@neurcode-ai/governance-runtime 0.1.1 → 0.1.3

package/src/constraints.ts

@@ -7,6 +7,22 @@ export interface DeterministicConstraintRule {
   displayName: string;
   pattern: RegExp;
   matchToken: string;
+  provenance?: DeterministicConstraintProvenance;
+  pathIncludePatterns?: string[];
+  pathExcludePatterns?: string[];
+  pathIncludes?: RegExp[];
+  pathExcludes?: RegExp[];
+  minMatchesPerFile?: number;
+  maxMatchesPerFile?: number;
+  evaluationMode?: 'added_lines' | 'full_file' | 'signature_delta';
+  evaluationScope?: 'file' | 'repo';
+}
+
+export interface DeterministicConstraintProvenance {
+  why: string;
+  evidence: string[];
+  contributingGraphPaths: string[];
+  trustBoundaries: string[];
 }
 
 export interface DeterministicConstraintCompilation {
@@ -27,6 +43,11 @@ interface ConstraintTemplate {
   matchToken: string;
 }
 
+interface PathScopeMatch {
+  includePatterns: string[];
+  excludePatterns: string[];
+}
+
 const PROHIBITIVE_PATTERN = /\b(no|do not|don't|without|avoid|ban|disallow|never|must not)\b/i;
 
 const CONSTRAINT_TEMPLATES: ConstraintTemplate[] = [
@@ -79,6 +100,27 @@ const CONSTRAINT_TEMPLATES: ConstraintTemplate[] = [
     pattern: /\b(TODO|FIXME)\b/i,
     matchToken: 'todo/fixme',
   },
+  {
+    id: 'no_network_calls',
+    displayName: 'No network calls',
+    triggerTokens: ['network call', 'network calls', 'http call', 'api call', 'external call'],
+    pattern: /\b(fetch\s*\(|axios\.[a-z]+\s*\(|axios\s*\(|XMLHttpRequest\b|http\.request\s*\(|https\.request\s*\(|got\s*\(|superagent\s*\()/i,
+    matchToken: 'network-call',
+  },
+  {
+    id: 'no_child_process',
+    displayName: 'No child_process execution',
+    triggerTokens: ['child_process', 'shell command', 'exec(', 'spawn('],
+    pattern: /\b(child_process|exec\s*\(|execFile\s*\(|spawn\s*\(|fork\s*\()/i,
+    matchToken: 'child_process',
+  },
+  {
+    id: 'no_innerhtml',
+    displayName: 'No innerHTML / dangerouslySetInnerHTML',
+    triggerTokens: ['innerhtml', 'dangerouslysetinnerhtml', 'dom injection'],
+    pattern: /\b(innerHTML|dangerouslySetInnerHTML)\b/i,
+    matchToken: 'innerHTML',
+  },
 ];
 
 function splitStatements(raw: string): string[] {
@@ -95,6 +137,536 @@ function normalizeStatement(statement: string): string {
     .toLowerCase();
 }
 
+function normalizePathScopeToken(rawValue: string): string {
+  return rawValue
+    .trim()
+    .replace(/^[`'"]+|[`'"]+$/g, '')
+    .replace(/\\/g, '/')
+    .replace(/^\.\//, '')
+    .replace(/\/{2,}/g, '/');
+}
+
+function looksLikePathScope(token: string): boolean {
+  if (!token) return false;
+  if (/\s/.test(token)) return false;
+  if (token.includes('/')) return true;
+  if (token.includes('*')) return true;
+  return /\.[a-z0-9]{1,8}$/i.test(token);
+}
+
+function globLikeToRegex(pattern: string): RegExp {
+  const escaped = pattern
+    .split('*')
+    .map((segment) => segment.replace(/[.+^${}()|[\]\\]/g, '\\$&'))
+    .join('.*');
+  return new RegExp(`^${escaped}$`, 'i');
+}
+
+function compilePathPatterns(patterns: string[]): RegExp[] {
+  return patterns
+    .map((pattern) => {
+      try {
+        return globLikeToRegex(pattern);
+      } catch {
+        return null;
+      }
+    })
+    .filter((item): item is RegExp => item instanceof RegExp);
+}
+
+function parsePathScopes(statement: string): PathScopeMatch {
+  const includePatterns = new Set<string>();
+  const excludePatterns = new Set<string>();
+
+  const includeRegex = /\b(?:in|within|under|inside)\s+[`'"]?([A-Za-z0-9_./*?-]+)[`'"]?/gi;
+  const excludeRegex = /\b(?:except|excluding|but\s+not\s+in|not\s+in)\s+[`'"]?([A-Za-z0-9_./*?-]+)[`'"]?/gi;
+
+  for (const match of statement.matchAll(includeRegex)) {
+    const candidate = normalizePathScopeToken(match[1] || '');
+    if (looksLikePathScope(candidate)) {
+      includePatterns.add(candidate);
+    }
+  }
+  for (const match of statement.matchAll(excludeRegex)) {
+    const candidate = normalizePathScopeToken(match[1] || '');
+    if (looksLikePathScope(candidate)) {
+      excludePatterns.add(candidate);
+    }
+  }
+
+  return {
+    includePatterns: [...includePatterns],
+    excludePatterns: [...excludePatterns],
+  };
+}
+
+function uniqueSorted(values: string[]): string[] {
+  return [...new Set(values.filter(Boolean))].sort((left, right) => left.localeCompare(right));
+}
+
+function buildProvenance(input: {
+  why: string;
+  evidence: string[];
+  trustBoundaries: string[];
+  pathScopes: PathScopeMatch;
+}): DeterministicConstraintProvenance {
+  const contributingGraphPaths = input.pathScopes.includePatterns.length > 0
+    ? uniqueSorted(input.pathScopes.includePatterns)
+    : ['<repo-scope>'];
+  return {
+    why: input.why,
+    evidence: uniqueSorted(input.evidence),
+    contributingGraphPaths,
+    trustBoundaries: uniqueSorted(input.trustBoundaries),
+  };
+}
+
+function applyPathScopes(
+  rule: Omit<DeterministicConstraintRule, 'pathIncludePatterns' | 'pathExcludePatterns' | 'pathIncludes' | 'pathExcludes'>,
+  pathScopes: PathScopeMatch
+): DeterministicConstraintRule {
+  const includePatterns = [...pathScopes.includePatterns];
+  const excludePatterns = [...pathScopes.excludePatterns];
+
+  return {
+    ...rule,
+    ...(includePatterns.length > 0
+      ? {
+          pathIncludePatterns: includePatterns,
+          pathIncludes: compilePathPatterns(includePatterns),
+        }
+      : {}),
+    ...(excludePatterns.length > 0
+      ? {
+          pathExcludePatterns: excludePatterns,
+          pathExcludes: compilePathPatterns(excludePatterns),
+        }
+      : {}),
+  };
+}
+
+function escapeRegex(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+function parseInvocationLimitRule(
+  statement: string,
+  source: DeterministicConstraintSource,
+  pathScopes: PathScopeMatch
+): DeterministicConstraintRule | null {
+  const normalized = normalizeStatement(statement);
+
+  const fnPatterns: Array<{
+    regex: RegExp;
+    fnIndex: number;
+    countIndex: number;
+    comparator: 'max' | 'min' | 'exact';
+  }> = [
+    {
+      regex: /\b([a-z_$][a-z0-9_$]*)\s+(?:function\s+)?(?:should\s+be\s+)?(?:invoked|called)\s+(?:only\s+)?(\d+)\s+times?\b/i,
+      fnIndex: 1,
+      countIndex: 2,
+      comparator: 'max',
+    },
+    {
+      regex: /\b([a-z_$][a-z0-9_$]*)\s+(?:function\s+)?(?:should\s+be\s+)?(?:invoked|called)\s+(?:at\s+most|no\s+more\s+than|maximum)\s+(\d+)\s+times?\b/i,
+      fnIndex: 1,
+      countIndex: 2,
+      comparator: 'max',
+    },
+    {
+      regex: /\b([a-z_$][a-z0-9_$]*)\s+(?:function\s+)?(?:should\s+be\s+)?(?:invoked|called)\s+(?:at\s+least|no\s+less\s+than|minimum)\s+(\d+)\s+times?\b/i,
+      fnIndex: 1,
+      countIndex: 2,
+      comparator: 'min',
+    },
+    {
+      regex: /\b([a-z_$][a-z0-9_$]*)\s+(?:function\s+)?(?:should\s+be\s+)?(?:invoked|called)\s+(?:exactly)\s+(\d+)\s+times?\b/i,
+      fnIndex: 1,
+      countIndex: 2,
+      comparator: 'exact',
+    },
+    {
+      regex: /\bonly\s+(\d+)\s+calls?\s+to\s+([a-z_$][a-z0-9_$]*)\b/i,
+      fnIndex: 2,
+      countIndex: 1,
+      comparator: 'max',
+    },
+    {
+      regex: /\bat\s+most\s+(\d+)\s+calls?\s+to\s+([a-z_$][a-z0-9_$]*)\b/i,
+      fnIndex: 2,
+      countIndex: 1,
+      comparator: 'max',
+    },
+    {
+      regex: /\bat\s+least\s+(\d+)\s+calls?\s+to\s+([a-z_$][a-z0-9_$]*)\b/i,
+      fnIndex: 2,
+      countIndex: 1,
+      comparator: 'min',
+    },
+    {
+      regex: /\bexactly\s+(\d+)\s+calls?\s+to\s+([a-z_$][a-z0-9_$]*)\b/i,
+      fnIndex: 2,
+      countIndex: 1,
+      comparator: 'exact',
+    },
+  ];
+
+  let fnName: string | null = null;
+  let rawLimit: string | null = null;
+  let comparator: 'max' | 'min' | 'exact' = 'max';
+
+  for (const pattern of fnPatterns) {
+    const match = normalized.match(pattern.regex);
+    if (!match) {
+      continue;
+    }
+    fnName = match[pattern.fnIndex] || null;
+    rawLimit = match[pattern.countIndex] || null;
+    comparator = pattern.comparator;
+    break;
+  }
+
+  if (!fnName || !rawLimit) {
+    return null;
+  }
+  const limit = Number(rawLimit);
+  if (!Number.isFinite(limit) || limit < 0) {
+    return null;
+  }
+
+  const repoScopeHint = /\b(across\s+(?:the\s+)?(?:repo|repository|codebase)|globally|in\s+the\s+entire\s+repo)\b/i.test(
+    normalized
+  );
+  const displaySuffix =
+    comparator === 'exact'
+      ? `exactly ${limit}`
+      : comparator === 'min'
+        ? `at least ${limit}`
+        : `at most ${limit}`;
+  const minMatches = comparator === 'min' || comparator === 'exact' ? limit : undefined;
+  const maxMatches = comparator === 'max' || comparator === 'exact' ? limit : undefined;
+
+  return applyPathScopes(
+    {
+      id: `${source}:${comparator}_invocations_${fnName.toLowerCase()}${repoScopeHint ? '_repo' : ''}`,
+      source,
+      statement,
+      displayName: `${fnName}() invocation limit (${displaySuffix}${repoScopeHint ? ', repo-wide' : ''})`,
+      pattern: new RegExp(`(?<!function\\s)\\b${escapeRegex(fnName)}\\s*\\(`, 'i'),
+      matchToken: `${fnName}(`,
+      ...(typeof minMatches === 'number' ? { minMatchesPerFile: minMatches } : {}),
+      ...(typeof maxMatches === 'number' ? { maxMatchesPerFile: maxMatches } : {}),
+      evaluationMode: 'full_file',
+      evaluationScope: repoScopeHint ? 'repo' : 'file',
+      provenance: buildProvenance({
+        why: 'Statement imposes deterministic invocation cardinality limits.',
+        evidence: [fnName, rawLimit, comparator, repoScopeHint ? 'repo-scope' : 'file-scope'],
+        trustBoundaries: repoScopeHint ? ['cross-module'] : ['local-module'],
+        pathScopes,
+      }),
+    },
+    pathScopes
+  );
+}
+
+const EXPORTED_SIGNATURE_PATTERN =
+  /\bexport\s+(?:async\s+)?function\s+[A-Za-z_$][A-Za-z0-9_$]*\s*\(|\bexport\s+const\s+[A-Za-z_$][A-Za-z0-9_$]*\s*=\s*(?:async\s*)?\([^)]*\)\s*=>|\bexport\s+(?:interface|type)\s+[A-Za-z_$][A-Za-z0-9_$]*/i;
+
+function parseSignatureDriftRule(
+  statement: string,
+  source: DeterministicConstraintSource,
+  pathScopes: PathScopeMatch
+): DeterministicConstraintRule | null {
+  const normalized = normalizeStatement(statement);
+  const mentionsSignature =
+    /\b(signature|contract|public api|api surface|exported api)\b/i.test(normalized);
+  const mentionsChange =
+    /\b(change|changed|modify|modified|drift|mutation|alter)\b/i.test(normalized);
+  const prohibitive =
+    PROHIBITIVE_PATTERN.test(normalized)
+    || /\bkeep\b/i.test(normalized)
+    || /\bpreserve\b/i.test(normalized);
+
+  if (!mentionsSignature || !mentionsChange || !prohibitive) {
+    return null;
+  }
+
+  return applyPathScopes(
+    {
+      id: `${source}:no_api_signature_drift`,
+      source,
+      statement,
+      displayName: 'No exported API signature drift',
+      pattern: EXPORTED_SIGNATURE_PATTERN,
+      matchToken: 'api-signature-drift',
+      evaluationMode: 'signature_delta',
+      evaluationScope: 'file',
+      provenance: buildProvenance({
+        why: 'Statement protects external API signature stability.',
+        evidence: ['signature', 'public api', 'change/modify'],
+        trustBoundaries: ['public-api', 'external-consumer'],
+        pathScopes,
+      }),
+    },
+    pathScopes
+  );
+}
+
+function parseBackwardCompatibilityRule(
+  statement: string,
+  source: DeterministicConstraintSource,
+  pathScopes: PathScopeMatch
+): DeterministicConstraintRule | null {
+  const normalized = normalizeStatement(statement);
+  const mentionsCompatibility =
+    /\b(backward compatibility|backwards compatibility|breaking change|non-breaking|existing consumers?)\b/i.test(
+      normalized
+    );
+
+  if (!mentionsCompatibility) {
+    return null;
+  }
+
+  return applyPathScopes(
+    {
+      id: `${source}:backward_compatibility`,
+      source,
+      statement,
+      displayName: 'Backward compatibility guard (public contract drift)',
+      pattern: EXPORTED_SIGNATURE_PATTERN,
+      matchToken: 'backward-compatibility',
+      evaluationMode: 'signature_delta',
+      evaluationScope: 'file',
+      provenance: buildProvenance({
+        why: 'Statement requires non-breaking compatibility guarantees for existing consumers.',
+        evidence: ['backward compatibility', 'breaking change', 'existing consumers'],
+        trustBoundaries: ['public-api', 'external-consumer'],
+        pathScopes,
+      }),
+    },
+    pathScopes
+  );
+}
+
+function parseAsyncOrderingRule(
+  statement: string,
+  source: DeterministicConstraintSource,
+  pathScopes: PathScopeMatch
+): DeterministicConstraintRule | null {
+  const normalized = normalizeStatement(statement);
+  const mentionsOrdering =
+    /\b(async ordering|message ordering|out of order|preserve order|ordered workflow|ordering guarantees?|fifo)\b/i.test(
+      normalized
+    );
+  const mentionsParallelRisk =
+    /\b(parallel|promise\.all|allsettled|race|fan-?out|parallelize)\b/i.test(normalized);
+
+  if (!mentionsOrdering && !mentionsParallelRisk) {
+    return null;
+  }
+
+  return applyPathScopes(
+    {
+      id: `${source}:async_ordering`,
+      source,
+      statement,
+      displayName: 'Async ordering guard (parallelization risk)',
+      pattern: /\bPromise\.(?:all|allSettled|race|any)\s*\(|\bp-?map\s*\(|\bparallel(?:ize|Map)?\s*\(/i,
+      matchToken: 'async-ordering',
+      evaluationMode: 'added_lines',
+      evaluationScope: 'file',
+      provenance: buildProvenance({
+        why: 'Statement flags async ordering sensitivity and blocks risky parallel fan-out patterns.',
+        evidence: ['ordering', 'out of order', 'parallel execution'],
+        trustBoundaries: ['async-workflow', 'downstream-capacity'],
+        pathScopes,
+      }),
+    },
+    pathScopes
+  );
+}
+
+function parseEventSchemaConsistencyRule(
+  statement: string,
+  source: DeterministicConstraintSource,
+  pathScopes: PathScopeMatch
+): DeterministicConstraintRule | null {
+  const normalized = normalizeStatement(statement);
+  const mentionsEventSchema =
+    /\b(event schema|event payload|event contract|subscriber|downstream event|schema evolution|required fields?)\b/i.test(
+      normalized
+    );
+
+  if (!mentionsEventSchema) {
+    return null;
+  }
+
+  return applyPathScopes(
+    {
+      id: `${source}:event_schema_consistency`,
+      source,
+      statement,
+      displayName: 'Event/schema consistency guard',
+      pattern:
+        /\b(?:interface|type)\s+[A-Za-z_$][A-Za-z0-9_$]*(?:Event|Payload|Message|Envelope)\b|\bevent[A-Za-z0-9_$]*\s*:\s*|\bschemaVersion\b/i,
+      matchToken: 'event-schema-drift',
+      evaluationMode: 'signature_delta',
+      evaluationScope: 'file',
+      provenance: buildProvenance({
+        why: 'Statement requires event contract continuity for downstream consumers.',
+        evidence: ['event schema', 'subscriber', 'required fields'],
+        trustBoundaries: ['event-bus', 'external-subscriber'],
+        pathScopes,
+      }),
+    },
+    pathScopes
+  );
+}
+
+function parseMultiTenantIsolationRule(
+  statement: string,
+  source: DeterministicConstraintSource,
+  pathScopes: PathScopeMatch
+): DeterministicConstraintRule | null {
+  const normalized = normalizeStatement(statement);
+  const mentionsTenantIsolation =
+    /\b(multi-tenant|tenant isolation|cross-tenant|tenant boundaries?|tenant_id|tenant guard)\b/i.test(normalized);
+
+  if (!mentionsTenantIsolation) {
+    return null;
+  }
+
+  return applyPathScopes(
+    {
+      id: `${source}:multi_tenant_isolation`,
+      source,
+      statement,
+      displayName: 'Multi-tenant isolation guard',
+      pattern:
+        /\b(?:bypassTenant(?:Guard|Scope)?|ignoreTenant(?:Scope)?|crossTenant|allTenants|tenantScope\s*:\s*false|setTenantContext\s*\(\s*null\s*\)|withoutTenantScope)\b/i,
+      matchToken: 'tenant-isolation',
+      evaluationMode: 'full_file',
+      evaluationScope: 'file',
+      provenance: buildProvenance({
+        why: 'Statement enforces tenant boundary safety and isolation constraints.',
+        evidence: ['multi-tenant', 'tenant_id', 'cross-tenant'],
+        trustBoundaries: ['tenant-boundary', 'data-access-layer'],
+        pathScopes,
+      }),
+    },
+    pathScopes
+  );
+}
+
+function parseCacheInvariantRule(
+  statement: string,
+  source: DeterministicConstraintSource,
+  pathScopes: PathScopeMatch
+): DeterministicConstraintRule | null {
+  const normalized = normalizeStatement(statement);
+  const mentionsCache = /\b(cache invalidation|cache invariant|cache keys?|cache consistency|evict cache|clear(?:ing)? (?:shared )?cache|shared cache|invalidate .*cache)\b/i.test(
+    normalized
+  );
+
+  if (!mentionsCache) {
+    return null;
+  }
+
+  return applyPathScopes(
+    {
+      id: `${source}:cache_invariant`,
+      source,
+      statement,
+      displayName: 'Cache invariant guard (global invalidation risk)',
+      pattern:
+        /\b(?:cache\.(?:clear|reset)\s*\(\s*\)|invalidateAll\s*\(|flushAll\s*\(|redis\.flush(?:all|db)\s*\(|\bFLUSH(?:ALL|DB)\b)\b/i,
+      matchToken: 'cache-invariant',
+      evaluationMode: 'added_lines',
+      evaluationScope: 'file',
+      provenance: buildProvenance({
+        why: 'Statement marks cache behavior as operationally sensitive and blocks global flush patterns.',
+        evidence: ['cache invalidation', 'cache key', 'clear cache'],
+        trustBoundaries: ['cache-layer', 'operational-safety'],
+        pathScopes,
+      }),
+    },
+    pathScopes
+  );
+}
+
+function parseIdempotencyRule(
+  statement: string,
+  source: DeterministicConstraintSource,
+  pathScopes: PathScopeMatch
+): DeterministicConstraintRule | null {
+  const normalized = normalizeStatement(statement);
+  const mentionsIdempotency =
+    /\b(idempotency|idempotent|retryable write|retries|exactly once|at-least-once)\b/i.test(normalized);
+
+  if (!mentionsIdempotency) {
+    return null;
+  }
+
+  return applyPathScopes(
+    {
+      id: `${source}:idempotency`,
+      source,
+      statement,
+      displayName: 'Idempotency expectation guard',
+      pattern: /\b(?:idempotency[-_ ]key|x-idempotency-key|idempotencyKey|dedupe(?:Key|Id)?)\b/i,
+      matchToken: 'idempotency-key',
+      minMatchesPerFile: 1,
+      evaluationMode: 'full_file',
+      evaluationScope: 'repo',
+      provenance: buildProvenance({
+        why: 'Statement requires deterministic retry safety via idempotency markers.',
+        evidence: ['idempotency', 'retryable write', 'exactly once'],
+        trustBoundaries: ['api-edge', 'write-path'],
+        pathScopes,
+      }),
+    },
+    pathScopes
+  );
+}
+
+function parseMigrationSafetyRule(
+  statement: string,
+  source: DeterministicConstraintSource,
+  pathScopes: PathScopeMatch
+): DeterministicConstraintRule | null {
+  const normalized = normalizeStatement(statement);
+  const mentionsMigration =
+    /\b(migration safety|schema migration|destructive migration|drop column|drop table|truncate table|backfill safety)\b/i.test(
+      normalized
+    );
+
+  if (!mentionsMigration) {
+    return null;
+  }
+
+  return applyPathScopes(
+    {
+      id: `${source}:migration_safety`,
+      source,
+      statement,
+      displayName: 'Migration safety guard (destructive operation risk)',
+      pattern:
+        /\b(?:DROP\s+COLUMN|DROP\s+TABLE|TRUNCATE\s+TABLE|ALTER\s+TABLE\s+[A-Za-z0-9_`".]+\s+DROP\s+COLUMN|DELETE\s+FROM\s+[A-Za-z0-9_`".]+\s*;)\b/i,
+      matchToken: 'destructive-migration',
+      evaluationMode: 'added_lines',
+      evaluationScope: 'file',
+      provenance: buildProvenance({
+        why: 'Statement requires non-destructive migration behavior for production safety.',
+        evidence: ['migration safety', 'drop column', 'truncate table'],
+        trustBoundaries: ['data-store', 'migration-pipeline'],
+        pathScopes,
+      }),
+    },
+    pathScopes
+  );
+}
+
 function statementMatchesTemplate(normalizedStatement: string, template: ConstraintTemplate): boolean {
   return template.triggerTokens.some((token) => normalizedStatement.includes(token));
 }
@@ -102,16 +674,26 @@ function statementMatchesTemplate(normalizedStatement: string, template: Constra
 function createRule(
   template: ConstraintTemplate,
   source: DeterministicConstraintSource,
-  statement: string
+  statement: string,
+  pathScopes: PathScopeMatch
 ): DeterministicConstraintRule {
-  return {
-    id: `${source}:${template.id}`,
-    source,
-    statement,
-    displayName: template.displayName,
-    pattern: template.pattern,
-    matchToken: template.matchToken,
-  };
+  return applyPathScopes(
+    {
+      id: `${source}:${template.id}`,
+      source,
+      statement,
+      displayName: template.displayName,
+      pattern: template.pattern,
+      matchToken: template.matchToken,
+      provenance: buildProvenance({
+        why: 'Statement matched deterministic constraint template.',
+        evidence: template.triggerTokens,
+        trustBoundaries: ['code-hygiene'],
+        pathScopes,
+      }),
+    },
+    pathScopes
+  );
 }
 
 function compileStatements(
@@ -126,6 +708,60 @@ function compileStatements(
     if (!normalized) {
       continue;
     }
+    const pathScopes = parsePathScopes(rawStatement);
+    const invocationLimitRule = parseInvocationLimitRule(rawStatement, source, pathScopes);
+    if (invocationLimitRule) {
+      rules.push(invocationLimitRule);
+      continue;
+    }
+
+    const signatureDriftRule = parseSignatureDriftRule(rawStatement, source, pathScopes);
+    if (signatureDriftRule) {
+      rules.push(signatureDriftRule);
+      continue;
+    }
+
+    const backwardCompatibilityRule = parseBackwardCompatibilityRule(rawStatement, source, pathScopes);
+    if (backwardCompatibilityRule) {
+      rules.push(backwardCompatibilityRule);
+      continue;
+    }
+
+    const asyncOrderingRule = parseAsyncOrderingRule(rawStatement, source, pathScopes);
+    if (asyncOrderingRule) {
+      rules.push(asyncOrderingRule);
+      continue;
+    }
+
+    const eventSchemaRule = parseEventSchemaConsistencyRule(rawStatement, source, pathScopes);
+    if (eventSchemaRule) {
+      rules.push(eventSchemaRule);
+      continue;
+    }
+
+    const multiTenantRule = parseMultiTenantIsolationRule(rawStatement, source, pathScopes);
+    if (multiTenantRule) {
+      rules.push(multiTenantRule);
+      continue;
+    }
+
+    const cacheInvariantRule = parseCacheInvariantRule(rawStatement, source, pathScopes);
+    if (cacheInvariantRule) {
+      rules.push(cacheInvariantRule);
+      continue;
+    }
+
+    const idempotencyRule = parseIdempotencyRule(rawStatement, source, pathScopes);
+    if (idempotencyRule) {
+      rules.push(idempotencyRule);
+      continue;
+    }
+
+    const migrationSafetyRule = parseMigrationSafetyRule(rawStatement, source, pathScopes);
+    if (migrationSafetyRule) {
+      rules.push(migrationSafetyRule);
+      continue;
+    }
 
     const requiresProhibitiveLanguage = source === 'intent';
     if (requiresProhibitiveLanguage && !PROHIBITIVE_PATTERN.test(normalized)) {
@@ -139,7 +775,7 @@ function compileStatements(
     }
 
     for (const match of matches) {
-      rules.push(createRule(match, source, rawStatement));
+      rules.push(createRule(match, source, rawStatement, pathScopes));
     }
   }
 
@@ -154,7 +790,16 @@ function dedupeRules(rules: DeterministicConstraintRule[]): DeterministicConstra
   const deduped: DeterministicConstraintRule[] = [];
 
   for (const rule of rules) {
-    const key = `${rule.id}::${rule.statement.toLowerCase()}`;
+    const key = [
+      rule.id,
+      rule.statement.toLowerCase(),
+      rule.pathIncludePatterns?.join('|') || '',
+      rule.pathExcludePatterns?.join('|') || '',
+      typeof rule.minMatchesPerFile === 'number' ? String(rule.minMatchesPerFile) : '',
+      typeof rule.maxMatchesPerFile === 'number' ? String(rule.maxMatchesPerFile) : '',
+      rule.evaluationMode || '',
+      rule.evaluationScope || '',
+    ].join('::');
     if (seen.has(key)) {
       continue;
     }