domainforge 0.13.0

package/docs/explanations/versioning-strategy.md

@@ -0,0 +1,45 @@
+# Versioning Strategy
+
+DomainForge follows [Semantic Versioning 2.0.0](https://semver.org/).
+
+## Version Format: `MAJOR.MINOR.PATCH`
+
+- **MAJOR**: Incompatible API changes or breaking grammar changes.
+- **MINOR**: Functionality added in a backward-compatible manner.
+- **PATCH**: Backward-compatible bug fixes.
+
+## What Constitutes a Breaking Change?
+
+### 1. Grammar Changes
+
+- **Breaking**: Removing a keyword, changing the syntax of an existing primitive, making an optional field mandatory.
+- **Non-Breaking**: Adding a new primitive, adding an optional field, relaxing a constraint.
+
+### 2. Core API (Rust)
+
+- **Breaking**: Changing public struct fields, altering function signatures in `domainforge-core`.
+- **Non-Breaking**: Adding new methods, internal performance improvements.
+
+### 3. Bindings (Python/TS)
+
+- **Breaking**: Renaming a class or method exposed to the host language.
+- **Non-Breaking**: Exposing previously internal methods.
+
+## Release Coordination
+
+Because `domainforge-core` and the bindings are in the same repository (monorepo style), they share a version number.
+
+- When `domainforge-core` bumps to `0.5.0`, the Python package `domainforge` and NPM package `domainforge` also bump to `0.5.0`.
+
+## Deprecation Policy
+
+Before removing a feature:
+
+1. Mark it as deprecated in the documentation.
+2. Add a warning log in the CLI/Parser when the feature is used.
+3. Maintain support for at least one MINOR release cycle.
+
+## See Also
+
+- [Releasing Beta](../playbooks/releasing-beta.md)
+- [Migrating Schema Versions](../playbooks/migrating-schema-versions.md)

package/docs/governance.md

@@ -0,0 +1,168 @@
+# Repository Governance
+
+Branch protection, deployment environments, and release routing for DomainForge.
+
+## Branch Protection: `main`
+
+`main` is the only protected branch. All changes must arrive via pull request.
+
+| Rule | Setting |
+|---|---|
+| Pull request required | Yes |
+| Required approvals | 0 |
+| Dismiss stale reviews | Yes |
+| Require code owner reviews | No |
+| Enforce for admins | Yes |
+| Linear history | Required (squash-merge or rebase-merge; no merge commits) |
+| Force pushes | Blocked |
+| Branch deletions | Blocked |
+| Branch must be up to date | Yes (`strict: true`) |
+
+### Required status checks
+
+A PR cannot merge until all of these pass. Approvals are not required because
+this is currently a solo-maintainer repository; CI remains the merge gate.
+
+| Check | Source workflow | Job |
+|---|---|---|
+| `Lint & Format` | `ci.yml` | `lint` |
+| `Test Rust (ubuntu-latest)` | `ci.yml` | `test-rust` matrix leg |
+| `Test Rust (macos-latest)` | `ci.yml` | `test-rust` matrix leg |
+| `Test Rust (windows-2025-vs2026)` | `ci.yml` | `test-rust` matrix leg |
+| `Test Python (3.11)` | `ci.yml` | `test-python` matrix leg |
+| `Test Python (3.12)` | `ci.yml` | `test-python` matrix leg |
+| `Test TypeScript` | `ci.yml` | `test-typescript` |
+| `Minimal Integration Check` | `ci.yml` | `test-integration` |
+| `Test WASM` | `ci.yml` | `test-wasm` |
+| `Security Audit` | `ci.yml` | `security` (`cargo audit`, blocking) |
+| `dependency-review` | `dependency-review.yml` | `dependency-review` |
+
+### What this means for contributors
+
+- **No direct pushes to `main`.** Push to a feature branch and open a PR.
+- **PR must be up to date** with `main` before merging. Rebase or merge `main` into your branch if CI fails on staleness.
+- **Linear history required.** Use squash-merge or rebase-merge when merging PRs. Do not use create-merge-commit.
+- **Admins are not exempt.** The `enforce_admins` flag is on.
+
+## Environments
+
+This repository does not use GitHub deployment environments. There is no
+`stage` or `prod` environment gate.
+
+Publishing is triggered directly by component tag pushes. The publish
+workflows (`release-crates.yml`, `release-pypi.yml`, `release-npm.yml`)
+handle their own idempotency:
+- crates.io: detects "already published" from cargo output
+- PyPI: `--skip-existing` flag on maturin
+- npm: `npm view <pkg>@<version>` pre-check
+
+This matches the solo-maintainer model: CI on `main` is the merge gate, and
+a component tag push is the publish signal.
+
+## Deploy Pipeline
+
+```
+tag push (domainforge-core-v*, domainforge-v*, domainforge-typescript-v*)
+  │
+  ▼
+deploy.yml (router)
+  ├── identify    (parse tag → component + version)
+  └── dispatch to publish workflow based on component:
+      ├── domainforge-core → release-crates.yml  (crates.io)
+      ├── domainforge      → release-pypi.yml    (PyPI, multi-platform matrix)
+      └── domainforge-typescript → release-npm.yml     (npm + WASM)
+```
+
+Tag shape: `<component>-v<version>` where component is one of `domainforge-core`, `domainforge`, `domainforge-typescript`.
+
+`deploy.yml` does NOT contain build or publish logic itself. It dispatches to
+the same reusable publish workflows that the legacy `release.yml` uses. This
+avoids duplication and keeps a single source of truth for each registry's
+publish process.
+
+## Release Routing (release-please)
+
+`release-please-config.json` and `.release-please-manifest.json` configure independent per-package versioning. Each package gets its own release PR and component-prefixed tag.
+
+| Package | Component | Release type | Tag form |
+|---|---|---|---|
+| `domainforge-core` (Rust) | `domainforge-core` | rust | `domainforge-core-vX.Y.Z` |
+| `domainforge` (Python) | `domainforge` | python | `domainforge-vX.Y.Z` |
+| `@godspeedai/domainforge` (TypeScript) | `domainforge-typescript` | node | `domainforge-typescript-vX.Y.Z` |
+
+### Release-please trigger
+
+`.github/workflows/release-please.yml` triggers on `push: branches: [main]` and opens/updates release PRs for each configured package.
+
+## Conventional Commits Enforcement
+
+`commitlint` + `lefthook` enforce conventional commit format on every commit via a `commit-msg` hook.
+
+- Config: `commitlint.config.cjs`
+- Hook: `lefthook.yml` → `commit-msg` → `npx commitlint --edit {1}`
+
+### Required format
+
+```
+<type>(<scope>): <subject>
+```
+
+- `type` must be a conventional type (`feat`, `fix`, `docs`, `refactor`, `test`, `chore`, `build`, `ci`, `perf`, `revert`, etc.)
+- `scope` is **required** and must be one of 29 allowed values (see `commitlint.config.cjs` for the full list)
+- `subject` must be non-empty
+
+### Allowed scopes
+
+**Release-please components:** `domainforge-core`, `domainforge`, `domainforge-typescript`
+
+**Meta:** `ci`, `deps`, `repo`
+
+**Historical (from commit history):** `bindings`, `calm`, `cli`, `code`, `core`, `docs`, `format`, `grammar`, `graph`, `new_docs`, `parser`, `pkg`, `pyo3`, `policy`, `python`, `registry`, `release`, `semantic-pack`, `authority`, `test`, `tests`, `units`, `wasm`
+
+**Note:** commitlint uses `scope-case: kebab-case` enforcement only (no static allowlist). The components above reflect the release-please package keys and historical usage.
+
+### Bypass
+
+The hook is local-only (lefthook installs to `.git/hooks/`). CI does not run commitlint. To bypass locally, use `git commit --no-verify` (discouraged).
+
+## Package Layout
+
+release-please v4 manifest mode resolves file paths as `<package-key>/<file>`.
+Each package's version file must live in a directory matching its key:
+
+| Package | Directory | Version file |
+|---|---|---|
+| `domainforge-core` | `domainforge-core/` | `Cargo.toml` |
+| `domainforge` | `domainforge-python/` | `pyproject.toml` |
+| `domainforge-typescript` | `domainforge-typescript/` | `package.json` |
+
+The root `package.json` is a private workspace root for dev dependencies
+(commitlint, lefthook, vitest). It is NOT published. The root `Cargo.toml`
+defines the Rust workspace; `domainforge-core/Cargo.toml` is the sole published crate.
+
+## Secrets
+
+| Secret | Used by | Purpose |
+|---|---|---|
+| `GITHUB_TOKEN` | All workflows | Automatic GitHub API token (cannot trigger downstream workflows) |
+| `CREATE_PR_TOKEN` | `release-please.yml`, `prepare-release.yml` | PAT for creating PRs and tags that trigger downstream workflows |
+| `SOPS_AGE_KEY` | `release-pypi.yml`, `release-npm.yml`, `release-crates.yml` | Decrypts `secrets/secrets.yaml` via sops |
+| `PYPI_API_TOKEN` | `release-pypi.yml` | PyPI publishing fallback (primary token is sops-decrypted) |
+
+## Tool Versions
+
+| Tool | Required version | Verification |
+|---|---|---|
+| `release-please-action` | `v4.4.1`, pinned in `.github/workflows/release-please.yml` by commit SHA | Inspect the workflow `uses:` line |
+| `@commitlint/cli` | `^21.0.2`, installed from `package.json` | `npx commitlint --version` |
+| `@commitlint/config-conventional` | `^21.0.2`, installed from `package.json` | `npm ls @commitlint/config-conventional` |
+| `lefthook` | `^2.1.9`, installed from `package.json` | `npx lefthook version` |
+
+Keep commitlint packages on the same major version. Lefthook v2 syntax is used
+in `lefthook.yml`; do not downgrade to v1 without testing hook compatibility.
+
+## See Also
+
+- [Release Process](./RELEASE_PROCESS.md) — How to cut a release
+- [Workflows](../.github/workflows/README.md) — CI/CD workflow documentation
+- [Contributing](../CONTRIBUTING.md) — Developer setup and PR process

package/docs/how-tos/README.md

@@ -0,0 +1,46 @@
+# How-Tos — DomainForge
+
+Purpose: Solve a single task quickly and efficiently with concise, practical instructions.
+
+## MECE checklist for a How-To page
+
+- Short summary of the outcome
+- Required prerequisites (tools, permissions, environment)
+- Step-by-step instructions
+- Common pitfalls and troubleshooting
+- Links to related Tutorials, Reference, and Playbooks
+
+## Current Guides
+
+### Setup & Installation
+
+- [Install CLI](install-cli.md)
+
+### Parsing & Validation
+
+- [Parse SEA Files](parse-sea-files.md)
+
+### Domain Modeling
+
+- [Define Policies](define-policies.md)
+- [Create Custom Units](create-custom-units.md)
+- [Policy Evaluation Modes](policy-evaluation-modes.md)
+- [Use Modules and Imports](use-modules-imports.md) ⭐ NEW
+
+### Export & Projection
+
+- [Export to CALM](export-to-calm.md)
+- [Export to Protobuf](export-to-protobuf.md) ⭐ NEW
+- [Generate RDF/Turtle](generate-rdf-turtle.md)
+
+### Import
+
+- [Import from CALM](import-from-calm.md)
+- [Import from SBVR](import-from-sbvr.md) ⭐ NEW
+
+### Development & CI
+
+- [Run Cross-Language Tests](run-cross-language-tests.md)
+- [CI/CD Validation](ci-cd-validation.md)
+- [Troubleshoot NAPI Builds](troubleshoot-napi-builds.md)
+- [Extend Grammar](extend-grammar.md)

package/docs/how-tos/ci-cd-validation.md

@@ -0,0 +1,93 @@
+# Validate SEA Models in CI/CD
+
+Goal: run `sea` validation in CI pipelines with machine-readable output and PR feedback.
+
+## Prerequisites
+
+- Rust toolchain installed in the CI runner.
+- Access to the repository containing `.sea` models (checked out in the workflow).
+- Optional: Python/Node for post-processing JSON results.
+
+## Steps
+
+1. **Install and build the CLI**
+
+   ```yaml
+   - uses: actions/checkout@v4
+   - uses: actions-rust-lang/setup-rust-toolchain@v1
+   - name: Build SEA CLI
+     run: |
+       cd domainforge-core
+       cargo build --release --bin domainforge --features cli
+   ```
+
+2. **Validate models with JSON output**
+
+   ```yaml
+   - name: Validate models
+     run: |
+       ./target/release/domainforge validate --format json models/ > validation-results.json
+   ```
+
+   - Exit code is non-zero on failure; wrap with `|| true` if you want to parse the report first.
+
+3. **Parse and fail the job on violations**
+
+   ```yaml
+   - name: Parse validation results
+     if: always()
+     run: |
+       python3 <<'PY'
+       import json, sys
+       results = json.load(open("validation-results.json"))
+       errors = results.get("error_count", 0)
+       if errors:
+           print(f"❌ Validation failed with {errors} errors")
+           for v in results.get("violations", []):
+               print(f"- [{v.get('severity','').upper()}] {v.get('policy_name')}: {v.get('message')}")
+           sys.exit(1)
+       print(f"✅ Validation passed ({len(results.get('violations', []))} checks)")
+       PY
+   ```
+
+4. **Optional: Comment on pull requests**
+
+   ```yaml
+   - name: Comment on PR
+     if: github.event_name == 'pull_request' && always()
+     uses: actions/github-script@v7
+     with:
+       script: |
+         const fs = require('fs');
+         const results = JSON.parse(fs.readFileSync('validation-results.json', 'utf8'));
+         let body = '## SEA DSL Validation Results\n\n';
+         if (results.error_count > 0) {
+           body += `❌ **${results.error_count} errors found**\n\n`;
+           body += '### Violations:\n';
+           results.violations.forEach(v => { body += `- **[${v.severity.toUpperCase()}]** ${v.policy_name}: ${v.message}\n`; });
+         } else {
+           body += `✅ **All validations passed** (${results.violations.length} checks)\n`;
+         }
+         github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, body });
+   ```
+
+5. **Publish artifacts for debugging (optional)**
+
+   ```yaml
+   - uses: actions/upload-artifact@v4
+     if: always()
+     with:
+       name: sea-validation
+       path: validation-results.json
+   ```
+
+## Verification
+
+- Workflow fails when `error_count > 0`.
+- `validation-results.json` contains error codes, locations, and suggestions for CI parsing.
+
+## See also
+
+- [CLI Commands](../reference/cli-commands.md) (`validate`, `explain` flags)
+- [Error Codes](../reference/error-codes.md) for interpreting violations
+- [Configuration](../reference/configuration.md) for registry and logging options

package/docs/how-tos/create-custom-units.md

@@ -0,0 +1,125 @@
+# Create Custom Units
+
+Goal: Define custom dimensions/units and validate quantities using them in SEA models.
+
+- ## Prerequisites
+
+- SEA CLI installed.
+
+   - For developers building from source: `cargo install --path domainforge-core --features cli` (produces the `sea` binary).
+   - Recommended: install the official GitHub Releases binary for your platform.
+   - Alternates: `cargo install domainforge-core` from crates.io when published, or use the packaged release/installer provided for your OS.
+- Familiarity with resources and flows in the SEA DSL.
+- Optional: Python/TypeScript bindings if you want to assert units programmatically.
+
+## Steps (be concise)
+
+1. **Declare dimensions and units in DSL**
+
+   ```sea
+   Dimension "Currency"
+   Unit "USD" of "Currency" factor 1 base "USD"
+   Unit "EUR" of "Currency" factor 1.07 base "USD"
+   ```
+
+   - `factor` sets the multiplier relative to the base unit.
+   - Always include `base` to avoid ambiguous conversions.
+
+2. **Attach units to resources and flows**
+
+```sea
+Resource "Money" USD
+Entity "Alice"
+Entity "Bob"
+Flow "Money" from "Alice" to "Bob" quantity 100
+```
+
+   - Resources reference the canonical unit.
+   - Flows inherit the resource unit unless explicitly overridden.
+
+3. **Convert units in policies or aggregations**
+
+   ```sea
+   Policy euro_cap as:
+     forall f in flows: (f.resource = "Money" and f.quantity <= 10000)
+   ```
+
+   - Keep comparisons in the resource's canonical unit to avoid ambiguous conversions.
+
+4. **Create the example file and validate with the CLI**
+
+   Create `examples/custom_units.sea` (this file contains the model used by the following examples):
+
+```bash
+mkdir -p examples
+cat > examples/custom_units.sea <<'SEA'
+Dimension "Currency"
+Unit "USD" of "Currency" factor 1 base "USD"
+Unit "EUR" of "Currency" factor 1.07 base "USD"
+
+Resource "Money" USD
+Entity "Alice"
+Entity "Bob"
+Flow "Money" from "Alice" to "Bob" quantity 100
+SEA
+```
+
+   Now validate the file with the CLI:
+
+   ```bash
+   domainforge validate --format human examples/custom_units.sea
+   ```
+
+   This validation will fail if a unit or dimension is missing, duplicated, or forms a circular base chain.
+
+5. **Inspect units in Python (re-using examples/custom_units.sea)**
+
+```python
+from domainforge import Graph
+
+with open("examples/custom_units.sea") as f:
+    graph = Graph.parse(f.read())
+resource = graph.all_resources()[0]
+assert resource.unit == "USD"
+```
+
+6. **Inspect units in TypeScript (re-using examples/custom_units.sea)**
+
+   ```ts
+   import { Graph } from "@godspeedai/domainforge";
+   import { readFileSync } from "fs";
+
+   const graph = Graph.parse(readFileSync("examples/custom_units.sea", "utf8"));
+   console.log(graph.allResources()[0].unit);
+   ```
+
+## Edge Cases
+
+- **Circular bases**: Avoid `USD` base `EUR` and `EUR` base `USD`; validation will fail with a descriptive error.
+- **Precision**: Use decimal notation (`1.07`) to prevent rounding surprises; avoid locale-specific commas.
+- **Namespace scoping**: Declare dimensions/units in the same namespace as consuming resources to prevent lookup failures.
+- **Unit reuse**: Reusing unit names across dimensions is not allowed; pick unique names or namespace them explicitly.
+
+## Testing and Validation Tips
+
+- Add a small regression test under `tests/` that parses the DSL and asserts `graph.all_resources()[0].unit`.
+- When exporting to CALM, confirm that quantities carry the correct `unit` field; run `jq '.models[0].flows[0].quantity' file.calm.json`.
+- Use `domainforge project --format kg` and inspect the Turtle output to ensure unit annotations appear in the KG representation.
+
+## Troubleshooting
+
+- **Unknown unit error**: Define the unit before referencing it in resources/flows.
+- **Factor mismatch**: Ensure factors are numeric; strings or missing values cause parse failures.
+- **Conversion failures**: If policy evaluation fails due to missing conversion paths, verify the base chain is fully connected.
+
+## Verification Checklist
+
+- [ ] Dimension and unit declarations parse without errors.
+- [ ] Resources reference valid units and flows inherit them correctly.
+- [ ] Policy comparisons use consistent units (or canonical units) to avoid mismatches.
+- [ ] CALM/KG exports include the units and survive round-trip import.
+
+## Links
+
+- Tutorials: [First SEA Model](../tutorials/first-sea-model.md)
+- Reference: [Grammar Spec](../reference/grammar-spec.md), [Primitives API](../reference/primitives-api.md)

package/docs/how-tos/define-policies.md

@@ -0,0 +1,119 @@
+# Define Policies
+
+Goal: Author policies in SEA DSL and verify they evaluate correctly across CLI and bindings.
+
+## Prerequisites
+
+- SEA CLI installed with `cli` feature.
+- A validated model that includes entities/resources/flows referenced by the policy.
+- Optional bindings (Python/TypeScript) for programmatic evaluation.
+
+## Steps (be concise)
+
+1. **Write a policy in DSL**
+
+    ```sea
+    Policy payment_threshold as:
+       forall f in flows: (f.resource = "Money" and f.quantity <= 10000 "USD")
+    ```
+
+   - Use comprehensions (`forall`, `exists`) and comparisons (`=`, `<=`, `matches`).
+   - Qualify names with namespaces when needed (`finance/Money`).
+
+2. **Attach predicates to roles or relations**
+
+   ```sea
+   Role "Payer"
+   Role "Payee"
+   Relation "Payment"
+     subject: "Payer"
+     predicate: "pays"
+     object: "Payee"
+     via: flow "Money"
+
+   Policy payer_must_exist as:
+     forall r in relations: (r.name = "Payment" and r.subject = "Payer")
+   ```
+
+3. **Validate the policy with the CLI**
+
+   ```bash
+   domainforge validate --format human examples/policies.sea
+   ```
+
+   - Reports semantic errors (unknown identifiers, unit mismatches) with line/column.
+   - Use `--format json` for machine-readable diagnostics.
+
+4. **Evaluate a policy in Python**
+
+   ```python
+   from domainforge import Graph
+   from pathlib import Path
+
+   graph = Graph.parse(Path("examples/policies.sea").read_text())
+   # `policy.json` must be the JSON representation of the Policy object (crate::policy::Policy).
+   # You can create this file by authoring JSON manually or by exporting a policy from an authoring tool.
+   # Example quick generation:
+   # echo '{"id":"policy-uuid","name":"Limit","expression":"forall f in flows: f.quantity <= 1000"}' > policy.json
+   policy_json = Path("policy.json").read_text()
+   result = graph.evaluate_policy(policy_json)
+   print(result.violations)
+   ```
+
+   - Enable three-valued logic for partial data: `graph.set_evaluation_mode(True)`.
+
+5. **Evaluate a policy in TypeScript**
+
+   ```ts
+   import { Graph } from "@godspeedai/domainforge";
+   import { readFileSync } from "fs";
+
+   const graph = Graph.parse(readFileSync("examples/policies.sea", "utf8"));
+   // `policy.json` is a JSON payload matching crate::policy::Policy (id, name, expression, modality)
+   // Create with an authoring tool or echo the JSON as a quick example
+   // echo '{"id":"policy-uuid","name":"Limit","expression":"forall f in flows: f.quantity <= 1000"}' > policy.json
+   const policyJson = readFileSync("policy.json", "utf8");
+   const outcome = graph.evaluatePolicy(policyJson);
+   console.log(outcome.violations);
+   ```
+
+6. **Test policies as part of CI**
+
+   - Add a Rust test under `domainforge-core/tests/` that parses the DSL and calls `graph.evaluate_policy` on representative inputs.
+   - Mirror the test in Python/TypeScript to maintain parity. Use the same DSL snippet to avoid drift.
+   - Run `just all-tests` before merging changes.
+
+## Expression Basics
+
+- **Boolean logic**: `and`, `or`, `not` with standard precedence; wrap complex conditions in parentheses.
+- **Comparisons**: `=`, `!=`, `<`, `<=`, `>`, `>=`, `matches` (regex-like), `contains`, `startswith`, `endswith`.
+- **Quantifiers**: `forall <var> in <collection>: (<predicate>)` and `exists <var> in <collection>: (<predicate>)`.
+- **Three-valued logic**: `Unknown` propagates when operands lack data; enable it when modeling incomplete datasets.
+
+## Best Practices
+
+- Keep policies near the DSL constructs they reference or register them via `.sea-registry.toml` so namespace resolution works.
+- Normalize units before comparison. Prefer quantity literals (e.g., `100 "USD"`) and numeric + quoted unit for annotations (e.g., `@refresh_interval 60 "seconds"`).
+- Use `as "<Unit>"` only where the grammar explicitly supports it — for example as a coercion suffix in an aggregation comprehension (`sum(f in flows: f.quantity as "USD")`).
+- Note: Some examples use the `as "<Unit>"` form where the grammar allows it (e.g., aggregation coercion) to make conversions explicit. Annotation durations and quantity literals follow the canonical forms shown above.
+- Avoid side effects; policies should be deterministic for reproducible validation.
+- Document intent with comments; the parser ignores lines starting with `#`.
+
+## Troubleshooting
+
+- **Unknown identifier**: Ensure entities/resources/roles exist and are in scope; namespaces must match.
+- **Unit mismatch**: Define units and dimensions before using them in policies.
+- **Empty collections**: If `flows` or `relations` are empty, quantifiers may vacuously pass; add explicit existence checks when necessary.
+- **Evaluation differences across bindings**: Rebuild bindings (`maturin develop`, `npm run build`) after changing policy evaluation logic in Rust.
+
+## Verification Checklist
+
+- [ ] `domainforge validate` passes for the policy file.
+- [ ] Policy evaluates consistently in Rust, Python, and TypeScript for the same input.
+- [ ] Unit conversions behave as expected where used.
+- [ ] Documentation and examples updated when adding new operators or predicates.
+
+## Links
+
+- Tutorials: [Getting Started](../tutorials/getting-started.md)
+- Reference: [Grammar Spec](../reference/grammar-spec.md), [Policy Evaluation Logic](../explanations/policy-evaluation-logic.md), [Three-Valued Logic](../explanations/three-valued-logic.md)