@lannguyensi/harness 0.26.0 → 0.28.0

package/dist/policy-packs/builtin/branch-protection.js

@@ -28,9 +28,26 @@
 // Pack is OFF by default: it must be enabled per-installation via
 // `harness pack add branch-protection`. The `full` init template does
 // NOT wire it (revisit after one cycle of operator feedback).
+import { z } from "zod";
+import { PolicyUxSchema } from "../../schema/policies.js";
 import { DEFAULT_RUNTIME } from "../runtime.js";
 import { ACK_TAG_PREFIX, DEFAULT_PROTECTED_BRANCHES, NON_PROTECTED_TAG_PREFIX, PACK_NAME, PRODUCER_FRESHNESS_MS, resolveProtectedBranches, } from "./branch-protection-runtime.js";
 export { PACK_NAME };
+/**
+ * Zod schema for this pack's `config:` block. See sibling pack
+ * `understanding-before-execution.configSchema` for rationale: strict
+ * by design so typo'd keys fail loud at lint time. `protected_branches`
+ * is the only operator-tunable key today; new keys land here first,
+ * then in `resolveProtectedBranches`.
+ */
+export const configSchema = z
+    .object({
+    protected_branches: z.array(z.string().min(1)).optional(),
+    // `ux` is consumed by the PreToolUse blocker to render an
+    // agent-facing remediation block when the gate trips.
+    ux: PolicyUxSchema.optional(),
+})
+    .strict();
 const HOOK_NAME_PREFIX = `policy-pack:${PACK_NAME}`;
 const PRE_TOOL_USE_MATCH_CLAUDE = "Write|Edit";
 const PRE_TOOL_USE_MATCH_CODEX = "apply_patch";

package/dist/policy-packs/builtin/branch-protection.js.map

@@ -1 +1 @@
-{"version":3,"file":"branch-protection.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/branch-protection.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAC5C,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,sEAAsE;AACtE,wEAAwE;AACxE,EAAE;AACF,yDAAyD;AACzD,EAAE;AACF,0EAA0E;AAC1E,oEAAoE;AACpE,qEAAqE;AACrE,uCAAuC;AACvC,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,wDAAwD;AACxD,+DAA+D;AAC/D,oEAAoE;AACpE,0EAA0E;AAC1E,mDAAmD;AACnD,EAAE;AACF,wEAAwE;AACxE,sEAAsE;AACtE,iEAAiE;AACjE,WAAW;AACX,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,8DAA8D;AAG9D,OAAO,EAAE,eAAe,EAAgB,MAAM,eAAe,CAAC;AAE9D,OAAO,EACL,cAAc,EACd,0BAA0B,EAC1B,wBAAwB,EACxB,SAAS,EACT,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EAAE,SAAS,EAAE,CAAC;AAErB,MAAM,gBAAgB,GAAG,eAAe,SAAS,EAAE,CAAC;AAEpD,MAAM,yBAAyB,GAAG,YAAY,CAAC;AAC/C,MAAM,wBAAwB,GAAG,aAAa,CAAC;AAE/C,MAAM,gBAAgB,GAAG,oCAAoC,CAAC;AAC9D,MAAM,eAAe,GAAG,qCAAqC,CAAC;AAE9D,SAAS,UAAU,CAAC,OAAgB;IAClC,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB,CAAC;IACpF,OAAO;QACL;YACE,IAAI,EAAE,GAAG,gBAAgB,gBAAgB;YACzC,KAAK,EAAE,cAAc;YACrB,OAAO,EAAE,gBAAgB;YACzB,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EACT,wKAAwK;SAC3K;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,eAAe;YACxC,KAAK,EAAE,YAAY;YACnB,KAAK,EAAE,YAAY;YACnB,OAAO,EAAE,eAAe;YACxB,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,IAAI;YACf,WAAW,EAAE,iBAAiB,YAAY,0HAA0H;SACrK;KACF,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAgB,EAAE,QAA2B,EAAE,OAAgB;IACxF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB,CAAC;IACpF,MAAM,gBAAgB,GAAG,OAAO;QAC9B,CAAC,CAAC,uCAAuC;QACzC,CAAC,CAAC,iCAAiC,CAAC;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,GAAG,KAAK,CAAC,CAAC;IAC1D,OAAO,kBAAkB,SAAS;;;;;;;;EAQlC,OAAO;;;;EAIP,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;;;;;uDAMS,gBAAgB;;kCAErC,gBAAgB;;oBAE9B,wBAAwB;;;+BAGb,eAAe;OACvC,YAAY;WACR,wBAAwB;uBACZ,OAAO;WACnB,cAAc;;;;;oCAKW,gBAAgB;;;;;;gBAMpC,cAAc;;;;;;;;;;;;;;;EAe5B,WAAW,CAAC,CAAC,CAAC,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;;YAEtD,SAAS;eACN,OAAO;cACR,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC;CAClD,CAAC;AACF,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,IAAgB,EAChB,UAAmB,eAAe;IAElC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAC7D,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,KAAK,GAA2B;QACpC;YACE,YAAY,EAAE,gBAAgB,SAAS,kBAAkB;YACzD,OAAO,EAAE,iBAAiB,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC;SACpD;KACF,CAAC;IACF,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,CAAC;AACtD,CAAC"}
+{"version":3,"file":"branch-protection.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/branch-protection.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAC5C,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,sEAAsE;AACtE,wEAAwE;AACxE,EAAE;AACF,yDAAyD;AACzD,EAAE;AACF,0EAA0E;AAC1E,oEAAoE;AACpE,qEAAqE;AACrE,uCAAuC;AACvC,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,wDAAwD;AACxD,+DAA+D;AAC/D,oEAAoE;AACpE,0EAA0E;AAC1E,mDAAmD;AACnD,EAAE;AACF,wEAAwE;AACxE,sEAAsE;AACtE,iEAAiE;AACjE,WAAW;AACX,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,8DAA8D;AAE9D,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAgB,MAAM,eAAe,CAAC;AAE9D,OAAO,EACL,cAAc,EACd,0BAA0B,EAC1B,wBAAwB,EACxB,SAAS,EACT,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EAAE,SAAS,EAAE,CAAC;AAErB;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC;KAC1B,MAAM,CAAC;IACN,kBAAkB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACzD,0DAA0D;IAC1D,sDAAsD;IACtD,EAAE,EAAE,cAAc,CAAC,QAAQ,EAAE;CAC9B,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,gBAAgB,GAAG,eAAe,SAAS,EAAE,CAAC;AAEpD,MAAM,yBAAyB,GAAG,YAAY,CAAC;AAC/C,MAAM,wBAAwB,GAAG,aAAa,CAAC;AAE/C,MAAM,gBAAgB,GAAG,oCAAoC,CAAC;AAC9D,MAAM,eAAe,GAAG,qCAAqC,CAAC;AAE9D,SAAS,UAAU,CAAC,OAAgB;IAClC,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB,CAAC;IACpF,OAAO;QACL;YACE,IAAI,EAAE,GAAG,gBAAgB,gBAAgB;YACzC,KAAK,EAAE,cAAc;YACrB,OAAO,EAAE,gBAAgB;YACzB,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EACT,wKAAwK;SAC3K;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,eAAe;YACxC,KAAK,EAAE,YAAY;YACnB,KAAK,EAAE,YAAY;YACnB,OAAO,EAAE,eAAe;YACxB,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,IAAI;YACf,WAAW,EAAE,iBAAiB,YAAY,0HAA0H;SACrK;KACF,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAgB,EAAE,QAA2B,EAAE,OAAgB;IACxF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB,CAAC;IACpF,MAAM,gBAAgB,GAAG,OAAO;QAC9B,CAAC,CAAC,uCAAuC;QACzC,CAAC,CAAC,iCAAiC,CAAC;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,GAAG,KAAK,CAAC,CAAC;IAC1D,OAAO,kBAAkB,SAAS;;;;;;;;EAQlC,OAAO;;;;EAIP,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;;;;;uDAMS,gBAAgB;;kCAErC,gBAAgB;;oBAE9B,wBAAwB;;;+BAGb,eAAe;OACvC,YAAY;WACR,wBAAwB;uBACZ,OAAO;WACnB,cAAc;;;;;oCAKW,gBAAgB;;;;;;gBAMpC,cAAc;;;;;;;;;;;;;;;EAe5B,WAAW,CAAC,CAAC,CAAC,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;;YAEtD,SAAS;eACN,OAAO;cACR,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC;CAClD,CAAC;AACF,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,IAAgB,EAChB,UAAmB,eAAe;IAElC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAC7D,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,KAAK,GAA2B;QACpC;YACE,YAAY,EAAE,gBAAgB,SAAS,kBAAkB;YACzD,OAAO,EAAE,iBAAiB,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC;SACpD;KACF,CAAC;IACF,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,CAAC;AACtD,CAAC"}

package/dist/policy-packs/builtin/understanding-before-execution.d.ts

@@ -1,10 +1,157 @@
+import { z } from "zod";
 import type { PolicyPack } from "../../schema/index.js";
 import { type Runtime } from "../runtime.js";
 import type { PackContribution } from "../types.js";
 export declare const PACK_NAME = "understanding-before-execution";
+export declare const VERSION_COMMAND: readonly [string, string];
 export type Mode = "fast_confirm" | "grill_me" | "strict";
 export declare const DEFAULT_MODE: Mode;
 export declare function isMode(value: unknown): value is Mode;
+/**
+ * Zod schema for this pack's `config:` block. Surfaced via
+ * `resolveBuiltinConfigSchema()` and consumed by `harness validate` /
+ * `harness doctor` so typo'd keys (e.g. `permision_profile`) or values
+ * (e.g. `mode: fastConfirm`) fail loud at lint time instead of falling
+ * through to the runtime fallback. Each shape mirrors what the pack's
+ * own resolvers (`resolveMode`, `resolveExpireOnToolMatch`,
+ * `resolvePermissionProfile`) accept — the schema is a typo guard, not
+ * a replacement parser; the resolvers still own defaults + warnings for
+ * borderline cases the schema lets through.
+ *
+ * `.strict()` is intentional: this pack already documents every
+ * supported key, and an unknown key in the operator's manifest is far
+ * more likely to be a typo than forward-compat. New keys added in a
+ * future harness version land in this schema first, then in the pack.
+ */
+export declare const configSchema: z.ZodObject<{
+    mode: z.ZodOptional<z.ZodEnum<[Mode, ...Mode[]]>>;
+    permission_profile: z.ZodOptional<z.ZodEnum<[string, ...string[]]>>;
+    approval_lifecycle: z.ZodOptional<z.ZodObject<{
+        mode: z.ZodOptional<z.ZodLiteral<"session">>;
+        expire_on_tool_match: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        expire_on_bash_match: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        max_age: z.ZodOptional<z.ZodString>;
+    }, "strict", z.ZodTypeAny, {
+        mode?: "session" | undefined;
+        expire_on_tool_match?: string[] | undefined;
+        expire_on_bash_match?: string[] | undefined;
+        max_age?: string | undefined;
+    }, {
+        mode?: "session" | undefined;
+        expire_on_tool_match?: string[] | undefined;
+        expire_on_bash_match?: string[] | undefined;
+        max_age?: string | undefined;
+    }>>;
+    ux: z.ZodOptional<z.ZodObject<{
+        cannot: z.ZodString;
+        required: z.ZodArray<z.ZodString, "many">;
+        run: z.ZodArray<z.ZodString, "many">;
+    }, "strict", z.ZodTypeAny, {
+        cannot: string;
+        required: string[];
+        run: string[];
+    }, {
+        cannot: string;
+        required: string[];
+        run: string[];
+    }>>;
+    producers: z.ZodOptional<z.ZodArray<z.ZodDiscriminatedUnion<"kind", [z.ZodObject<{
+        kind: z.ZodLiteral<"bash">;
+        command: z.ZodString;
+        description: z.ZodString;
+    }, "strict", z.ZodTypeAny, {
+        command: string;
+        description: string;
+        kind: "bash";
+    }, {
+        command: string;
+        description: string;
+        kind: "bash";
+    }>, z.ZodObject<{
+        kind: z.ZodLiteral<"mcp">;
+        verb: z.ZodString;
+        example: z.ZodString;
+        description: z.ZodString;
+    }, "strict", z.ZodTypeAny, {
+        description: string;
+        kind: "mcp";
+        verb: string;
+        example: string;
+    }, {
+        description: string;
+        kind: "mcp";
+        verb: string;
+        example: string;
+    }>, z.ZodObject<{
+        kind: z.ZodLiteral<"ask">;
+        command: z.ZodString;
+        description: z.ZodString;
+    }, "strict", z.ZodTypeAny, {
+        command: string;
+        description: string;
+        kind: "ask";
+    }, {
+        command: string;
+        description: string;
+        kind: "ask";
+    }>]>, "many">>;
+}, "strict", z.ZodTypeAny, {
+    producers?: ({
+        command: string;
+        description: string;
+        kind: "bash";
+    } | {
+        description: string;
+        kind: "mcp";
+        verb: string;
+        example: string;
+    } | {
+        command: string;
+        description: string;
+        kind: "ask";
+    })[] | undefined;
+    ux?: {
+        cannot: string;
+        required: string[];
+        run: string[];
+    } | undefined;
+    mode?: Mode | undefined;
+    permission_profile?: string | undefined;
+    approval_lifecycle?: {
+        mode?: "session" | undefined;
+        expire_on_tool_match?: string[] | undefined;
+        expire_on_bash_match?: string[] | undefined;
+        max_age?: string | undefined;
+    } | undefined;
+}, {
+    producers?: ({
+        command: string;
+        description: string;
+        kind: "bash";
+    } | {
+        description: string;
+        kind: "mcp";
+        verb: string;
+        example: string;
+    } | {
+        command: string;
+        description: string;
+        kind: "ask";
+    })[] | undefined;
+    ux?: {
+        cannot: string;
+        required: string[];
+        run: string[];
+    } | undefined;
+    mode?: Mode | undefined;
+    permission_profile?: string | undefined;
+    approval_lifecycle?: {
+        mode?: "session" | undefined;
+        expire_on_tool_match?: string[] | undefined;
+        expire_on_bash_match?: string[] | undefined;
+        max_age?: string | undefined;
+    } | undefined;
+}>;
 export interface ResolvePackOptions {
     /**
      * Absolute path to the persisted-report directory the pack's hooks

package/dist/policy-packs/builtin/understanding-before-execution.js

@@ -10,11 +10,23 @@
 // the audit copy), distinct from drift on the package's own templates
 // (which the package's own drift detection would handle on a future
 // `understanding-gate init` reinstall).
+import { z } from "zod";
+import { PolicyUxSchema, ProducerSchema } from "../../schema/policies.js";
 import { profileToSettingsPermissions } from "../permission-translator.js";
 import { DEFAULT_RUNTIME } from "../runtime.js";
 import { isKnownProfileName, resolveProfile, KNOWN_PROFILE_NAMES, } from "./permission-profiles.js";
 import { REPORTS_DIR_ENV } from "./understanding-before-execution-runtime.js";
 export const PACK_NAME = "understanding-before-execution";
+// Canonical version probe for the pack's package-side bin. Consumed by
+// `harness doctor` when the operator declares a pack-level `min_version`
+// floor. Mirrors the hook-level UG_VERSION_COMMAND (which is scoped to
+// individual hooks); a pack-level floor exists so a `config:` key only
+// the newer package honours (e.g. the v0.25.0 `--task` variadic flag)
+// can be caught at health-check time independent of any one hook.
+export const VERSION_COMMAND = [
+    "understanding-gate",
+    "--version",
+];
 const MODES = ["fast_confirm", "grill_me", "strict"];
 export const DEFAULT_MODE = "grill_me";
 const HOOK_NAME_PREFIX = `policy-pack:${PACK_NAME}`;
@@ -61,6 +73,55 @@ const COMMAND_PRE_TOOL_USE_CODEX = "harness pack hook codex-pre-tool-use";
 export function isMode(value) {
     return (typeof value === "string" && MODES.includes(value));
 }
+/**
+ * Zod schema for this pack's `config:` block. Surfaced via
+ * `resolveBuiltinConfigSchema()` and consumed by `harness validate` /
+ * `harness doctor` so typo'd keys (e.g. `permision_profile`) or values
+ * (e.g. `mode: fastConfirm`) fail loud at lint time instead of falling
+ * through to the runtime fallback. Each shape mirrors what the pack's
+ * own resolvers (`resolveMode`, `resolveExpireOnToolMatch`,
+ * `resolvePermissionProfile`) accept — the schema is a typo guard, not
+ * a replacement parser; the resolvers still own defaults + warnings for
+ * borderline cases the schema lets through.
+ *
+ * `.strict()` is intentional: this pack already documents every
+ * supported key, and an unknown key in the operator's manifest is far
+ * more likely to be a typo than forward-compat. New keys added in a
+ * future harness version land in this schema first, then in the pack.
+ */
+export const configSchema = z
+    .object({
+    mode: z.enum(MODES).optional(),
+    permission_profile: z
+        .enum(KNOWN_PROFILE_NAMES)
+        .optional(),
+    approval_lifecycle: z
+        .object({
+        // `mode: session` opts out of the PostToolUse marker-expiry hook
+        // entirely (legacy "one approval per session" UX).
+        mode: z.literal("session").optional(),
+        // Tool-name boundaries: clear the marker after one of these
+        // agent-tasks (or operator-overridden) MCP tools fires.
+        expire_on_tool_match: z.array(z.string().min(1)).optional(),
+        // Bash-command boundaries: clear the marker when a Bash call
+        // matches any of these regexes (e.g. `^gh pr (merge|close)\b`).
+        // Operators on gh-cli workflows use this in place of MCP tools.
+        expire_on_bash_match: z.array(z.string().min(1)).optional(),
+        // Safety net for sessions that never hit a listed tool/Bash
+        // boundary. Duration strings like `1h`, `4h`, `30m` are parsed
+        // by the post-tool-use hook; format validation lives there.
+        max_age: z.string().min(1).optional(),
+    })
+        .strict()
+        .optional(),
+    // `ux` + `producers` are consumed by the PreToolUse blocker
+    // (`src/cli/pack/hook-pre-tool-use.ts`) to render an agent-facing
+    // remediation block when the gate trips. Same shape as the
+    // policy-layer `ux:` / `producers:` keys.
+    ux: PolicyUxSchema.optional(),
+    producers: z.array(ProducerSchema).min(1).optional(),
+})
+    .strict();
 /**
  * POSIX single-quote-escape for an arbitrary path. Safe inside the
  * `VAR=<value>` prefix of a `sh -c` command line. Always quotes — paths
@@ -182,16 +243,17 @@ function buildHooks(runtime, pack, opts = {}) {
             },
         ];
     }
-    // `min_version` floor on the npm-backed bins: 0.3.1 is the first release
-    // whose published `understanding-gate --version` reports the actual
-    // installed version rather than a stale literal (agent-grounding PRs
-    // #80 + #81). 0.3.0 shipped the parser-side fast_confirm fix but the
-    // dist cli.js hardcoded "0.2.3" so every install looked stale to
-    // doctor; without this floor, an operator on 0.2.x would silently get
-    // the no_marker_fast_confirm_attempt parse-error noise documented in
-    // harness PR #169. The PreToolUse blocker below is the harness CLI
-    // itself, not an npm-backed bin, so it does not carry a floor here.
-    const UG_MIN_VERSION = "0.3.1";
+    // `min_version` floor on the npm-backed bins: 0.4.0 ships the
+    // required "Prior Art" 10th section of the Understanding Report
+    // (agent-grounding PR #85, harness task 798d7173). Operators below
+    // this floor would silently miss the section because the Stop-capture
+    // parser doesn't yet enforce it. The prior floor was 0.3.1 (first
+    // release whose `understanding-gate --version` reported the actual
+    // installed version rather than a stale literal; agent-grounding PRs
+    // #80 + #81); 0.4.0 supersedes it. The PreToolUse blocker below is
+    // the harness CLI itself, not an npm-backed bin, so it does not carry
+    // a floor here.
+    const UG_MIN_VERSION = "0.4.0";
     const UG_VERSION_COMMAND = [
         "understanding-gate",
         "--version",

package/dist/policy-packs/builtin/understanding-before-execution.js.map

@@ -1 +1 @@
-{"version":3,"file":"understanding-before-execution.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/understanding-before-execution.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,EAAE;AACF,sEAAsE;AACtE,yEAAyE;AACzE,yEAAyE;AACzE,8EAA8E;AAC9E,0EAA0E;AAC1E,yEAAyE;AACzE,yEAAyE;AACzE,sEAAsE;AACtE,oEAAoE;AACpE,wCAAwC;AAGxC,OAAO,EAAE,4BAA4B,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAgB,MAAM,eAAe,CAAC;AAM9D,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,mBAAmB,GACpB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,6CAA6C,CAAC;AAE9E,MAAM,CAAC,MAAM,SAAS,GAAG,gCAAgC,CAAC;AAI1D,MAAM,KAAK,GAAoB,CAAC,cAAc,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AAEtE,MAAM,CAAC,MAAM,YAAY,GAAS,UAAU,CAAC;AAE7C,MAAM,gBAAgB,GAAG,eAAe,SAAS,EAAE,CAAC;AAEpD,6EAA6E;AAC7E,yEAAyE;AACzE,4EAA4E;AAC5E,uEAAuE;AACvE,yEAAyE;AACzE,0EAA0E;AAC1E,UAAU;AACV,MAAM,yBAAyB,GAAG,iBAAiB,CAAC;AACpD,MAAM,wBAAwB,GAC5B,4DAA4D,CAAC;AAE/D,2EAA2E;AAC3E,sEAAsE;AACtE,sEAAsE;AACtE,sEAAsE;AACtE,+BAA+B;AAC/B,MAAM,6BAA6B,GAAG,gCAAgC,CAAC;AACvE,MAAM,eAAe,GAAG,gCAAgC,CAAC;AACzD,yEAAyE;AACzE,sEAAsE;AACtE,iEAAiE;AACjE,yEAAyE;AACzE,mEAAmE;AACnE,0BAA0B;AAC1B,MAAM,2BAA2B,GAAG,gCAAgC,CAAC;AAErE,qEAAqE;AACrE,wDAAwD;AACxD,EAAE;AACF,yDAAyD;AACzD,kEAAkE;AAClE,8BAA8B;AAC9B,+EAA+E;AAC/E,EAAE;AACF,sEAAsE;AACtE,iEAAiE;AACjE,mEAAmE;AACnE,oEAAoE;AACpE,oEAAoE;AACpE,0DAA0D;AAC1D,MAAM,gCAAgC,GACpC,4CAA4C,CAAC;AAC/C,MAAM,kBAAkB,GAAG,8BAA8B,CAAC;AAC1D,MAAM,0BAA0B,GAAG,sCAAsC,CAAC;AAE1E,MAAM,UAAU,MAAM,CAAC,KAAc;IACnC,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ,IAAK,KAA2B,CAAC,QAAQ,CAAC,KAAK,CAAC,CAC1E,CAAC;AACJ,CAAC;AAkBD;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,CAAS;IACjC,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;AACzC,CAAC;AAED,SAAS,2BAA2B,CAClC,OAAe,EACf,UAA8B;IAE9B,IAAI,CAAC,UAAU;QAAE,OAAO,OAAO,CAAC;IAChC,OAAO,GAAG,eAAe,IAAI,gBAAgB,CAAC,UAAU,CAAC,IAAI,OAAO,EAAE,CAAC;AACzE,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAgB;IAI1C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACpE,IAAI,MAAM,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACrD,MAAM,OAAO,GAAG,gBAAgB,IAAI,CAAC,IAAI,qCAAqC,IAAI,CAAC,SAAS,CAC1F,GAAG,CACJ,sBAAsB,YAAY,eAAe,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;IACtE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC;AACzC,CAAC;AAED,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,iDAAiD;AACjD,MAAM,4BAA4B,GAA0B;IAC1D,+BAA+B;IAC/B,gCAAgC;IAChC,uCAAuC;IACvC,yEAAyE;IACzE,sEAAsE;IACtE,qEAAqE;IACrE,uDAAuD;IACvD,oCAAoC;CACrC,CAAC;AAEF,MAAM,4BAA4B,GAAG,iCAAiC,CAAC;AACvE,MAAM,iCAAiC,GACrC,sCAAsC,CAAC;AAEzC,wEAAwE;AACxE,sEAAsE;AACtE,sEAAsE;AACtE,mEAAmE;AACnE,MAAM,wBAAwB,GAC5B,oIAAoI,CAAC;AAEvI;;;;;;;GAOG;AACH,SAAS,uBAAuB,CAAC,KAA4B;IAC3D,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3E,OAAO,OAAO,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;AACtC,CAAC;AAED,SAAS,wBAAwB,CAAC,IAAgB;IAIhD,MAAM,GAAG,GAAI,IAAI,CAAC,MAAkC,CAAC,oBAAoB,CAAC,CAAC;IAC3E,qEAAqE;IACrE,oEAAoE;IACpE,4DAA4D;IAC5D,2CAA2C;IAC3C,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QACtC,OAAO,EAAE,KAAK,EAAE,CAAC,GAAG,4BAA4B,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACtE,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAClD,OAAO,EAAE,KAAK,EAAE,CAAC,GAAG,4BAA4B,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACtE,CAAC;IACD,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IACxC,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACzC,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CACvB,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAC1D,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;IAC/C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,CAAC,GAAG,4BAA4B,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;AACtE,CAAC;AAED,SAAS,UAAU,CACjB,OAAgB,EAChB,IAAgB,EAChB,OAA2B,EAAE;IAE7B,mEAAmE;IACnE,oEAAoE;IACpE,sEAAsE;IACtE,mEAAmE;IACnE,EAAE;IACF,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,2CAA2C;IAC3C,MAAM,IAAI,GAAG,CAAC,GAAW,EAAU,EAAE,CACnC,2BAA2B,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACpD,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,OAAO;YACL;gBACE,IAAI,EAAE,GAAG,gBAAgB,2BAA2B;gBACpD,KAAK,EAAE,kBAAkB;gBACzB,OAAO,EAAE,gCAAgC;gBACzC,QAAQ,EAAE,KAAK;gBACf,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,sGAAsG;aACzG;YACD;gBACE,IAAI,EAAE,GAAG,gBAAgB,aAAa;gBACtC,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,IAAI,CAAC,kBAAkB,CAAC;gBACjC,QAAQ,EAAE,KAAK;gBACf,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,4IAA4I;aAC/I;YACD;gBACE,IAAI,EAAE,GAAG,gBAAgB,qBAAqB;gBAC9C,KAAK,EAAE,YAAY;gBACnB,KAAK,EAAE,wBAAwB;gBAC/B,OAAO,EAAE,IAAI,CAAC,0BAA0B,CAAC;gBACzC,QAAQ,EAAE,MAAM;gBAChB,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,4LAA4L;aAC/L;SACF,CAAC;IACJ,CAAC;IACD,yEAAyE;IACzE,oEAAoE;IACpE,qEAAqE;IACrE,qEAAqE;IACrE,iEAAiE;IACjE,sEAAsE;IACtE,qEAAqE;IACrE,mEAAmE;IACnE,oEAAoE;IACpE,MAAM,cAAc,GAAG,OAAO,CAAC;IAC/B,MAAM,kBAAkB,GAAqB;QAC3C,oBAAoB;QACpB,WAAW;KACZ,CAAC;IACF,OAAO;QACL;YACE,IAAI,EAAE,GAAG,gBAAgB,qBAAqB;YAC9C,KAAK,EAAE,kBAAkB;YACzB,OAAO,EAAE,6BAA6B;YACtC,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EAAE,cAAc;YAC3B,eAAe,EAAE,kBAAkB;YACnC,WAAW,EACT,oHAAoH;SACvH;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,OAAO;YAChC,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,IAAI,CAAC,eAAe,CAAC;YAC9B,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EAAE,cAAc;YAC3B,eAAe,EAAE,kBAAkB;YACnC,WAAW,EACT,sHAAsH;SACzH;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,eAAe;YACxC,KAAK,EAAE,YAAY;YACnB,KAAK,EAAE,yBAAyB;YAChC,OAAO,EAAE,IAAI,CAAC,2BAA2B,CAAC;YAC1C,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,IAAI;YACf,WAAW,EACT,kMAAkM;SACrM;QACD,sEAAsE;QACtE,oEAAoE;QACpE,oEAAoE;QACpE,wEAAwE;QACxE,oEAAoE;QACpE,mEAAmE;QACnE,gEAAgE;QAChE,kDAAkD;QAClD,GAAG,CAAC,GAAW,EAAE;YACf,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;YAC3D,IAAI,CAAC,QAAQ;gBAAE,OAAO,EAAE,CAAC;YACzB,MAAM,IAAI,GAAS;gBACjB,IAAI,EAAE,GAAG,gBAAgB,gBAAgB;gBACzC,KAAK,EAAE,aAAa;gBACpB,KAAK,EAAE,uBAAuB,CAAC,KAAK,CAAC;gBACrC,+DAA+D;gBAC/D,4DAA4D;gBAC5D,gEAAgE;gBAChE,4DAA4D;gBAC5D,OAAO,EAAE,IAAI,CAAC,4BAA4B,CAAC;gBAC3C,QAAQ,EAAE,KAAK;gBACf,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,0NAA0N;aAC7N,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC,CAAC,EAAE;QACJ,+DAA+D;QAC/D,mEAAmE;QACnE,gEAAgE;QAChE,6DAA6D;QAC7D,iEAAiE;QACjE,6DAA6D;QAC7D,+CAA+C;QAC/C;YACE,IAAI,EAAE,GAAG,gBAAgB,qBAAqB;YAC9C,KAAK,EAAE,aAAa;YACpB,KAAK,EAAE,wBAAwB;YAC/B,OAAO,EAAE,iCAAiC;YAC1C,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EACT,kNAAkN;SACrN;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAU;IAC9B,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,cAAc;YACjB,OAAO,oIAAoI,CAAC;QAC9I,KAAK,UAAU;YACb,OAAO,wNAAwN,CAAC;QAClO,KAAK,QAAQ;YACX,OAAO,8IAA8I,CAAC;IAC1J,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CACxB,IAAgB,EAChB,IAAU,EACV,OAAgB;IAEhB,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,WAAW,GAAG,OAAO;QACzB,CAAC,CAAC,gCAAgC;QAClC,CAAC,CAAC,6BAA6B,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,eAAe,CAAC;IAC/D,MAAM,UAAU,GAAG,OAAO;QACxB,CAAC,CAAC,0BAA0B;QAC5B,CAAC,CAAC,2BAA2B,CAAC;IAChC,MAAM,YAAY,GAAG,OAAO;QAC1B,CAAC,CAAC,wBAAwB;QAC1B,CAAC,CAAC,yBAAyB,CAAC;IAC9B,MAAM,gBAAgB,GAAG,OAAO;QAC9B,CAAC,CAAC,uCAAuC;QACzC,CAAC,CAAC,iCAAiC,CAAC;IACtC,MAAM,UAAU,GAAG,0BAA0B,OAAO;;;CAGrD,CAAC;IACA,MAAM,cAAc,GAAG,GAAG,CAAC;IAC3B,OAAO,kBAAkB,SAAS;;;UAG1B,WAAW;;;;;;;EAOnB,OAAO;;;;EAIP,IAAI;;EAEJ,YAAY,CAAC,IAAI,CAAC;;;;uDAImC,gBAAgB;;sCAEjC,WAAW;;EAE/C,UAAU,GAAG,cAAc,+BAA+B,UAAU;UAC5D,YAAY;;;;;;;;;;;;;;;;;EAiBpB,WAAW,CAAC,CAAC,CAAC,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;;YAEtD,SAAS;YACT,IAAI;eACD,OAAO;;;;;;CAMrB,CAAC;AACF,CAAC;AAED,SAAS,wBAAwB,CAAC,IAAgB;IAIhD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC9C,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACnE,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,uDAAuD,OAAO,GAAG,qCAAqC;SACzI,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,qDAAqD,IAAI,CAAC,SAAS,CACnG,GAAG,CACJ,cAAc,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,qCAAqC;SACnF,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC1D,OAAO,EAAE,WAAW,EAAE,4BAA4B,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,IAAgB,EAChB,UAAmB,eAAe,EAClC,OAA2B,EAAE;IAE7B,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IAC5C,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC9C,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACnE,MAAM,KAAK,GAA2B;QACpC;YACE,YAAY,EAAE,gBAAgB,SAAS,kBAAkB;YACzD,OAAO,EAAE,mBAAmB;SAC7B;KACF,CAAC;IACF,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAEpC,MAAM,aAAa,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IACrD,IAAI,aAAa,CAAC,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAChE,MAAM,YAAY,GAAqB,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACxD,IAAI,aAAa,CAAC,WAAW;QAC3B,YAAY,CAAC,WAAW,GAAG,aAAa,CAAC,WAAW,CAAC;IAEvD,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC;AACpC,CAAC"}
+{"version":3,"file":"understanding-before-execution.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/understanding-before-execution.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,EAAE;AACF,sEAAsE;AACtE,yEAAyE;AACzE,yEAAyE;AACzE,8EAA8E;AAC9E,0EAA0E;AAC1E,yEAAyE;AACzE,yEAAyE;AACzE,sEAAsE;AACtE,oEAAoE;AACpE,wCAAwC;AAExC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE1E,OAAO,EAAE,4BAA4B,EAAE,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAgB,MAAM,eAAe,CAAC;AAM9D,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,mBAAmB,GACpB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,6CAA6C,CAAC;AAE9E,MAAM,CAAC,MAAM,SAAS,GAAG,gCAAgC,CAAC;AAE1D,uEAAuE;AACvE,yEAAyE;AACzE,uEAAuE;AACvE,uEAAuE;AACvE,sEAAsE;AACtE,kEAAkE;AAClE,MAAM,CAAC,MAAM,eAAe,GAA8B;IACxD,oBAAoB;IACpB,WAAW;CACZ,CAAC;AAIF,MAAM,KAAK,GAAoB,CAAC,cAAc,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AAEtE,MAAM,CAAC,MAAM,YAAY,GAAS,UAAU,CAAC;AAE7C,MAAM,gBAAgB,GAAG,eAAe,SAAS,EAAE,CAAC;AAEpD,6EAA6E;AAC7E,yEAAyE;AACzE,4EAA4E;AAC5E,uEAAuE;AACvE,yEAAyE;AACzE,0EAA0E;AAC1E,UAAU;AACV,MAAM,yBAAyB,GAAG,iBAAiB,CAAC;AACpD,MAAM,wBAAwB,GAC5B,4DAA4D,CAAC;AAE/D,2EAA2E;AAC3E,sEAAsE;AACtE,sEAAsE;AACtE,sEAAsE;AACtE,+BAA+B;AAC/B,MAAM,6BAA6B,GAAG,gCAAgC,CAAC;AACvE,MAAM,eAAe,GAAG,gCAAgC,CAAC;AACzD,yEAAyE;AACzE,sEAAsE;AACtE,iEAAiE;AACjE,yEAAyE;AACzE,mEAAmE;AACnE,0BAA0B;AAC1B,MAAM,2BAA2B,GAAG,gCAAgC,CAAC;AAErE,qEAAqE;AACrE,wDAAwD;AACxD,EAAE;AACF,yDAAyD;AACzD,kEAAkE;AAClE,8BAA8B;AAC9B,+EAA+E;AAC/E,EAAE;AACF,sEAAsE;AACtE,iEAAiE;AACjE,mEAAmE;AACnE,oEAAoE;AACpE,oEAAoE;AACpE,0DAA0D;AAC1D,MAAM,gCAAgC,GACpC,4CAA4C,CAAC;AAC/C,MAAM,kBAAkB,GAAG,8BAA8B,CAAC;AAC1D,MAAM,0BAA0B,GAAG,sCAAsC,CAAC;AAE1E,MAAM,UAAU,MAAM,CAAC,KAAc;IACnC,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ,IAAK,KAA2B,CAAC,QAAQ,CAAC,KAAK,CAAC,CAC1E,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC;KAC1B,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAmC,CAAC,CAAC,QAAQ,EAAE;IAC5D,kBAAkB,EAAE,CAAC;SAClB,IAAI,CAAC,mBAAqD,CAAC;SAC3D,QAAQ,EAAE;IACb,kBAAkB,EAAE,CAAC;SAClB,MAAM,CAAC;QACN,iEAAiE;QACjE,mDAAmD;QACnD,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE;QACrC,4DAA4D;QAC5D,wDAAwD;QACxD,oBAAoB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;QAC3D,6DAA6D;QAC7D,gEAAgE;QAChE,gEAAgE;QAChE,oBAAoB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;QAC3D,4DAA4D;QAC5D,+DAA+D;QAC/D,4DAA4D;QAC5D,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;KACtC,CAAC;SACD,MAAM,EAAE;SACR,QAAQ,EAAE;IACb,4DAA4D;IAC5D,kEAAkE;IAClE,2DAA2D;IAC3D,0CAA0C;IAC1C,EAAE,EAAE,cAAc,CAAC,QAAQ,EAAE;IAC7B,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;CACrD,CAAC;KACD,MAAM,EAAE,CAAC;AAkBZ;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,CAAS;IACjC,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;AACzC,CAAC;AAED,SAAS,2BAA2B,CAClC,OAAe,EACf,UAA8B;IAE9B,IAAI,CAAC,UAAU;QAAE,OAAO,OAAO,CAAC;IAChC,OAAO,GAAG,eAAe,IAAI,gBAAgB,CAAC,UAAU,CAAC,IAAI,OAAO,EAAE,CAAC;AACzE,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAgB;IAI1C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACpE,IAAI,MAAM,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACrD,MAAM,OAAO,GAAG,gBAAgB,IAAI,CAAC,IAAI,qCAAqC,IAAI,CAAC,SAAS,CAC1F,GAAG,CACJ,sBAAsB,YAAY,eAAe,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;IACtE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC;AACzC,CAAC;AAED,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,iDAAiD;AACjD,MAAM,4BAA4B,GAA0B;IAC1D,+BAA+B;IAC/B,gCAAgC;IAChC,uCAAuC;IACvC,yEAAyE;IACzE,sEAAsE;IACtE,qEAAqE;IACrE,uDAAuD;IACvD,oCAAoC;CACrC,CAAC;AAEF,MAAM,4BAA4B,GAAG,iCAAiC,CAAC;AACvE,MAAM,iCAAiC,GACrC,sCAAsC,CAAC;AAEzC,wEAAwE;AACxE,sEAAsE;AACtE,sEAAsE;AACtE,mEAAmE;AACnE,MAAM,wBAAwB,GAC5B,oIAAoI,CAAC;AAEvI;;;;;;;GAOG;AACH,SAAS,uBAAuB,CAAC,KAA4B;IAC3D,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,CAAC;IAC3E,OAAO,OAAO,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;AACtC,CAAC;AAED,SAAS,wBAAwB,CAAC,IAAgB;IAIhD,MAAM,GAAG,GAAI,IAAI,CAAC,MAAkC,CAAC,oBAAoB,CAAC,CAAC;IAC3E,qEAAqE;IACrE,oEAAoE;IACpE,4DAA4D;IAC5D,2CAA2C;IAC3C,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QACtC,OAAO,EAAE,KAAK,EAAE,CAAC,GAAG,4BAA4B,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACtE,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAClD,OAAO,EAAE,KAAK,EAAE,CAAC,GAAG,4BAA4B,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACtE,CAAC;IACD,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IACxC,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACzC,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CACvB,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAC1D,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;IAC/C,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,CAAC,GAAG,4BAA4B,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;AACtE,CAAC;AAED,SAAS,UAAU,CACjB,OAAgB,EAChB,IAAgB,EAChB,OAA2B,EAAE;IAE7B,mEAAmE;IACnE,oEAAoE;IACpE,sEAAsE;IACtE,mEAAmE;IACnE,EAAE;IACF,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,2CAA2C;IAC3C,MAAM,IAAI,GAAG,CAAC,GAAW,EAAU,EAAE,CACnC,2BAA2B,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACpD,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,OAAO;YACL;gBACE,IAAI,EAAE,GAAG,gBAAgB,2BAA2B;gBACpD,KAAK,EAAE,kBAAkB;gBACzB,OAAO,EAAE,gCAAgC;gBACzC,QAAQ,EAAE,KAAK;gBACf,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,sGAAsG;aACzG;YACD;gBACE,IAAI,EAAE,GAAG,gBAAgB,aAAa;gBACtC,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,IAAI,CAAC,kBAAkB,CAAC;gBACjC,QAAQ,EAAE,KAAK;gBACf,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,4IAA4I;aAC/I;YACD;gBACE,IAAI,EAAE,GAAG,gBAAgB,qBAAqB;gBAC9C,KAAK,EAAE,YAAY;gBACnB,KAAK,EAAE,wBAAwB;gBAC/B,OAAO,EAAE,IAAI,CAAC,0BAA0B,CAAC;gBACzC,QAAQ,EAAE,MAAM;gBAChB,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,4LAA4L;aAC/L;SACF,CAAC;IACJ,CAAC;IACD,8DAA8D;IAC9D,gEAAgE;IAChE,mEAAmE;IACnE,sEAAsE;IACtE,kEAAkE;IAClE,mEAAmE;IACnE,qEAAqE;IACrE,mEAAmE;IACnE,sEAAsE;IACtE,gBAAgB;IAChB,MAAM,cAAc,GAAG,OAAO,CAAC;IAC/B,MAAM,kBAAkB,GAAqB;QAC3C,oBAAoB;QACpB,WAAW;KACZ,CAAC;IACF,OAAO;QACL;YACE,IAAI,EAAE,GAAG,gBAAgB,qBAAqB;YAC9C,KAAK,EAAE,kBAAkB;YACzB,OAAO,EAAE,6BAA6B;YACtC,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EAAE,cAAc;YAC3B,eAAe,EAAE,kBAAkB;YACnC,WAAW,EACT,oHAAoH;SACvH;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,OAAO;YAChC,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,IAAI,CAAC,eAAe,CAAC;YAC9B,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EAAE,cAAc;YAC3B,eAAe,EAAE,kBAAkB;YACnC,WAAW,EACT,sHAAsH;SACzH;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,eAAe;YACxC,KAAK,EAAE,YAAY;YACnB,KAAK,EAAE,yBAAyB;YAChC,OAAO,EAAE,IAAI,CAAC,2BAA2B,CAAC;YAC1C,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,IAAI;YACf,WAAW,EACT,kMAAkM;SACrM;QACD,sEAAsE;QACtE,oEAAoE;QACpE,oEAAoE;QACpE,wEAAwE;QACxE,oEAAoE;QACpE,mEAAmE;QACnE,gEAAgE;QAChE,kDAAkD;QAClD,GAAG,CAAC,GAAW,EAAE;YACf,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;YAC3D,IAAI,CAAC,QAAQ;gBAAE,OAAO,EAAE,CAAC;YACzB,MAAM,IAAI,GAAS;gBACjB,IAAI,EAAE,GAAG,gBAAgB,gBAAgB;gBACzC,KAAK,EAAE,aAAa;gBACpB,KAAK,EAAE,uBAAuB,CAAC,KAAK,CAAC;gBACrC,+DAA+D;gBAC/D,4DAA4D;gBAC5D,gEAAgE;gBAChE,4DAA4D;gBAC5D,OAAO,EAAE,IAAI,CAAC,4BAA4B,CAAC;gBAC3C,QAAQ,EAAE,KAAK;gBACf,SAAS,EAAE,IAAI;gBACf,WAAW,EACT,0NAA0N;aAC7N,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC,CAAC,EAAE;QACJ,+DAA+D;QAC/D,mEAAmE;QACnE,gEAAgE;QAChE,6DAA6D;QAC7D,iEAAiE;QACjE,6DAA6D;QAC7D,+CAA+C;QAC/C;YACE,IAAI,EAAE,GAAG,gBAAgB,qBAAqB;YAC9C,KAAK,EAAE,aAAa;YACpB,KAAK,EAAE,wBAAwB;YAC/B,OAAO,EAAE,iCAAiC;YAC1C,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EACT,kNAAkN;SACrN;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAU;IAC9B,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,cAAc;YACjB,OAAO,oIAAoI,CAAC;QAC9I,KAAK,UAAU;YACb,OAAO,wNAAwN,CAAC;QAClO,KAAK,QAAQ;YACX,OAAO,8IAA8I,CAAC;IAC1J,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CACxB,IAAgB,EAChB,IAAU,EACV,OAAgB;IAEhB,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,WAAW,GAAG,OAAO;QACzB,CAAC,CAAC,gCAAgC;QAClC,CAAC,CAAC,6BAA6B,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,eAAe,CAAC;IAC/D,MAAM,UAAU,GAAG,OAAO;QACxB,CAAC,CAAC,0BAA0B;QAC5B,CAAC,CAAC,2BAA2B,CAAC;IAChC,MAAM,YAAY,GAAG,OAAO;QAC1B,CAAC,CAAC,wBAAwB;QAC1B,CAAC,CAAC,yBAAyB,CAAC;IAC9B,MAAM,gBAAgB,GAAG,OAAO;QAC9B,CAAC,CAAC,uCAAuC;QACzC,CAAC,CAAC,iCAAiC,CAAC;IACtC,MAAM,UAAU,GAAG,0BAA0B,OAAO;;;CAGrD,CAAC;IACA,MAAM,cAAc,GAAG,GAAG,CAAC;IAC3B,OAAO,kBAAkB,SAAS;;;UAG1B,WAAW;;;;;;;EAOnB,OAAO;;;;EAIP,IAAI;;EAEJ,YAAY,CAAC,IAAI,CAAC;;;;uDAImC,gBAAgB;;sCAEjC,WAAW;;EAE/C,UAAU,GAAG,cAAc,+BAA+B,UAAU;UAC5D,YAAY;;;;;;;;;;;;;;;;;EAiBpB,WAAW,CAAC,CAAC,CAAC,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;;YAEtD,SAAS;YACT,IAAI;eACD,OAAO;;;;;;CAMrB,CAAC;AACF,CAAC;AAED,SAAS,wBAAwB,CAAC,IAAgB;IAIhD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC9C,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACnE,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,uDAAuD,OAAO,GAAG,qCAAqC;SACzI,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,qDAAqD,IAAI,CAAC,SAAS,CACnG,GAAG,CACJ,cAAc,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,qCAAqC;SACnF,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC1D,OAAO,EAAE,WAAW,EAAE,4BAA4B,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,IAAgB,EAChB,UAAmB,eAAe,EAClC,OAA2B,EAAE;IAE7B,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IAC5C,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC9C,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACnE,MAAM,KAAK,GAA2B;QACpC;YACE,YAAY,EAAE,gBAAgB,SAAS,kBAAkB;YACzD,OAAO,EAAE,mBAAmB;SAC7B;KACF,CAAC;IACF,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAEpC,MAAM,aAAa,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IACrD,IAAI,aAAa,CAAC,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAChE,MAAM,YAAY,GAAqB,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IACxD,IAAI,aAAa,CAAC,WAAW;QAC3B,YAAY,CAAC,WAAW,GAAG,aAAa,CAAC,WAAW,CAAC;IAEvD,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC;AACpC,CAAC"}

package/dist/policy-packs/config-check.d.ts

@@ -0,0 +1,31 @@
+import type { z } from "zod";
+import type { Manifest } from "../schema/index.js";
+export interface PolicyPackConfigIssue {
+    packIndex: number;
+    packName: string;
+    /**
+     * Dotted path inside `pack.config`, e.g. `mode`, `approval_lifecycle.mode`,
+     * `permission_profile`. Empty string means the issue applies to the
+     * config object itself (e.g. a wholly non-object value).
+     */
+    configPath: string;
+    message: string;
+    /**
+     * Zod issue code preserved so downstream renderers can group by
+     * kind (`invalid_enum_value`, `unrecognized_keys`, ...). Stable since
+     * zod 3.x.
+     */
+    code: z.ZodIssueCode;
+}
+/**
+ * Walks `manifest.policy_packs` in declared order. For each enabled
+ * builtin pack with a registered `configSchema`, runs `safeParse` and
+ * lifts every zod issue into a flat `PolicyPackConfigIssue`. Unknown
+ * pack names are skipped (their resolution gap is the
+ * `checkPolicyPackSources` helper's job); non-builtin sources are
+ * skipped (no schema to consult in v1).
+ *
+ * Output order is stable: packs in manifest order, issues in zod's
+ * native traversal order.
+ */
+export declare function checkPolicyPackConfigs(manifest: Manifest): PolicyPackConfigIssue[];

package/dist/policy-packs/config-check.js

@@ -0,0 +1,58 @@
+// Per-pack `config:` shape check, used by both `harness validate` and
+// `harness doctor`. The top-level `PolicyPackSchema` accepts
+// `config: z.record(string, unknown)` — any key, any value — because
+// each builtin pack owns its own config interpretation. That means a
+// typo like `mode: "fastConfirm"` (camelCase instead of `fast_confirm`)
+// or `permision_profile` (misspelled key) currently falls through to
+// the runtime fallback and the operator only finds out when the hook
+// finally fires. This helper consults the per-pack `configSchema`
+// exported from each builtin module and surfaces every issue at
+// lint-time.
+//
+// Order is deliberate: the source check (`checkPolicyPackSources`) runs
+// first to catch unknown pack `source:` / `name:`; only packs that pass
+// that gate carry a registered schema. Both helpers stay separate so
+// validate can emit BOTH a "this pack does not resolve" diagnostic and
+// the per-key config diagnostics for sibling packs in the same run.
+import { isBuiltinPackName, resolveBuiltinConfigSchema } from "./registry.js";
+/**
+ * Walks `manifest.policy_packs` in declared order. For each enabled
+ * builtin pack with a registered `configSchema`, runs `safeParse` and
+ * lifts every zod issue into a flat `PolicyPackConfigIssue`. Unknown
+ * pack names are skipped (their resolution gap is the
+ * `checkPolicyPackSources` helper's job); non-builtin sources are
+ * skipped (no schema to consult in v1).
+ *
+ * Output order is stable: packs in manifest order, issues in zod's
+ * native traversal order.
+ */
+export function checkPolicyPackConfigs(manifest) {
+    const issues = [];
+    manifest.policy_packs.forEach((pack, packIndex) => {
+        if (!pack.enabled)
+            return;
+        if (!isBuiltinPackName(pack.name))
+            return;
+        const schema = resolveBuiltinConfigSchema(pack.name);
+        if (!schema)
+            return;
+        const parsed = schema.safeParse(pack.config);
+        if (parsed.success)
+            return;
+        for (const issue of parsed.error.issues) {
+            const configPath = issue.path
+                .map((seg) => (typeof seg === "number" ? `[${seg}]` : String(seg)))
+                .join(".")
+                .replace(/\.\[/g, "[");
+            issues.push({
+                packIndex,
+                packName: pack.name,
+                configPath,
+                message: issue.message,
+                code: issue.code,
+            });
+        }
+    });
+    return issues;
+}
+//# sourceMappingURL=config-check.js.map

package/dist/policy-packs/config-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-check.js","sourceRoot":"","sources":["../../src/policy-packs/config-check.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,6DAA6D;AAC7D,qEAAqE;AACrE,qEAAqE;AACrE,wEAAwE;AACxE,qEAAqE;AACrE,qEAAqE;AACrE,kEAAkE;AAClE,gEAAgE;AAChE,aAAa;AACb,EAAE;AACF,wEAAwE;AACxE,wEAAwE;AACxE,qEAAqE;AACrE,uEAAuE;AACvE,oEAAoE;AAGpE,OAAO,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,MAAM,eAAe,CAAC;AAqB9E;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAAkB;IAElB,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,EAAE;QAChD,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO;QAC1B,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO;QAC1C,MAAM,MAAM,GAAG,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM;YAAE,OAAO;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,MAAM,CAAC,OAAO;YAAE,OAAO;QAC3B,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACxC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI;iBAC1B,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;iBAClE,IAAI,CAAC,GAAG,CAAC;iBACT,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACzB,MAAM,CAAC,IAAI,CAAC;gBACV,SAAS;gBACT,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,UAAU;gBACV,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,IAAI,EAAE,KAAK,CAAC,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/policy-packs/expand.js

@@ -2,10 +2,11 @@
 //
 // Walks the manifest's enabled packs, parses each `source:` string,
 // resolves builtin packs through the registry, and aggregates their
-// contributions (hooks + files). Unrecognised sources or unknown builtin
-// names produce non-fatal warnings here; `harness validate` is the
-// place that turns the same conditions into hard errors so the user
-// sees them at lint time, not silently at apply time.
+// contributions (hooks + files). Unrecognised sources / unknown builtin
+// names are caught up front by `checkPolicyPackSources` (called from
+// both `harness apply` and `harness validate`), so the warning + skip
+// branches below are belt-and-braces: they only trigger if a caller
+// invokes `expandPolicyPacks` directly without the pre-check.
 //
 // Hook-name collision handling: pack hooks are namespaced
 // (`policy-pack:<name>:<role>`) by the builtin definitions, so a user

package/dist/policy-packs/expand.js.map

@@ -1 +1 @@
-{"version":3,"file":"expand.js","sourceRoot":"","sources":["../../src/policy-packs/expand.ts"],"names":[],"mappings":"AAAA,oDAAoD;AACpD,EAAE;AACF,oEAAoE;AACpE,oEAAoE;AACpE,yEAAyE;AACzE,mEAAmE;AACnE,oEAAoE;AACpE,sDAAsD;AACtD,EAAE;AACF,0DAA0D;AAC1D,sEAAsE;AACtE,uEAAuE;AACvE,qEAAqE;AACrE,oEAAoE;AACpE,qCAAqC;AAIrC,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAgB,MAAM,cAAc,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAK9C,MAAM,UAAU,iBAAiB,CAC/B,QAAkB,EAClB,UAAmB,eAAe,EAClC,OAAiC,EAAE;IAEnC,MAAM,GAAG,GAAwB,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACrF,IAAI,QAAQ,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAEnD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACrE,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,IAAI,cAAc,GAAG,KAAK,CAAC;IAE3B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5B,SAAS;QACX,CAAC;QACD,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,IAAI,YAAY,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACpC,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,aAAa,IAAI,CAAC,SAAS,CAClD,IAAI,CAAC,MAAM,CACZ,+DAA+D,CACjE,CAAC;YACF,SAAS;QACX,CAAC;QACD,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QACrD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,oFAAoF,CAC9G,CAAC;YACF,SAAS;QACX,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACxC,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YAC/C,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,iBAAiB,IAAI,CAAC,IAAI,wGAAwG,CAC5J,CAAC;gBACF,SAAS;YACX,CAAC;YACD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,iBAAiB,IAAI,CAAC,IAAI,oEAAoE,CACxH,CAAC;gBACF,SAAS;YACX,CAAC;YACD,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;QACD,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAC/C,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,EAAE,CAAC;YACtC,cAAc,GAAG,IAAI,CAAC;YACtB,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK;gBAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACzE,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,GAAG;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACrE,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,IAAI;gBAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,+DAA+D;QAC/D,gEAAgE;QAChE,+DAA+D;QAC/D,kEAAkE;QAClE,cAAc;QACd,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACjB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,CAAC;QACD,MAAM,WAAW,GAAgC;YAC/C,KAAK,EAAE,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,EAAE;YAC3B,GAAG,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE;YACvB,IAAI,EAAE,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE;SAC1B,CAAC;QACF,GAAG,CAAC,WAAW,GAAG,WAAW,CAAC;IAChC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
+{"version":3,"file":"expand.js","sourceRoot":"","sources":["../../src/policy-packs/expand.ts"],"names":[],"mappings":"AAAA,oDAAoD;AACpD,EAAE;AACF,oEAAoE;AACpE,oEAAoE;AACpE,wEAAwE;AACxE,qEAAqE;AACrE,sEAAsE;AACtE,oEAAoE;AACpE,8DAA8D;AAC9D,EAAE;AACF,0DAA0D;AAC1D,sEAAsE;AACtE,uEAAuE;AACvE,qEAAqE;AACrE,oEAAoE;AACpE,qCAAqC;AAIrC,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAgB,MAAM,cAAc,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAK9C,MAAM,UAAU,iBAAiB,CAC/B,QAAkB,EAClB,UAAmB,eAAe,EAClC,OAAiC,EAAE;IAEnC,MAAM,GAAG,GAAwB,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACrF,IAAI,QAAQ,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAEnD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACrE,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,IAAI,cAAc,GAAG,KAAK,CAAC;IAE3B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5B,SAAS;QACX,CAAC;QACD,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,IAAI,YAAY,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACpC,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,aAAa,IAAI,CAAC,SAAS,CAClD,IAAI,CAAC,MAAM,CACZ,+DAA+D,CACjE,CAAC;YACF,SAAS;QACX,CAAC;QACD,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QACrD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,oFAAoF,CAC9G,CAAC;YACF,SAAS;QACX,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACxC,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YAC/C,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,iBAAiB,IAAI,CAAC,IAAI,wGAAwG,CAC5J,CAAC;gBACF,SAAS;YACX,CAAC;YACD,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,GAAG,CAAC,QAAQ,CAAC,IAAI,CACf,gBAAgB,IAAI,CAAC,IAAI,iBAAiB,IAAI,CAAC,IAAI,oEAAoE,CACxH,CAAC;gBACF,SAAS;YACX,CAAC;YACD,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;QACD,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAC/C,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,EAAE,CAAC;YACtC,cAAc,GAAG,IAAI,CAAC;YACtB,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,KAAK;gBAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACzE,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,GAAG;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACrE,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,IAAI;gBAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,+DAA+D;QAC/D,gEAAgE;QAChE,+DAA+D;QAC/D,kEAAkE;QAClE,cAAc;QACd,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACjB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,CAAC;QACD,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,CAAC;QACD,MAAM,WAAW,GAAgC;YAC/C,KAAK,EAAE,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,EAAE;YAC3B,GAAG,EAAE,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE;YACvB,IAAI,EAAE,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE;SAC1B,CAAC;QACF,GAAG,CAAC,WAAW,GAAG,WAAW,CAAC;IAChC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/policy-packs/index.d.ts

@@ -1,5 +1,8 @@
 export { expandPolicyPacks, type ExpandPolicyPacksOptions } from "./expand.js";
-export { KNOWN_BUILTIN_PACKS, isBuiltinPackName, resolveBuiltin, type BuiltinPackName, type ResolveBuiltinResult, } from "./registry.js";
+export { KNOWN_BUILTIN_PACKS, isBuiltinPackName, resolveBuiltin, resolveBuiltinConfigSchema, resolveBuiltinVersionCommand, type BuiltinPackName, type ResolveBuiltinResult, } from "./registry.js";
+export { checkPolicyPackConfigs, type PolicyPackConfigIssue, } from "./config-check.js";
+export { checkPolicyPackVersions, type PolicyPackVersionGap, type PolicyPackVersionGapKind, } from "./version-check.js";
 export { KNOWN_RUNTIMES, DEFAULT_RUNTIME, isRuntime, parseRuntime, type Runtime, } from "./runtime.js";
 export { parsePackSource, type PackSourceKind, type PackSourceParseResult } from "./source.js";
+export { checkPolicyPackSources, type PolicyPackSourceIssue, type PolicyPackSourceIssueKind, } from "./source-check.js";
 export type { PackContribution, PackContributionFile, PackExpansionResult, } from "./types.js";

package/dist/policy-packs/index.js

@@ -1,5 +1,8 @@
 export { expandPolicyPacks } from "./expand.js";
-export { KNOWN_BUILTIN_PACKS, isBuiltinPackName, resolveBuiltin, } from "./registry.js";
+export { KNOWN_BUILTIN_PACKS, isBuiltinPackName, resolveBuiltin, resolveBuiltinConfigSchema, resolveBuiltinVersionCommand, } from "./registry.js";
+export { checkPolicyPackConfigs, } from "./config-check.js";
+export { checkPolicyPackVersions, } from "./version-check.js";
 export { KNOWN_RUNTIMES, DEFAULT_RUNTIME, isRuntime, parseRuntime, } from "./runtime.js";
 export { parsePackSource } from "./source.js";
+export { checkPolicyPackSources, } from "./source-check.js";
 //# sourceMappingURL=index.js.map

package/dist/policy-packs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy-packs/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAiC,MAAM,aAAa,CAAC;AAC/E,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,cAAc,GAGf,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,cAAc,EACd,eAAe,EACf,SAAS,EACT,YAAY,GAEb,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,eAAe,EAAmD,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy-packs/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAiC,MAAM,aAAa,CAAC;AAC/E,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,cAAc,EACd,0BAA0B,EAC1B,4BAA4B,GAG7B,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,sBAAsB,GAEvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,uBAAuB,GAGxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,cAAc,EACd,eAAe,EACf,SAAS,EACT,YAAY,GAEb,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,eAAe,EAAmD,MAAM,aAAa,CAAC;AAC/F,OAAO,EACL,sBAAsB,GAGvB,MAAM,mBAAmB,CAAC"}

package/dist/policy-packs/registry.d.ts

@@ -1,3 +1,4 @@
+import type { z } from "zod";
 import type { PolicyPack } from "../schema/index.js";
 import { type ResolvePackOptions } from "./builtin/understanding-before-execution.js";
 import { type Runtime } from "./runtime.js";
@@ -10,3 +11,22 @@ export interface ResolveBuiltinResult {
     warnings: string[];
 }
 export declare function resolveBuiltin(pack: PolicyPack, runtime?: Runtime, opts?: ResolvePackOptions): ResolveBuiltinResult | null;
+/**
+ * Per-builtin `config:` schema lookup. Returns null when the pack name
+ * is not a builtin (caller should already have flagged that via
+ * `checkPolicyPackSources`), and a schema when one is registered.
+ * Consumed by `checkPolicyPackConfigs` so `harness validate` /
+ * `harness doctor` catch typo'd keys at lint time.
+ */
+export declare function resolveBuiltinConfigSchema(packName: string): z.ZodTypeAny | null;
+/**
+ * Canonical version-probe command for a builtin pack's package-side bin.
+ * Returns `null` when the pack name is not a builtin (caller should
+ * already have flagged that via `checkPolicyPackSources`), or when the
+ * pack has no separate package-side bin (e.g. `branch-protection`'s
+ * blocker is harness itself, no external binary to probe). Consumed by
+ * `checkPolicyPackVersions` so `harness doctor` can compare the
+ * installed version against an operator-declared pack-level
+ * `min_version` floor.
+ */
+export declare function resolveBuiltinVersionCommand(packName: string): readonly [string, string] | null;

package/dist/policy-packs/registry.js

@@ -4,8 +4,8 @@
 // builtins are added by appending to `KNOWN_BUILTIN_PACKS` and a case
 // arm in `resolveBuiltin()`. Non-builtin sources (path/npm/git) are
 // out of scope for v1; their resolution lands in a later sub-task.
-import { PACK_NAME as BRANCH_PROTECTION, resolve as resolveBranchProtection, } from "./builtin/branch-protection.js";
-import { PACK_NAME as UNDERSTANDING_BEFORE_EXECUTION, resolve as resolveUnderstandingBeforeExecution, } from "./builtin/understanding-before-execution.js";
+import { configSchema as branchProtectionConfigSchema, PACK_NAME as BRANCH_PROTECTION, resolve as resolveBranchProtection, } from "./builtin/branch-protection.js";
+import { configSchema as understandingBeforeExecutionConfigSchema, PACK_NAME as UNDERSTANDING_BEFORE_EXECUTION, resolve as resolveUnderstandingBeforeExecution, VERSION_COMMAND as UNDERSTANDING_BEFORE_EXECUTION_VERSION_COMMAND, } from "./builtin/understanding-before-execution.js";
 import { DEFAULT_RUNTIME } from "./runtime.js";
 export const KNOWN_BUILTIN_PACKS = [
     UNDERSTANDING_BEFORE_EXECUTION,
@@ -24,4 +24,41 @@ export function resolveBuiltin(pack, runtime = DEFAULT_RUNTIME, opts = {}) {
             return resolveBranchProtection(pack, runtime);
     }
 }
+/**
+ * Per-builtin `config:` schema lookup. Returns null when the pack name
+ * is not a builtin (caller should already have flagged that via
+ * `checkPolicyPackSources`), and a schema when one is registered.
+ * Consumed by `checkPolicyPackConfigs` so `harness validate` /
+ * `harness doctor` catch typo'd keys at lint time.
+ */
+export function resolveBuiltinConfigSchema(packName) {
+    if (!isBuiltinPackName(packName))
+        return null;
+    switch (packName) {
+        case UNDERSTANDING_BEFORE_EXECUTION:
+            return understandingBeforeExecutionConfigSchema;
+        case BRANCH_PROTECTION:
+            return branchProtectionConfigSchema;
+    }
+}
+/**
+ * Canonical version-probe command for a builtin pack's package-side bin.
+ * Returns `null` when the pack name is not a builtin (caller should
+ * already have flagged that via `checkPolicyPackSources`), or when the
+ * pack has no separate package-side bin (e.g. `branch-protection`'s
+ * blocker is harness itself, no external binary to probe). Consumed by
+ * `checkPolicyPackVersions` so `harness doctor` can compare the
+ * installed version against an operator-declared pack-level
+ * `min_version` floor.
+ */
+export function resolveBuiltinVersionCommand(packName) {
+    if (!isBuiltinPackName(packName))
+        return null;
+    switch (packName) {
+        case UNDERSTANDING_BEFORE_EXECUTION:
+            return UNDERSTANDING_BEFORE_EXECUTION_VERSION_COMMAND;
+        case BRANCH_PROTECTION:
+            return null;
+    }
+}
 //# sourceMappingURL=registry.js.map

package/dist/policy-packs/registry.js.map

@@ -1 +1 @@
-{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/policy-packs/registry.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,oEAAoE;AACpE,mEAAmE;AAGnE,OAAO,EACL,SAAS,IAAI,iBAAiB,EAC9B,OAAO,IAAI,uBAAuB,GACnC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,SAAS,IAAI,8BAA8B,EAC3C,OAAO,IAAI,mCAAmC,GAE/C,MAAM,6CAA6C,CAAC;AACrD,OAAO,EAAE,eAAe,EAAgB,MAAM,cAAc,CAAC;AAG7D,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,8BAA8B;IAC9B,iBAAiB;CACT,CAAC;AAGX,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,OAAQ,mBAAyC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACnE,CAAC;AAOD,MAAM,UAAU,cAAc,CAC5B,IAAgB,EAChB,UAAmB,eAAe,EAClC,OAA2B,EAAE;IAE7B,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,QAAQ,IAAI,CAAC,IAAuB,EAAE,CAAC;QACrC,KAAK,8BAA8B;YACjC,OAAO,mCAAmC,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAClE,KAAK,iBAAiB;YACpB,OAAO,uBAAuB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAClD,CAAC;AACH,CAAC"}
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/policy-packs/registry.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,oEAAoE;AACpE,mEAAmE;AAInE,OAAO,EACL,YAAY,IAAI,4BAA4B,EAC5C,SAAS,IAAI,iBAAiB,EAC9B,OAAO,IAAI,uBAAuB,GACnC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,YAAY,IAAI,wCAAwC,EACxD,SAAS,IAAI,8BAA8B,EAC3C,OAAO,IAAI,mCAAmC,EAC9C,eAAe,IAAI,8CAA8C,GAElE,MAAM,6CAA6C,CAAC;AACrD,OAAO,EAAE,eAAe,EAAgB,MAAM,cAAc,CAAC;AAG7D,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,8BAA8B;IAC9B,iBAAiB;CACT,CAAC;AAGX,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,OAAQ,mBAAyC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACnE,CAAC;AAOD,MAAM,UAAU,cAAc,CAC5B,IAAgB,EAChB,UAAmB,eAAe,EAClC,OAA2B,EAAE;IAE7B,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,QAAQ,IAAI,CAAC,IAAuB,EAAE,CAAC;QACrC,KAAK,8BAA8B;YACjC,OAAO,mCAAmC,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAClE,KAAK,iBAAiB;YACpB,OAAO,uBAAuB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAClD,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CACxC,QAAgB;IAEhB,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,QAAQ,QAA2B,EAAE,CAAC;QACpC,KAAK,8BAA8B;YACjC,OAAO,wCAAwC,CAAC;QAClD,KAAK,iBAAiB;YACpB,OAAO,4BAA4B,CAAC;IACxC,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,4BAA4B,CAC1C,QAAgB;IAEhB,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9C,QAAQ,QAA2B,EAAE,CAAC;QACpC,KAAK,8BAA8B;YACjC,OAAO,8CAA8C,CAAC;QACxD,KAAK,iBAAiB;YACpB,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC"}

package/dist/policy-packs/source-check.d.ts

@@ -0,0 +1,28 @@
+import type { Manifest } from "../schema/index.js";
+export type PolicyPackSourceIssueKind = "unknown-source" | "unknown-builtin";
+export interface PolicyPackSourceIssue {
+    packIndex: number;
+    packName: string;
+    kind: PolicyPackSourceIssueKind;
+    /** Raw `source:` string for `unknown-source`; absent for `unknown-builtin`. */
+    source?: string;
+    /**
+     * Path suffix matching the validate Diagnostic shape: `source` or `name`.
+     * Not independent of `kind` — `unknown-source` always pairs with `source`,
+     * `unknown-builtin` with `name`. Carried explicitly so call sites
+     * (apply error text, validate Diagnostic.path) don't each re-derive it.
+     */
+    field: "source" | "name";
+    message: string;
+}
+/**
+ * Walks `manifest.policy_packs` in declared order and returns one issue
+ * per offending enabled pack. Output order is stable and matches the
+ * manifest array order — call sites rely on this when aggregating
+ * messages, and `tests/policy-packs/source-check.test.ts` asserts it.
+ *
+ * `enabled: false` packs are skipped on both sides: an operator who has
+ * intentionally stashed an unfinished pack reference shouldn't have
+ * apply or validate red until they re-enable it.
+ */
+export declare function checkPolicyPackSources(manifest: Manifest): PolicyPackSourceIssue[];