { autoFixLicenseHeaders, confirmSupersedePatches, guardOwnershipOverlap, promptExportPatchMetadata, runPatchLint, } from './export-shared.js';
 async function collectExportFiles(paths, files) {
@@ -164,7 +166,7 @@ export async function exportCommand(projectRoot, files, options) {
     if (headersAdded) {
         diff = await generatePatchDiff(paths.engine, allFiles);
     }
-    const metadata = await promptExportPatchMetadata(options, isInteractive, 'export');
+    const metadata = await promptExportPatchMetadata(options, isInteractive, 'export', config);
     if (!metadata)
         return;
     const { patchName, selectedCategory, description } = metadata;
@@ -190,6 +192,32 @@ export async function exportCommand(projectRoot, files, options) {
             }
             placementPlan = await resolvePlacementPlan(paths.patches, options, selectedCategory, patchName);
             const conflicts = await projectPlacementForLint(paths.patches, placementPlan, diff);
+            const currentManifest = await loadPatchesManifest(paths.patches);
+            const renamed = currentManifest !== null
+                ? applyRenameMapToManifest(currentManifest, placementPlan.renameMap)
+                : buildProjectedManifest(null, []);
+            enforcePatchPolicy({
+                config,
+                manifest: buildProjectedManifest(renamed, [
+                    ...renamed.patches,
+                    {
+                        filename: placementPlan.newFilename,
+                        order: placementPlan.insertionOrder,
+                        category: selectedCategory,
+                        name: patchName,
+                        description,
+                        createdAt: new Date().toISOString(),
+                        sourceEsrVersion: config.firefox.version,
+                        filesAffected,
+                        ...(options.tier !== undefined ? { tier: options.tier } : {}),
+                        ...(options.lintIgnore !== undefined && options.lintIgnore.length > 0
+                            ? { lintIgnore: options.lintIgnore }
+                            : {}),
+                    },
+                ]),
+                command: 'export',
+                forceUnsafe: options.forceUnsafe === true,
+            });
             const summary = placementSummary(placementPlan);
             const renameCount = placementPlan.renameMap.size;
             // Route through confirmDestructive when the operation is destructive
@@ -238,6 +266,8 @@ export async function exportCommand(projectRoot, files, options) {
                 ...(options.lintIgnore !== undefined && options.lintIgnore.length > 0
                     ? { lintIgnore: options.lintIgnore }
                     : {}),
+                config,
+                forceUnsafe: options.forceUnsafe === true,
             });
             outro('Dry run complete — no changes made');
             return;
@@ -270,6 +300,8 @@ export async function exportCommand(projectRoot, files, options) {
                 metadata: placementMetadata,
                 expectedPlan: placementPlan,
                 unsafeOverride: options.forceUnsafe === true,
+                config,
+                forceUnsafe: options.forceUnsafe === true,
                 // History append runs inside the same lock as the mutation so
                 // concurrent placement exports cannot interleave their records
                 // and a crash between mutation and record cannot orphan the
@@ -335,6 +367,9 @@ export async function exportCommand(projectRoot, files, options) {
             ...(options.lintIgnore !== undefined && options.lintIgnore.length > 0
                 ? { lintIgnore: options.lintIgnore }
                 : {}),
+            config,
+            policyCommand: 'export',
+            forceUnsafe: options.forceUnsafe === true,
         });
         for (const oldPatch of superseded) {
             info(`Superseded: ${oldPatch.filename}`);
@@ -357,7 +392,7 @@ export function registerExport(program, { getProjectRoot, withErrorHandling }) {
         .command('export <paths...>')
         .description('Export new changes as a patch (use re-export to update existing patches)')
         .option('-n, --name <name>', 'Name for the patch')
-        .addOption(new Option('-c, --category <category>', 'Patch category').choices([...PATCH_CATEGORIES]))
+        .option('-c, --category <category>', 'Patch category')
         .option('-d, --description <desc>', 'Description of the patch')
         .option('--supersede', 'Allow superseding multiple existing patches')
         .option('--skip-lint', 'Skip patch lint checks (downgrade errors to warnings)')
@@ -375,7 +410,7 @@ export function registerExport(program, { getProjectRoot, withErrorHandling }) {
         const { category, tier, lintIgnore, ...rest } = options;
         await exportCommand(getProjectRoot(), paths, {
             ...pickDefined(rest),
-            ...(category !== undefined ? { category: category } : {}),
+            ...(category !== undefined ? { category } : {}),
             ...(tier !== undefined ? { tier: tier } : {}),
             ...(lintIgnore !== undefined && lintIgnore.length > 0 ? { lintIgnore } : {}),
         });

package/dist/src/commands/lint.js

@@ -11,6 +11,7 @@ import { extractAffectedFiles } from '../core/patch-apply.js';
 import { buildPatchQueueContext, lintExportedPatch, lintPatchQueue, resolvePatchSizeTier, } from '../core/patch-lint.js';
 import { collectDiffFilePaths, tagLintIssues } from '../core/patch-lint-diff-tag.js';
 import { loadPatchesManifest } from '../core/patch-manifest.js';
+import { evaluatePatchPolicy } from '../core/patch-policy.js';
 import { GeneralError } from '../errors/base.js';
 import { pathExists } from '../utils/fs.js';
 import { info, intro, outro, success, warn } from '../utils/logger.js';
@@ -407,6 +408,14 @@ async function lintPerPatch(projectRoot, paths) {
     const config = await loadConfig(projectRoot);
     const ctx = await buildPatchQueueContext(paths.patches);
     const issues = [];
+    for (const issue of evaluatePatchPolicy(config, manifest)) {
+        issues.push({
+            file: issue.filename,
+            check: `patch-policy/${issue.code}`,
+            message: issue.message,
+            severity: issue.severity,
+        });
+    }
     let linted = 0;
     let skipped = 0;
     for (const patch of manifest.patches) {

package/dist/src/commands/patch/rename.js

@@ -18,12 +18,13 @@
  */
 import { rename as fsRename } from 'node:fs/promises';
 import { join } from 'node:path';
-import { getProjectPaths } from '../../core/config.js';
+import { getProjectPaths, loadConfig } from '../../core/config.js';
 import { appendHistory, confirmDestructive } from '../../core/destructive.js';
 import { sanitizeName } from '../../core/patch-export.js';
 import { formatPatchNotFoundError } from '../../core/patch-identifier-suggest.js';
 import { withPatchDirectoryLock } from '../../core/patch-lock.js';
 import { loadPatchesManifest, resolvePatchIdentifier, savePatchesManifest, } from '../../core/patch-manifest.js';
+import { buildProjectedManifest, enforcePatchPolicy } from '../../core/patch-policy.js';
 import { GeneralError, InvalidArgumentError } from '../../errors/base.js';
 import { toError } from '../../utils/errors.js';
 import { pathExists } from '../../utils/fs.js';
@@ -66,23 +67,40 @@ async function commitRenameUnderLock(input) {
         if (!before) {
             throw new GeneralError(`Patch ${target.filename} disappeared from the manifest during rename.`);
         }
+        let oldPath;
+        let newPath;
         if (filenameChanging) {
             const collisionInLock = fresh.patches.find((p) => p.filename === newFilename && p.filename !== target.filename);
             if (collisionInLock) {
                 throw new InvalidArgumentError(`Cannot rename to "${newFilename}" — a different patch claimed that filename concurrently.`, 'patch rename');
             }
-            const oldPath = join(patchesDir, target.filename);
-            const newPath = join(patchesDir, newFilename);
+            oldPath = join(patchesDir, target.filename);
+            newPath = join(patchesDir, newFilename);
             if (await pathExists(newPath)) {
                 throw new InvalidArgumentError(`Cannot rename: ${newFilename} already exists on disk. Resolve manually before retrying.`, 'patch rename');
             }
-            await fsRename(oldPath, newPath);
             fresh.patches[idx] = {
                 ...before,
                 filename: newFilename,
                 name: newName,
                 ...(descriptionChanging ? { description: newDescription ?? '' } : {}),
             };
+        }
+        else {
+            fresh.patches[idx] = {
+                ...before,
+                ...(nameChanging ? { name: newName } : {}),
+                ...(descriptionChanging ? { description: newDescription ?? '' } : {}),
+            };
+        }
+        enforcePatchPolicy({
+            config: input.config,
+            manifest: buildProjectedManifest(fresh, fresh.patches),
+            command: 'patch rename',
+            forceUnsafe: input.forceUnsafe === true,
+        });
+        if (filenameChanging && oldPath !== undefined && newPath !== undefined) {
+            await fsRename(oldPath, newPath);
             try {
                 await savePatchesManifest(patchesDir, fresh);
             }
@@ -97,11 +115,6 @@ async function commitRenameUnderLock(input) {
             }
         }
         else {
-            fresh.patches[idx] = {
-                ...before,
-                ...(nameChanging ? { name: newName } : {}),
-                ...(descriptionChanging ? { description: newDescription ?? '' } : {}),
-            };
             await savePatchesManifest(patchesDir, fresh);
         }
         try {
@@ -115,6 +128,7 @@ async function commitRenameUnderLock(input) {
                     ...(descriptionChanging ? { oldDescription: target.description, newDescription } : {}),
                 },
                 ...(input.yes === true ? { yes: true } : {}),
+                ...(input.forceUnsafe === true ? { unsafeOverride: true } : {}),
                 result: 'ok',
             });
         }
@@ -138,6 +152,7 @@ export async function patchRenameCommand(projectRoot, identifier, options = {})
         throw new InvalidArgumentError('Specify --to <new-name>. The new name is sanitised into the filename slug the same way `export --name` is.', 'patch rename');
     }
     const paths = getProjectPaths(projectRoot);
+    const config = await loadConfig(projectRoot);
     if (!(await pathExists(paths.patches))) {
         throw new GeneralError('Patches directory not found.');
     }
@@ -187,6 +202,19 @@ export async function patchRenameCommand(projectRoot, identifier, options = {})
     if (descriptionChanging) {
         summary.push(`description: "${target.description || '(none)'}" → "${options.description ?? '(none)'}"`);
     }
+    enforcePatchPolicy({
+        config,
+        manifest: buildProjectedManifest(manifest, manifest.patches.map((entry) => entry.filename === target.filename
+            ? {
+                ...entry,
+                filename: newFilename,
+                name: nameChanging ? (options.to ?? entry.name) : entry.name,
+                ...(descriptionChanging ? { description: options.description ?? '' } : {}),
+            }
+            : entry)),
+        command: 'patch rename',
+        forceUnsafe: options.forceUnsafe === true,
+    });
     const decision = await confirmDestructive({
         operation: 'patch-rename',
         title: `Rename ${target.filename}`,
@@ -213,6 +241,8 @@ export async function patchRenameCommand(projectRoot, identifier, options = {})
         nameChanging,
         descriptionChanging,
         ...(options.yes === true ? { yes: true } : {}),
+        ...(options.forceUnsafe === true ? { forceUnsafe: true } : {}),
+        config,
     });
     if (filenameChanging) {
         info(`${target.filename} → ${newFilename}`);
@@ -237,6 +267,7 @@ export function registerPatchRename(parent, context) {
         .option('--description <text>', 'Replacement description (omit to leave description unchanged)')
         .option('--dry-run', 'Show what would change without writing')
         .option('-y, --yes', 'Skip confirmation prompt (required for non-TTY)')
+        .option('--force-unsafe', 'Bypass force-mode patchPolicy refusals')
         .action(withErrorHandling(async (name, options) => {
         await patchRenameCommand(getProjectRoot(), name, pickDefined(options));
     }));

package/dist/src/commands/patch/reorder.js

@@ -9,12 +9,13 @@
  * before any bytes move.
  */
 import { Option } from 'commander';
-import { getProjectPaths } from '../../core/config.js';
+import { getProjectPaths, loadConfig } from '../../core/config.js';
 import { appendHistory, confirmDestructive, } from '../../core/destructive.js';
 import { formatPatchNotFoundError } from '../../core/patch-identifier-suggest.js';
 import { buildPatchQueueContext, lintPatchQueue, } from '../../core/patch-lint.js';
 import { withPatchDirectoryLock } from '../../core/patch-lock.js';
 import { loadPatchesManifest, renumberPatchesInManifest, resolvePatchIdentifier, } from '../../core/patch-manifest.js';
+import { applyRenameMapToManifest, enforcePatchPolicy } from '../../core/patch-policy.js';
 import { GeneralError, InvalidArgumentError } from '../../errors/base.js';
 import { toError } from '../../utils/errors.js';
 import { pathExists } from '../../utils/fs.js';
@@ -184,7 +185,7 @@ function resolveDestination(target, manifestPatches, options) {
     }
     return { destinationOrder: anchor.order + 1, anchorFilename: anchor.filename };
 }
-async function commitReorderPlan(patchesDir, target, renameMap, anchorFilename, options, buildHistoryEntry) {
+async function commitReorderPlan(patchesDir, target, renameMap, anchorFilename, options, config, buildHistoryEntry) {
     await withPatchDirectoryLock(patchesDir, async () => {
         const currentManifest = await loadPatchesManifest(patchesDir);
         if (!currentManifest || currentManifest.patches.length === 0) {
@@ -216,6 +217,12 @@ async function commitReorderPlan(patchesDir, target, renameMap, anchorFilename,
         if (!renameMapsEqual(renameMap, currentRenameMap)) {
             throw new GeneralError('Patch queue changed while waiting for confirmation. Re-run reorder to recompute the rename plan.');
         }
+        enforcePatchPolicy({
+            config,
+            manifest: applyRenameMapToManifest(currentManifest, currentRenameMap),
+            command: 'patch reorder',
+            forceUnsafe: options.forceUnsafe === true,
+        });
         const currentProjected = projectReorder(await buildPatchQueueContext(patchesDir), currentRenameMap);
         const currentConflicts = lintPatchQueue(currentProjected).filter((i) => i.severity === 'error');
         if (currentConflicts.length > 0 && options.forceUnsafe !== true) {
@@ -262,6 +269,7 @@ export async function patchReorderCommand(projectRoot, identifier, options = {})
         throw new InvalidArgumentError('--to, --before, and --after are mutually exclusive.', 'patch reorder');
     }
     const paths = getProjectPaths(projectRoot);
+    const config = await loadConfig(projectRoot);
     if (!(await pathExists(paths.patches))) {
         throw new GeneralError('Patches directory not found.');
     }
@@ -286,6 +294,12 @@ export async function patchReorderCommand(projectRoot, identifier, options = {})
     const projected = projectReorder(baseCtx, renameMap);
     const projectedIssues = lintPatchQueue(projected);
     const errorIssues = projectedIssues.filter((i) => i.severity === 'error');
+    enforcePatchPolicy({
+        config,
+        manifest: applyRenameMapToManifest(manifest, renameMap),
+        command: 'patch reorder',
+        forceUnsafe: options.forceUnsafe === true,
+    });
     const conflicts = errorIssues.length > 0
         ? {
             reason: `reorder would introduce ${errorIssues.length} cross-patch lint error(s)`,
@@ -344,7 +358,7 @@ export async function patchReorderCommand(projectRoot, identifier, options = {})
             result: 'ok',
         };
     };
-    await commitReorderPlan(paths.patches, target, renameMap, anchorFilename, options, buildHistoryEntry);
+    await commitReorderPlan(paths.patches, target, renameMap, anchorFilename, options, config, buildHistoryEntry);
     info(`Reordered ${renameMap.size} patch(es).`);
     outro('Reorder complete');
 }

package/dist/src/commands/re-export-files.js

@@ -6,6 +6,8 @@ import { computeProjectedLintRegressions } from '../core/lint-projection.js';
 import { extractAffectedFiles } from '../core/patch-apply.js';
 import { updatePatchAndMetadata } from '../core/patch-export.js';
 import { buildModifiedFileAdditionsFromDiff, buildPatchQueueContext, detectNewFilesInDiff, lintPatchQueue, } from '../core/patch-lint.js';
+import { loadPatchesManifest } from '../core/patch-manifest.js';
+import { buildProjectedManifest, enforcePatchPolicy } from '../core/patch-policy.js';
 import { extractNewFileContentFromDiff } from '../core/patch-transform.js';
 import { InvalidArgumentError } from '../errors/base.js';
 import { pathExists } from '../utils/fs.js';
@@ -163,6 +165,16 @@ export async function reExportFilesInPlace(paths, selectedPatches, options, conf
     const ignoreChecks = effectiveLintIgnore ? new Set(effectiveLintIgnore) : undefined;
     await runPatchLint(paths.engine, actualProjectedFiles, projectedDiff, config, options.skipLint, undefined, ignoreChecks, effectiveTier);
     const conflicts = await runProjectedCrossPatchLint(paths.patches, target.filename, projectedDiff);
+    const filesUpdates = buildFilesModeMetadataUpdates(actualProjectedFiles, options, effectiveLintIgnore, flagIgnoreSet);
+    const manifest = await loadPatchesManifest(paths.patches);
+    if (manifest) {
+        enforcePatchPolicy({
+            config,
+            manifest: buildProjectedManifest(manifest, manifest.patches.map((entry) => entry.filename === target.filename ? { ...entry, ...filesUpdates } : entry)),
+            command: 're-export --files',
+            forceUnsafe: options.forceUnsafe === true,
+        });
+    }
     // Shrinks are destructive (previously-owned files become unmanaged).
     // Additive-only changes still deserve a prompt because --files asserts
     // an authoritative file set.
@@ -205,7 +217,6 @@ export async function reExportFilesInPlace(paths, selectedPatches, options, conf
     // directory lock as the mutation (via the onCommitted hook) so two
     // concurrent re-exports cannot interleave records and a crash between
     // mutation and append cannot orphan the audit trail.
-    const filesUpdates = buildFilesModeMetadataUpdates(actualProjectedFiles, options, effectiveLintIgnore, flagIgnoreSet);
     await updatePatchAndMetadata(paths.patches, target.filename, projectedDiff, filesUpdates, async () => {
         await appendHistory(paths.patches, {
             operation: 're-export-files',
@@ -219,6 +230,10 @@ export async function reExportFilesInPlace(paths, selectedPatches, options, conf
             ...(options.forceUnsafe === true ? { unsafeOverride: true } : {}),
             result: 'ok',
         });
+    }, {
+        config,
+        command: 're-export --files',
+        forceUnsafe: options.forceUnsafe === true,
     });
     success(`Re-exported ${target.filename}`);
     outro('Re-export complete');