@intentius/chant 0.1.18 → 0.1.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentius/chant",
-  "version": "0.1.18",
+  "version": "0.1.20",
   "description": "Declarative infrastructure-as-code toolkit — TypeScript on Node.js",
   "license": "Apache-2.0",
   "homepage": "https://intentius.io/chant",

package/src/build.test.ts

@@ -1,5 +1,5 @@
 import { describe, test, expect, beforeEach, afterEach } from "vitest";
-import { build, partitionByLexicon, detectCrossLexiconRefs, collectLexiconOutputs } from "./build";
+import { build, partitionByLexicon, detectCrossLexiconRefs, collectLexiconOutputs, computeStackGraph } from "./build";
 import { output } from "./lexicon-output";
 import { AttrRef } from "./attrref";
 import { INTRINSIC_MARKER } from "./intrinsic";
@@ -462,3 +462,50 @@ describe("detectCrossLexiconRefs", () => {
     expect(detected[0].outputName).toBe("dataBucket_Endpoint");
   });
 });
+
+describe("computeStackGraph (#200 — cross-stack apply ordering)", () => {
+  const ent = (lexicon: string, props: Record<string, unknown> = {}): Declarable =>
+    ({ lexicon, entityType: `${lexicon}::X`, [DECLARABLE_MARKER]: true, props }) as unknown as Declarable;
+
+  test("infers a consumer→producer edge from a cross-lexicon AttrRef", () => {
+    const vpc = ent("aws");
+    const svc = ent("k8s", { vpcId: new AttrRef(vpc, "id") });
+    const g = computeStackGraph(new Map([["vpc", vpc], ["svc", svc]]), ["aws", "k8s"]);
+
+    expect(g.edges).toEqual([{ from: "k8s", to: "aws" }]);
+    expect(g.order).toEqual(["aws", "k8s"]); // producer before consumer
+    expect(g.waves).toEqual([["aws"], ["k8s"]]); // separate waves — ordered
+    expect(g.cycles).toEqual([]);
+  });
+
+  test("independent stacks share a wave (parallel-safe)", () => {
+    const g = computeStackGraph(new Map([["a", ent("aws")], ["b", ent("gcp")]]), ["aws", "gcp"]);
+    expect(g.edges).toEqual([]);
+    expect(g.waves).toEqual([["aws", "gcp"]]); // one wave — no inter-dependency
+  });
+
+  test("reports a dependency cycle", () => {
+    const a = ent("x");
+    const b = ent("y", { ref: new AttrRef(a, "out") });
+    // close the loop: a references b
+    (a as unknown as { props: Record<string, unknown> }).props = { ref: new AttrRef(b, "out") };
+    const g = computeStackGraph(new Map([["a", a], ["b", b]]), ["x", "y"]);
+
+    expect(g.edges).toEqual(expect.arrayContaining([{ from: "x", to: "y" }, { from: "y", to: "x" }]));
+    expect(g.cycles).toEqual([["x", "y"]]);
+    expect(g.order).toEqual([]); // nothing is orderable inside a cycle
+  });
+
+  test("a diamond resolves into three waves", () => {
+    // base ← (left, right) ← top
+    const base = ent("base");
+    const left = ent("left", { b: new AttrRef(base, "id") });
+    const right = ent("right", { b: new AttrRef(base, "id") });
+    const top = ent("top", { l: new AttrRef(left, "id"), r: new AttrRef(right, "id") });
+    const g = computeStackGraph(
+      new Map([["base", base], ["left", left], ["right", right], ["top", top]]),
+      ["base", "left", "right", "top"],
+    );
+    expect(g.waves).toEqual([["base"], ["left", "right"], ["top"]]);
+  });
+});

package/src/build.ts

@@ -20,6 +20,115 @@ export interface BuildManifest {
     { source: string; entity: string; attribute: string }
   >;
   deployOrder: string[];
+  /** Cross-stack apply-ordering graph (see {@link computeStackGraph}). */
+  stackGraph: StackGraph;
+}
+
+/**
+ * The cross-stack (cross-lexicon) apply-ordering graph chant already computes
+ * while resolving cross-lexicon references — surfaced as tool-agnostic data for
+ * an orchestrator to consume. chant exposes the order; it does not drive the
+ * apply.
+ */
+export interface StackGraph {
+  /** Stacks (lexicon partitions) in the build. */
+  nodes: string[];
+  /**
+   * Consumer→producer edges: `from` imports a value `to` exports, so `to` must
+   * apply before `from`. Inferred from cross-lexicon references.
+   */
+  edges: Array<{ from: string; to: string }>;
+  /** A flat applicable sequence — every producer before its consumers. */
+  order: string[];
+  /**
+   * Levels: stacks in the same wave have no inter-dependency and may apply
+   * concurrently. `order` flattened with parallelism made explicit.
+   */
+  waves: string[][];
+  /** Dependency cycles, if any (each a list of stacks). Normally empty. */
+  cycles: string[][];
+}
+
+/**
+ * Compute the cross-stack apply-ordering graph from resolved entities. Edges are
+ * inferred from cross-lexicon attribute references (a resource in lexicon A
+ * referencing an attribute of a resource in lexicon B ⇒ A depends on B). Returns
+ * the edge set plus a topological order, parallel-safe waves, and any cycles.
+ */
+export function computeStackGraph(
+  entities: Map<string, Declarable>,
+  lexiconNames: string[],
+): StackGraph {
+  const edges: Array<{ from: string; to: string }> = [];
+  const edgeSet = new Set<string>();
+  const addEdge = (from: string, to: string): void => {
+    if (from === to) return;
+    const key = `${from}\0${to}`;
+    if (edgeSet.has(key)) return;
+    edgeSet.add(key);
+    edges.push({ from, to });
+  };
+
+  const walk = (value: unknown, consumer: string, visited: Set<unknown>): void => {
+    if (value === null || value === undefined || typeof value !== "object") return;
+    if (visited.has(value)) return;
+    visited.add(value);
+    if (value instanceof AttrRef) {
+      const parent = value.parent.deref();
+      const producer = parent ? (parent as Record<string, unknown>).lexicon : undefined;
+      if (typeof producer === "string" && producer !== consumer) addEdge(consumer, producer);
+      return;
+    }
+    if (isLexiconOutput(value)) return;
+    if (Array.isArray(value)) {
+      for (const item of value) walk(item, consumer, visited);
+      return;
+    }
+    for (const val of Object.values(value as Record<string, unknown>)) walk(val, consumer, visited);
+  };
+
+  for (const [, entity] of entities) {
+    const consumer = entity.lexicon;
+    const visited = new Set<unknown>();
+    for (const val of Object.values(entity as unknown as Record<string, unknown>)) {
+      walk(val, consumer, visited);
+    }
+    if ("props" in entity && typeof entity.props === "object" && entity.props !== null) {
+      walk(entity.props, consumer, visited);
+    }
+  }
+
+  // Dependency map: node → producers it depends on.
+  const nodes = lexiconNames.length
+    ? [...lexiconNames]
+    : [...new Set([...entities.values()].map((e) => e.lexicon))];
+  const deps = new Map<string, Set<string>>();
+  for (const n of nodes) deps.set(n, new Set());
+  for (const { from, to } of edges) {
+    if (!deps.has(from)) deps.set(from, new Set());
+    if (!deps.has(to)) deps.set(to, new Set());
+    deps.get(from)!.add(to);
+  }
+
+  // Kahn layering: a node is ready once every producer it depends on is placed.
+  const remaining = new Set(deps.keys());
+  const waves: string[][] = [];
+  const order: string[] = [];
+  while (remaining.size > 0) {
+    const wave = [...remaining]
+      .filter((n) => [...deps.get(n)!].every((d) => !remaining.has(d)))
+      .sort();
+    if (wave.length === 0) break; // remaining nodes form a cycle
+    for (const n of wave) {
+      remaining.delete(n);
+      order.push(n);
+    }
+    waves.push(wave);
+  }
+  const cycles: string[][] = remaining.size > 0 ? [[...remaining].sort()] : [];
+
+  edges.sort((a, b) => `${a.from}\0${a.to}`.localeCompare(`${b.from}\0${b.to}`));
+  return { nodes: [...nodes].sort(), edges, order, waves, cycles };
 }
 
 /**
@@ -288,7 +397,8 @@ function computeDeployOrder(
  */
 function generateManifest(
   lexiconNames: string[],
-  lexiconOutputs: LexiconOutput[]
+  lexiconOutputs: LexiconOutput[],
+  entities: Map<string, Declarable>
 ): BuildManifest {
   const outputsRecord: Record<
     string,
@@ -307,6 +417,7 @@ function generateManifest(
     lexicons: lexiconNames,
     outputs: outputsRecord,
     deployOrder: computeDeployOrder(lexiconNames, lexiconOutputs),
+    stackGraph: computeStackGraph(entities, lexiconNames),
   };
 }
 
@@ -453,7 +564,7 @@ export async function build(
 
   // Step 8: Generate manifest
   const lexiconNames = Array.from(partitions.keys());
-  const manifest = generateManifest(lexiconNames, lexiconOutputs);
+  const manifest = generateManifest(lexiconNames, lexiconOutputs, discoveryResult.entities);
 
   return {
     outputs,

package/src/cli/commands/build.ts

@@ -3,7 +3,7 @@ import { loadChantConfig, resolveOwnershipMarker } from "../../config";
 import type { Serializer, SerializerResult } from "../../serializer";
 import type { LexiconPlugin } from "../../lexicon";
 import { runPostSynthChecks } from "../../lint/post-synth";
-import type { PostSynthCheck } from "../../lint/post-synth";
+import { loadPolicyChecks } from "../../lint/policy";
 import { sortedJsonReplacer } from "../../utils";
 import { formatError, formatWarning, formatSuccess, formatBold, formatInfo } from "../format";
 import { writeFileSync, mkdirSync } from "fs";
@@ -26,8 +26,15 @@ export interface BuildOptions {
   plugins?: LexiconPlugin[];
   /** Print summary to stderr */
   verbose?: boolean;
+  /**
+   * Environment/stack to evaluate policy against (`--env`). Falls back to the
+   * project's `ownership.env`. Passed into post-synth checks so organizational
+   * policy can branch on environment.
+   */
+  env?: string;
 }
 
+
 /**
  * Build command result
  */
@@ -56,11 +63,21 @@ export async function buildCommand(options: BuildOptions): Promise<BuildResult>
 
   // Resolve opt-in ownership marking from project config (search the infra dir
   // and its parent, where chant.config.* usually lives).
-  const { config } = await loadChantConfig(infraPath).then((r) =>
+  const loaded = await loadChantConfig(infraPath).then((r) =>
     r.configPath ? r : loadChantConfig(dirname(infraPath)),
   );
+  const config = loaded.config;
   const ownership = resolveOwnershipMarker(config);
 
+  // Environment for policy evaluation: explicit --env wins, else ownership.env.
+  const env = options.env ?? config.ownership?.env;
+  // Project-authored organizational policy checks (lint.policies), run over the
+  // resolved resources during build. Resolve paths relative to the config dir.
+  const configDir = loaded.configPath ? dirname(loaded.configPath) : infraPath;
+  const policyChecks = config.lint?.policies?.length
+    ? await loadPolicyChecks(config.lint.policies, configDir)
+    : [];
+
   // Run the build
   const result = await build(infraPath, options.serializers, undefined, { ownership });
 
@@ -96,7 +113,7 @@ export async function buildCommand(options: BuildOptions): Promise<BuildResult>
       }
 
       const scopedResult = { ...result, outputs: scopedOutputs };
-      const postDiags = runPostSynthChecks(checks, scopedResult);
+      const postDiags = runPostSynthChecks(checks, scopedResult, env);
       for (const diag of postDiags) {
         const prefix = diag.entity ? `[${diag.entity}] ` : "";
         const lexiconSuffix = diag.lexicon ? ` (${diag.lexicon})` : "";
@@ -107,6 +124,19 @@ export async function buildCommand(options: BuildOptions): Promise<BuildResult>
         }
       }
     }
+
+    // Project-authored organizational policy — cross-cutting, so it sees every
+    // lexicon's output at once (not scoped per-plugin), with the current env.
+    if (policyChecks.length > 0) {
+      const policyDiags = runPostSynthChecks(policyChecks, result, env);
+      for (const diag of policyDiags) {
+        const prefix = diag.entity ? `[${diag.entity}] ` : "";
+        const where = diag.lexicon ? ` (${diag.lexicon})` : "";
+        const msg = `[policy:${diag.checkId}] ${prefix}${diag.message}${where}`;
+        if (diag.severity === "error") errors.push(formatError({ message: msg }));
+        else warnings.push(formatWarning({ message: msg }));
+      }
+    }
   }
 
   // Empty-output guard: source files were discovered but no lexicon produced

package/src/cli/handlers/build.ts

@@ -44,6 +44,7 @@ export async function runBuild(ctx: CommandContext): Promise<number> {
     serializers,
     plugins,
     verbose: args.verbose,
+    env: args.env,
   });
 
   // When --lexicon filters to a subset, suppress "No serializer" warnings for excluded lexicons

package/src/cli/handlers/graph.ts

@@ -1,8 +1,21 @@
+import { resolve } from "node:path";
 import { discoverOps } from "../../op/discover";
-import { formatError } from "../format";
+import { discover } from "../../discovery/index";
+import { partitionByLexicon, computeStackGraph } from "../../build";
+import { formatError, formatWarning, formatBold } from "../format";
 import type { CommandContext } from "../registry";
 
-export async function runGraph(_ctx: CommandContext): Promise<number> {
+/**
+ * `chant graph` — the Op dependency graph by default; `--stacks` renders the
+ * cross-stack apply-ordering graph (edges, order, waves) chant computes from
+ * cross-lexicon references.
+ */
+export async function runGraph(ctx: CommandContext): Promise<number> {
+  if (ctx.args.stacks) return runStackGraph(ctx);
+  return runOpGraph();
+}
+
+async function runOpGraph(): Promise<number> {
   const { ops, errors } = await discoverOps();
   for (const err of errors) console.error(formatError({ message: err }));
 
@@ -21,3 +34,43 @@ export async function runGraph(_ctx: CommandContext): Promise<number> {
   if (!hasEdges) console.log("No Op dependencies");
   return 0;
 }
+
+async function runStackGraph(ctx: CommandContext): Promise<number> {
+  const projectPath = resolve(ctx.args.path === "." ? "." : ctx.args.path);
+  const result = await discover(projectPath);
+  if (result.errors.length > 0) {
+    for (const e of result.errors) console.error(formatError({ message: e.message }));
+    return 1;
+  }
+
+  const lexicons = [...partitionByLexicon(result.entities).keys()];
+  const graph = computeStackGraph(result.entities, lexicons);
+
+  if (ctx.args.json) {
+    console.log(JSON.stringify(graph, null, 2));
+    return graph.cycles.length > 0 ? 1 : 0;
+  }
+
+  if (graph.nodes.length === 0) {
+    console.log("No stacks found");
+    return 0;
+  }
+
+  console.log(formatBold("Apply order (waves apply top-to-bottom; a wave's stacks are parallel-safe):"));
+  graph.waves.forEach((wave, i) => console.log(`  ${i + 1}. ${wave.join(", ")}`));
+
+  if (graph.edges.length > 0) {
+    console.log(formatBold("\nDependencies (consumer → producer):"));
+    for (const { from, to } of graph.edges) console.log(`  ${from} → ${to}`);
+  } else {
+    console.log("\nNo cross-stack dependencies — all stacks are independent.");
+  }
+
+  if (graph.cycles.length > 0) {
+    for (const cycle of graph.cycles) {
+      console.error(formatWarning({ message: `Dependency cycle among stacks: ${cycle.join(" ↔ ")}` }));
+    }
+    return 1;
+  }
+  return 0;
+}

package/src/cli/handlers/lifecycle.ts

@@ -5,6 +5,7 @@ import { readSnapshot, readEnvironmentSnapshots, listSnapshots, fetchLifecycle,
 import { computeBuildDigest, diffDigests } from "../../lifecycle/digest";
 import { diffLive, diffLiveArtifacts, type LiveDiffResult, type LiveArtifactDiffResult } from "../../lifecycle/live-diff";
 import { buildChangeSet, renderChangeSet, type ChangeSet } from "../../lifecycle/change-set";
+import { affectedStacks } from "../../lifecycle/affected";
 import { loadChantConfig } from "../../config";
 import { formatError, formatWarning, formatSuccess, formatBold } from "../format";
 import type { CommandContext } from "../registry";
@@ -576,3 +577,59 @@ function printSnapshotTable(snapshot: LifecycleSnapshot): void {
     );
   }
 }
+
+/**
+ * chant lifecycle affected --base <ref> [--head <ref>] [--include-dependents] [--json]
+ *
+ * Read-only: report which stacks a change affects (directly-changed via artifact
+ * diff, dependents via the cross-stack graph, external-input as indeterminate).
+ * Returns the set; fanning plan/apply over it is an Op the user composes.
+ */
+export async function runLifecycleAffected(ctx: CommandContext): Promise<number> {
+  const { args, plugins } = ctx;
+  if (!args.base) {
+    console.error(formatError({
+      message: "Base ref is required: chant lifecycle affected --base <ref> [--head <ref>] [--include-dependents]",
+    }));
+    return 1;
+  }
+
+  const { config } = await loadChantConfig(resolve("."));
+  const projectPath = resolveBuildRoot(args, config);
+
+  let result;
+  try {
+    result = await affectedStacks({
+      projectPath,
+      serializers: plugins.map((p) => p.serializer),
+      baseRef: args.base,
+      headRef: args.head,
+      includeDependents: args.includeDependents,
+    });
+  } catch (err) {
+    console.error(formatError({ message: err instanceof Error ? err.message : String(err) }));
+    return 1;
+  }
+
+  if (args.json) {
+    console.log(JSON.stringify(result, null, 2));
+    return 0;
+  }
+
+  if (result.changed.length === 0 && result.dependents.length === 0) {
+    console.error(formatSuccess("No stacks affected"));
+  } else {
+    console.log(formatBold("Directly changed:"));
+    console.log(result.changed.length ? result.changed.map((s) => `  ${s}`).join("\n") : "  (none)");
+    if (args.includeDependents) {
+      console.log(formatBold("\nDependents (consume a changed stack):"));
+      console.log(result.dependents.length ? result.dependents.map((s) => `  ${s}`).join("\n") : "  (none)");
+    }
+  }
+  if (result.indeterminate.length > 0) {
+    console.error(formatWarning({
+      message: `External-input stacks — cannot confirm from source: ${result.indeterminate.join(", ")}`,
+    }));
+  }
+  return 0;
+}

package/src/cli/main.ts

@@ -14,7 +14,7 @@ import { runInit, runInitLexicon } from "./handlers/init";
 import { runList, runDescribe, runImport, runUpdate, runDoctor } from "./handlers/misc";
 import { runVendor } from "./handlers/vendor";
 import { runMigrate } from "./handlers/migrate";
-import { runLifecycleSnapshot, runLifecycleShow, runLifecycleDiff, runLifecyclePlan, runLifecycleLog, runLifecycleUnknown } from "./handlers/lifecycle";
+import { runLifecycleSnapshot, runLifecycleShow, runLifecycleDiff, runLifecyclePlan, runLifecycleAffected, runLifecycleLog, runLifecycleUnknown } from "./handlers/lifecycle";
 import { runGraph } from "./handlers/graph";
 import { runOp, runOpList, runOpStatus, runOpSignal, runOpCancel, runOpLog } from "./handlers/run";
 
@@ -51,6 +51,7 @@ export function parseArgs(args: string[]): ParsedArgs {
     reportFile: undefined,
     skill: undefined,
     src: undefined,
+    env: undefined,
   };
 
   let i = 0;
@@ -115,6 +116,16 @@ export function parseArgs(args: string[]): ParsedArgs {
       result.skill = args[++i];
     } else if (arg === "--src") {
       result.src = args[++i];
+    } else if (arg === "--env") {
+      result.env = args[++i];
+    } else if (arg === "--stacks") {
+      result.stacks = true;
+    } else if (arg === "--base") {
+      result.base = args[++i];
+    } else if (arg === "--head") {
+      result.head = args[++i];
+    } else if (arg === "--include-dependents") {
+      result.includeDependents = true;
     } else if (arg === "--local") {
       result.local = true;
     } else if (arg === "--temporal") {
@@ -169,7 +180,7 @@ Ops:
   run cancel <name>     Cancel the active workflow run (requires --force)
   run log <name>        Show run history for an Op
 
-  graph                 Show Op dependency graph
+  graph                 Show Op dependency graph (--stacks for cross-stack order)
 
 Lifecycle (alias: lc):
   lifecycle snapshot <env>  Query API, save metadata to orphan branch
@@ -177,6 +188,7 @@ Lifecycle (alias: lc):
   lifecycle diff <env>      Compare current build against last snapshot
                             --live: query cloud now and detect drift
   lifecycle plan <env>      Typed change set (create/update/delete/adopt) vs live
+  lifecycle affected        Stacks a change affects (--base <ref> [--include-dependents])
                             --json: emit the ChangeSet as JSON
   lifecycle log [env]       History of lifecycle snapshots
 
@@ -201,6 +213,7 @@ Options:
                         - list: text (default) or json
                         - lint: stylish (default), json, or sarif
   -d, --lexicon <name>  Build only the specified lexicon (e.g. aws, gitlab)
+      --env <name>      Environment for organizational policy evaluation (build)
   -t, --template <name> Init template (e.g. node-pipeline, docker-build)
   --skill <name>        Init: install only this skill from the lexicon
   --fix                 Auto-fix fixable issues (lint command)
@@ -300,6 +313,7 @@ const registry: CommandDef[] = [
   { name: "lifecycle show", handler: runLifecycleShow },
   { name: "lifecycle diff", requiresPlugins: true, handler: runLifecycleDiff },
   { name: "lifecycle plan", requiresPlugins: true, handler: runLifecyclePlan },
+  { name: "lifecycle affected", requiresPlugins: true, handler: runLifecycleAffected },
   { name: "lifecycle log", handler: runLifecycleLog },
 
   // Serve subcommands

package/src/cli/registry.ts

@@ -53,6 +53,16 @@ export interface ParsedArgs {
   verbatim?: boolean;
   /** `chant lifecycle … --src <dir>` — build root override for lifecycle commands */
   src?: string;
+  /** `chant build --env <name>` — environment for organizational policy evaluation */
+  env?: string;
+  /** `chant graph --stacks` — render the cross-stack apply-ordering graph */
+  stacks?: boolean;
+  /** `chant lifecycle affected --base <ref>` — base git ref to diff against */
+  base?: string;
+  /** `chant lifecycle affected --head <ref>` — head git ref (default: working tree) */
+  head?: string;
+  /** `chant lifecycle affected --include-dependents` — add downstream consumers */
+  includeDependents?: boolean;
 }
 
 /**

package/src/index.ts

@@ -32,6 +32,7 @@ export * from "./lint/declarative";
 export * from "./lint/selectors";
 export * from "./lint/named-checks";
 export * from "./lint/post-synth";
+export * from "./lint/policy";
 export * from "./lint/rule-loader";
 export * from "./lint/discover";
 export * from "./import/parser";

package/src/lifecycle/affected.test.ts

@@ -0,0 +1,161 @@
+import { describe, test, expect, beforeEach, afterEach } from "vitest";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import {
+  changedStacks,
+  dependentStacks,
+  computeAffected,
+  externalInputStacks,
+  affectedStacks,
+} from "./affected";
+import type { StackGraph } from "../build";
+import type { Serializer } from "../serializer";
+import type { Declarable } from "../declarable";
+
+const execFileAsync = promisify(execFile);
+
+// Serializer whose output reflects entity names + types, so a value change moves
+// the bytes but an unrelated edit (comment) does not.
+const fakeSerializer: Serializer = {
+  name: "fake",
+  rulePrefix: "FAKE",
+  serialize: (entities) =>
+    JSON.stringify([...entities.keys()].sort().map((k) => ({ k, t: entities.get(k)!.entityType }))),
+};
+
+function widget(type: string): string {
+  return `export const foo = { lexicon: "fake", entityType: "${type}", [Symbol.for("chant.declarable")]: true };\n`;
+}
+
+// ── Pure model ────────────────────────────────────────────────────────────────
+
+describe("changedStacks", () => {
+  test("flags stacks whose output differs, and added/removed stacks", () => {
+    const base = new Map([["a", "1"], ["b", "2"], ["gone", "x"]]);
+    const head = new Map([["a", "1"], ["b", "CHANGED"], ["new", "y"]]);
+    expect(changedStacks(base, head)).toEqual(["b", "gone", "new"]);
+  });
+  test("identical builds → nothing changed", () => {
+    const m = new Map([["a", "1"], ["b", "2"]]);
+    expect(changedStacks(m, new Map(m))).toEqual([]);
+  });
+});
+
+describe("dependentStacks", () => {
+  // Diamond: top→left, top→right, left→base, right→base (consumer→producer).
+  const graph: StackGraph = {
+    nodes: ["base", "left", "right", "top"],
+    edges: [
+      { from: "left", to: "base" },
+      { from: "right", to: "base" },
+      { from: "top", to: "left" },
+      { from: "top", to: "right" },
+    ],
+    order: ["base", "left", "right", "top"],
+    waves: [["base"], ["left", "right"], ["top"]],
+    cycles: [],
+  };
+  test("a changed producer surfaces all transitive consumers", () => {
+    expect(dependentStacks(["base"], graph)).toEqual(["left", "right", "top"]);
+  });
+  test("a changed mid-stack surfaces only what's above it", () => {
+    expect(dependentStacks(["left"], graph)).toEqual(["top"]);
+  });
+  test("nothing depends on the top", () => {
+    expect(dependentStacks(["top"], graph)).toEqual([]);
+  });
+});
+
+describe("computeAffected", () => {
+  const graph: StackGraph = {
+    nodes: ["aws", "k8s"],
+    edges: [{ from: "k8s", to: "aws" }],
+    order: ["aws", "k8s"],
+    waves: [["aws"], ["k8s"]],
+    cycles: [],
+  };
+  const base = new Map([["aws", "v1"], ["k8s", "same"]]);
+  const head = new Map([["aws", "v2"], ["k8s", "same"]]);
+
+  test("dependents excluded by default", () => {
+    const r = computeAffected(base, head, graph);
+    expect(r.changed).toEqual(["aws"]);
+    expect(r.dependents).toEqual([]);
+  });
+  test("--include-dependents adds the unchanged consumer of a changed producer", () => {
+    const r = computeAffected(base, head, graph, { includeDependents: true });
+    expect(r.changed).toEqual(["aws"]);
+    expect(r.dependents).toEqual(["k8s"]); // k8s bytes unchanged, but consumes aws
+  });
+  test("external-input stacks are reported as indeterminate", () => {
+    const r = computeAffected(base, head, graph, { externalInput: ["k8s"] });
+    expect(r.indeterminate).toEqual(["k8s"]);
+  });
+});
+
+describe("externalInputStacks", () => {
+  test("detects stacks declaring a deploy-time parameter", () => {
+    const entities = new Map<string, Declarable>([
+      ["p", { lexicon: "aws", entityType: "Param", parameterType: "String" } as unknown as Declarable],
+      ["r", { lexicon: "k8s", entityType: "Deployment" } as unknown as Declarable],
+    ]);
+    expect(externalInputStacks(entities)).toEqual(["aws"]);
+  });
+});
+
+// ── Integration: artifact diff over real builds ──────────────────────────────
+
+describe("affectedStacks — baseDir (caller-supplied)", () => {
+  let root: string;
+  beforeEach(() => {
+    root = mkdtempSync(join(tmpdir(), "chant-affected-it-"));
+  });
+  afterEach(() => rmSync(root, { recursive: true, force: true }));
+
+  const srcDir = (name: string, content: string): string => {
+    const dir = join(root, name);
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(join(dir, "infra.ts"), content);
+    return dir;
+  };
+
+  test("a value change makes the stack affected", async () => {
+    const base = srcDir("base", widget("Widget"));
+    const head = srcDir("head", widget("Gadget"));
+    const r = await affectedStacks({ projectPath: head, baseDir: base, serializers: [fakeSerializer] });
+    expect(r.changed).toEqual(["fake"]);
+  });
+
+  test("a no-output-change refactor is NOT affected (deterministic build)", async () => {
+    const base = srcDir("base", widget("Widget"));
+    // Same declarable, only a comment added — serialized output is identical.
+    const head = srcDir("head", "// a harmless refactor\n" + widget("Widget"));
+    const r = await affectedStacks({ projectPath: head, baseDir: base, serializers: [fakeSerializer] });
+    expect(r.changed).toEqual([]);
+  });
+});
+
+describe("affectedStacks — baseRef (git worktree)", () => {
+  let repo: string;
+  beforeEach(async () => {
+    repo = mkdtempSync(join(tmpdir(), "chant-affected-git-"));
+    const git = (...a: string[]) => execFileAsync("git", a, { cwd: repo });
+    await git("init", "-q");
+    await git("config", "user.email", "t@t.dev");
+    await git("config", "user.name", "t");
+    writeFileSync(join(repo, "infra.ts"), widget("Widget"));
+    await git("add", "-A");
+    await git("commit", "-q", "-m", "base");
+  });
+  afterEach(() => rmSync(repo, { recursive: true, force: true }));
+
+  test("diffs the working tree against a base ref via one worktree", async () => {
+    // Mutate the working tree (uncommitted) — the head build sees this.
+    writeFileSync(join(repo, "infra.ts"), widget("Gadget"));
+    const r = await affectedStacks({ projectPath: repo, baseRef: "HEAD", serializers: [fakeSerializer] });
+    expect(r.changed).toEqual(["fake"]);
+  }, 30_000);
+});

package/src/lifecycle/affected.ts

@@ -0,0 +1,202 @@
+/**
+ * Selective change-set scoping — which stacks does a change affect?
+ *
+ * "Affected" is two distinct things, because chant serializes cross-stack
+ * references symbolically:
+ *   1. **Directly changed** — the stack's built artifact differs between base
+ *      and head. Caught by artifact diff over deterministic builds, so it
+ *      ignores comment-only / refactor-with-no-output-change edits.
+ *   2. **Operationally affected (dependents)** — a stack whose own artifact is
+ *      unchanged but which consumes an upstream export whose value changed. Its
+ *      bytes don't move, yet it may need re-apply. Caught by walking the
+ *      cross-stack graph (#200) from the directly-changed set; opt-in.
+ *
+ * A stack whose inputs come from outside synthesis (deploy-time params) cannot
+ * be judged from a source diff — reported as **indeterminate**, not silently
+ * included or excluded.
+ *
+ * This returns the set; it does not act. Fanning `lifecycle plan` / `ApplyOp`
+ * over it is an Op the user composes.
+ */
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { mkdtempSync, rmSync, existsSync, symlinkSync, realpathSync } from "node:fs";
+import { join, relative, resolve } from "node:path";
+import { tmpdir } from "node:os";
+import { build, type StackGraph } from "../build";
+import { getPrimaryOutput } from "../lint/post-synth";
+import type { Serializer } from "../serializer";
+import type { Declarable } from "../declarable";
+
+const execFileAsync = promisify(execFile);
+
+export interface AffectedResult {
+  /** Stacks whose built artifact differs between base and head. */
+  changed: string[];
+  /** Downstream consumers of changed stacks (only when `includeDependents`). */
+  dependents: string[];
+  /** Stacks with deploy-time inputs — cannot be confirmed from a source diff. */
+  indeterminate: string[];
+}
+
+// ── Pure model ──────────────────────────────────────────────────────────────
+
+/** Stacks whose serialized output differs between the two builds (added/removed count). */
+export function changedStacks(
+  base: Map<string, string>,
+  head: Map<string, string>,
+): string[] {
+  const names = new Set([...base.keys(), ...head.keys()]);
+  const changed: string[] = [];
+  for (const name of names) {
+    if (base.get(name) !== head.get(name)) changed.push(name);
+  }
+  return changed.sort();
+}
+
+/**
+ * Walk the cross-stack graph backwards from `changed` to find every stack that
+ * (transitively) consumes a changed stack. Edge `from → to` means `from`
+ * depends on `to`, so a changed `to` makes `from` a dependent.
+ */
+export function dependentStacks(changed: string[], graph: StackGraph): string[] {
+  const consumersOf = new Map<string, string[]>();
+  for (const { from, to } of graph.edges) {
+    (consumersOf.get(to) ?? consumersOf.set(to, []).get(to)!).push(from);
+  }
+  const seen = new Set(changed);
+  const queue = [...changed];
+  const dependents = new Set<string>();
+  while (queue.length > 0) {
+    const node = queue.shift()!;
+    for (const consumer of consumersOf.get(node) ?? []) {
+      if (seen.has(consumer)) continue;
+      seen.add(consumer);
+      dependents.add(consumer);
+      queue.push(consumer);
+    }
+  }
+  return [...dependents].sort();
+}
+
+/**
+ * Compute the affected set from two per-stack artifact maps and the cross-stack
+ * graph. Pure — no builds, no git — so the model is independently testable.
+ */
+export function computeAffected(
+  base: Map<string, string>,
+  head: Map<string, string>,
+  graph: StackGraph,
+  opts: { includeDependents?: boolean; externalInput?: string[] } = {},
+): AffectedResult {
+  const changed = changedStacks(base, head);
+  const dependents = opts.includeDependents ? dependentStacks(changed, graph) : [];
+  const indeterminate = [...(opts.externalInput ?? [])].sort();
+  return { changed, dependents, indeterminate };
+}
+
+// ── Build + git plumbing ──────────────────────────────────────────────────────
+
+/** A built BuildResult's per-stack (lexicon) primary output, keyed by stack. */
+export function artifactMap(outputs: Map<string, string | { primary: string }>): Map<string, string> {
+  const map = new Map<string, string>();
+  for (const [stack, output] of outputs) map.set(stack, getPrimaryOutput(output as string));
+  return map;
+}
+
+/** Stacks (lexicons) that declare a deploy-time parameter — external input. */
+export function externalInputStacks(entities: Map<string, Declarable>): string[] {
+  const stacks = new Set<string>();
+  for (const [, entity] of entities) {
+    if ("parameterType" in entity && typeof (entity as { parameterType?: unknown }).parameterType === "string") {
+      stacks.add(entity.lexicon);
+    }
+  }
+  return [...stacks].sort();
+}
+
+async function gitTopLevel(cwd: string): Promise<string> {
+  const { stdout } = await execFileAsync("git", ["rev-parse", "--show-toplevel"], { cwd });
+  return stdout.trim();
+}
+
+/**
+ * Check out `ref` into a throwaway worktree, symlink the repo's node_modules so
+ * lexicon imports resolve, run `fn`, then remove the worktree. At most one
+ * worktree exists at a time.
+ */
+async function withWorktree<T>(repoRoot: string, ref: string, fn: (dir: string) => Promise<T>): Promise<T> {
+  const dir = mkdtempSync(join(tmpdir(), "chant-affected-"));
+  await execFileAsync("git", ["worktree", "add", "--detach", dir, ref], { cwd: repoRoot });
+  try {
+    const nm = join(repoRoot, "node_modules");
+    const linked = join(dir, "node_modules");
+    if (existsSync(nm) && !existsSync(linked)) symlinkSync(nm, linked, "dir");
+    return await fn(dir);
+  } finally {
+    await execFileAsync("git", ["worktree", "remove", "--force", dir], { cwd: repoRoot }).catch(() => {
+      rmSync(dir, { recursive: true, force: true });
+    });
+  }
+}
+
+export interface AffectedStacksOptions {
+  /** Project source directory to scope (the head/working-tree build root). */
+  projectPath: string;
+  serializers: Serializer[];
+  /** Base git ref to diff against (built in a throwaway worktree). */
+  baseRef?: string;
+  /** Head git ref. Defaults to the working tree (built in place — no worktree). */
+  headRef?: string;
+  /**
+   * Caller-supplied base source directory (already on disk). Takes precedence
+   * over `baseRef` — no worktree is created. Use for a build cache or two dist
+   * trees you already have.
+   */
+  baseDir?: string;
+  includeDependents?: boolean;
+}
+
+/**
+ * Compute the affected stacks for a change. Head is built in place (the working
+ * tree); base is built from `baseDir` if supplied, else from `baseRef` via a
+ * single throwaway worktree. Builds are deterministic, so a cached/supplied base
+ * is as trustworthy as a rebuild.
+ */
+export async function affectedStacks(opts: AffectedStacksOptions): Promise<AffectedResult> {
+  const projectPath = resolve(opts.projectPath);
+  const needsWorktree = Boolean(opts.headRef) || Boolean(opts.baseRef && !opts.baseDir);
+  const repoRoot = needsWorktree ? await gitTopLevel(projectPath) : projectPath;
+  // Canonicalize via realpath so the worktree-relative path is correct even when
+  // the temp dir is a symlink (macOS /var → /private/var) and `git
+  // rev-parse --show-toplevel` reports the real path.
+  const relProject = needsWorktree ? relative(repoRoot, realpathSync(projectPath)) : "";
+
+  // Head: the in-place build of the working tree, unless an explicit headRef is
+  // given (then a throwaway worktree — removed before the base worktree, so at
+  // most one exists at a time).
+  const head = opts.headRef
+    ? await withWorktree(repoRoot, opts.headRef, (dir) => build(join(dir, relProject), opts.serializers))
+    : await build(projectPath, opts.serializers);
+  const headMap = artifactMap(head.outputs);
+  const externalInput = externalInputStacks(head.entities);
+
+  // Base: caller-supplied dir (cheapest), else a single worktree at baseRef.
+  let baseMap: Map<string, string>;
+  if (opts.baseDir) {
+    const baseBuild = await build(resolve(opts.baseDir), opts.serializers);
+    baseMap = artifactMap(baseBuild.outputs);
+  } else if (opts.baseRef) {
+    baseMap = await withWorktree(repoRoot, opts.baseRef, async (dir) => {
+      const baseBuild = await build(join(dir, relProject), opts.serializers);
+      return artifactMap(baseBuild.outputs);
+    });
+  } else {
+    throw new Error("affectedStacks requires either baseDir or baseRef");
+  }
+
+  return computeAffected(baseMap, headMap, head.manifest.stackGraph, {
+    includeDependents: opts.includeDependents,
+    externalInput,
+  });
+}

package/src/lifecycle/index.ts

@@ -4,3 +4,4 @@ export * from "./digest";
 export * from "./snapshot";
 export * from "./live-diff";
 export * from "./change-set";
+export * from "./affected";

package/src/lint/config.ts

@@ -29,6 +29,7 @@ export const LintConfigSchema = z.object({
     rules: z.record(z.string(), RuleConfigSchema),
   })).optional(),
   plugins: z.array(z.string()).optional(),
+  policies: z.array(z.string()).optional(),
 });
 
 /**
@@ -149,6 +150,14 @@ export interface LintConfig {
   overrides?: LintOverride[];
   /** Array of plugin file paths to load custom rules from (project-local, not inherited) */
   plugins?: string[];
+  /**
+   * Array of file paths to load project-authored organizational policy checks
+   * from — each exporting one or more {@link PostSynthCheck} objects. They run
+   * during `chant build` over the resolved resources, with the current `env` in
+   * context. Distinct from `plugins` (declarative lint rules) by authorship and
+   * phase; same engine.
+   */
+  policies?: string[];
 }
 
 /**

package/src/lint/policy.ts

@@ -0,0 +1,81 @@
+/**
+ * Project-authored organizational policy: loading the policy pack and evaluating
+ * it against a freshly built project. `chant build` runs policies inline; the
+ * `policyGate` Op step runs this to gate an apply on the same checks.
+ */
+import { resolve, dirname } from "node:path";
+import { loadChantConfig } from "../config";
+import { resolveProjectLexicons, loadPlugins } from "../cli/plugins";
+import { build } from "../build";
+import { runPostSynthChecks, isPostSynthCheck } from "./post-synth";
+import type { PostSynthCheck, PostSynthDiagnostic } from "./post-synth";
+
+/** Load project policy checks (one or more `PostSynthCheck` exports) from files. */
+export async function loadPolicyChecks(paths: string[], configDir: string): Promise<PostSynthCheck[]> {
+  const checks: PostSynthCheck[] = [];
+  for (const p of paths) {
+    const resolved = resolve(configDir, p);
+    let mod: Record<string, unknown>;
+    try {
+      mod = (await import(resolved)) as Record<string, unknown>;
+    } catch (err) {
+      throw new Error(
+        `Failed to load policy "${p}": ${err instanceof Error ? err.message : String(err)}`,
+      );
+    }
+    for (const value of Object.values(mod)) {
+      if (isPostSynthCheck(value)) checks.push(value);
+    }
+  }
+  return checks;
+}
+
+export interface PolicyEvaluation {
+  /** All policy diagnostics (errors + warnings). */
+  diagnostics: PostSynthDiagnostic[];
+  /** The error-severity subset — these are policy *violations* that gate. */
+  violations: PostSynthDiagnostic[];
+  /** The environment policies were evaluated against (if any). */
+  env?: string;
+}
+
+/**
+ * Build a project and run its `lint.policies` over the resolved resources,
+ * standalone — used by the `policyGate` Op step to gate an apply on the same
+ * organizational policy `chant build` enforces. Loads the project's lexicons,
+ * builds, then runs the policy pack with `env` (explicit, else `ownership.env`).
+ */
+export async function evaluateProjectPolicies(opts: {
+  path: string;
+  env?: string;
+}): Promise<PolicyEvaluation> {
+  const buildPath = resolve(opts.path);
+
+  const lexiconNames = await resolveProjectLexicons(buildPath);
+  const plugins = await loadPlugins(lexiconNames);
+  const serializers = plugins.map((p) => p.serializer);
+
+  // Config can live in the build dir or its parent (the project root).
+  const loaded = await loadChantConfig(buildPath).then((r) =>
+    r.configPath ? r : loadChantConfig(dirname(buildPath)),
+  );
+  const config = loaded.config;
+  const configDir = loaded.configPath ? dirname(loaded.configPath) : buildPath;
+  const env = opts.env ?? config.ownership?.env;
+
+  const result = await build(buildPath, serializers);
+  if (result.errors.length > 0) {
+    throw new Error("Build failed — cannot evaluate policy on a broken build");
+  }
+
+  const checks = config.lint?.policies?.length
+    ? await loadPolicyChecks(config.lint.policies, configDir)
+    : [];
+  if (checks.length === 0) {
+    return { diagnostics: [], violations: [], env };
+  }
+
+  const diagnostics = runPostSynthChecks(checks, result, env);
+  const violations = diagnostics.filter((d) => d.severity === "error");
+  return { diagnostics, violations, env };
+}

package/src/lint/post-synth.test.ts

@@ -111,3 +111,33 @@ describe("post-synth checks", () => {
     expect(diags).toHaveLength(0);
   });
 });
+
+describe("environment-aware checks (#201)", () => {
+  // A policy that only fires in prod — the new env-branching primitive.
+  const prodOnly: PostSynthCheck = {
+    id: "ENV-PROD",
+    description: "fires only in prod",
+    check(ctx) {
+      return ctx.env === "prod"
+        ? [{ checkId: "ENV-PROD", severity: "error", message: "blocked in prod" }]
+        : [];
+    },
+  };
+
+  test("env is threaded into the context", () => {
+    expect(runPostSynthChecks([prodOnly], createBuildResult(), "prod")).toHaveLength(1);
+    expect(runPostSynthChecks([prodOnly], createBuildResult(), "dev")).toHaveLength(0);
+    expect(runPostSynthChecks([prodOnly], createBuildResult())).toHaveLength(0); // env undefined
+  });
+});
+
+describe("isPostSynthCheck", () => {
+  test("accepts a well-formed check and rejects others", async () => {
+    const { isPostSynthCheck } = await import("./post-synth");
+    expect(isPostSynthCheck({ id: "X", description: "d", check: () => [] })).toBe(true);
+    expect(isPostSynthCheck({ id: "X", description: "d" })).toBe(false); // no check fn
+    expect(isPostSynthCheck({ check: () => [] })).toBe(false); // no id/description
+    expect(isPostSynthCheck(null)).toBe(false);
+    expect(isPostSynthCheck("nope")).toBe(false);
+  });
+});

package/src/lint/post-synth.ts

@@ -10,6 +10,12 @@ export interface PostSynthContext {
   outputs: Map<string, string | SerializerResult>;
   /** Map of entity name to Declarable entity */
   entities: Map<string, Declarable>;
+  /**
+   * The environment/stack being built, if known (from `--env` or the project's
+   * `ownership.env`). Lets an organizational policy branch on environment —
+   * e.g. "no public buckets in prod". Undefined when no environment is set.
+   */
+  env?: string;
   /** Raw build result object */
   buildResult: {
     outputs: Map<string, string | SerializerResult>;
@@ -44,7 +50,9 @@ export interface PostSynthDiagnostic {
 }
 
 /**
- * A post-synthesis check that validates build output.
+ * A post-synthesis check that validates build output. Lexicons ship these as
+ * domain rules; projects author them as organizational policy (see the
+ * `lint.policies` config and the Organizational Policy guide).
  */
 export interface PostSynthCheck {
   /** Unique identifier for this check */
@@ -55,16 +63,30 @@ export interface PostSynthCheck {
   check(ctx: PostSynthContext): PostSynthDiagnostic[];
 }
 
+/** Structural type guard — used to collect project-authored policy checks. */
+export function isPostSynthCheck(value: unknown): value is PostSynthCheck {
+  return (
+    typeof value === "object" &&
+    value !== null &&
+    typeof (value as PostSynthCheck).id === "string" &&
+    typeof (value as PostSynthCheck).description === "string" &&
+    typeof (value as PostSynthCheck).check === "function"
+  );
+}
+
 /**
- * Run a set of post-synthesis checks against a build result.
+ * Run a set of post-synthesis checks against a build result. `env` is threaded
+ * into the context so a check can branch on the current environment/stack.
  */
 export function runPostSynthChecks(
   checks: PostSynthCheck[],
   buildResult: PostSynthContext["buildResult"],
+  env?: string,
 ): PostSynthDiagnostic[] {
   const ctx: PostSynthContext = {
     outputs: buildResult.outputs,
     entities: buildResult.entities,
+    env,
     buildResult,
   };
 

package/src/op/builders.ts

@@ -130,3 +130,17 @@ export const shell = (
 /** Run `chant teardown` in the given project directory. Uses `longInfra` profile. */
 export const teardown = (path: string): ActivityStep =>
   activity("chantTeardown", { path }, "longInfra");
+
+/**
+ * Gate an apply on organizational policy: build the project and run its
+ * `lint.policies` over the resolved resources, blocking the workflow on any
+ * violation. Place it before the apply phase. `env` (or `ownership.env`) lets a
+ * policy branch on environment. Single-attempt (`policyCheck` profile) — a
+ * deterministic violation is not retried.
+ */
+export const policyGate = (opts?: { env?: string; path?: string }): ActivityStep =>
+  activity(
+    "policyGate",
+    { path: opts?.path ?? ".", ...(opts?.env ? { env: opts.env } : {}) },
+    "policyCheck",
+  );

package/src/op/index.ts

@@ -1,5 +1,5 @@
 export { Op, phase, activity, gate, build, kubectlApply, helmInstall, waitForStack,
-         gitlabPipeline, lifecycleSnapshot, shell, teardown } from "./builders";
+         gitlabPipeline, lifecycleSnapshot, shell, teardown, policyGate } from "./builders";
 export { OpResource } from "./resource";
 export type { OpConfig, PhaseDefinition, StepDefinition, ActivityStep, GateStep } from "./types";
 export { discoverOps } from "./discover";

package/src/op/op.test.ts

@@ -4,7 +4,7 @@
 
 import { describe, expect, it } from "vitest";
 import { Op, phase, activity, gate, build, kubectlApply, helmInstall,
-         waitForStack, gitlabPipeline, lifecycleSnapshot, shell, teardown } from "./builders";
+         waitForStack, gitlabPipeline, lifecycleSnapshot, shell, teardown, policyGate } from "./builders";
 import { DECLARABLE_MARKER, type Declarable } from "../declarable";
 
 // ── Op() ──────────────────────────────────────────────────────────────────────
@@ -196,6 +196,20 @@ describe("pre-built shortcuts", () => {
     expect(a.args?.path).toBe("./project");
     expect(a.profile).toBe("longInfra");
   });
+
+  it("policyGate() produces a policyGate activity with the single-attempt policyCheck profile", () => {
+    const a = policyGate({ env: "prod" });
+    expect(a.fn).toBe("policyGate");
+    expect(a.args?.path).toBe("."); // defaults to the project dir
+    expect(a.args?.env).toBe("prod");
+    expect(a.profile).toBe("policyCheck");
+  });
+
+  it("policyGate() with no opts defaults path to '.' and omits env", () => {
+    const a = policyGate();
+    expect(a.args?.path).toBe(".");
+    expect("env" in (a.args ?? {})).toBe(false);
+  });
 });
 
 describe("profile routing (opts.profile sets the step profile, never leaks into args)", () => {

package/src/op/types.ts

@@ -45,7 +45,7 @@ export interface ActivityStep {
    * Key from TEMPORAL_ACTIVITY_PROFILES controlling timeout + retry.
    * Default: "fastIdempotent"
    */
-  profile?: "fastIdempotent" | "longInfra" | "k8sWait" | "humanGate" | "argoSync";
+  profile?: "fastIdempotent" | "longInfra" | "k8sWait" | "humanGate" | "argoSync" | "policyCheck";
   /**
    * Surface this activity's return value as a workflow search attribute.
    *