palaryn 0.1.0

package/dist/tests/unit/policy-engine.test.js

@@ -0,0 +1,1345 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const engine_1 = require("../../src/policy/engine");
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Create a temporary directory that is cleaned up automatically. */
+let tmpDir;
+beforeAll(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'policy-engine-test-'));
+});
+afterAll(() => {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+});
+/** Write a YAML string to a temporary file and return its path. */
+function writeTmpYaml(filename, content) {
+    const filePath = path.join(tmpDir, filename);
+    fs.writeFileSync(filePath, content, 'utf-8');
+    return filePath;
+}
+/** Build a minimal valid ToolCall for testing. */
+function buildToolCall(overrides = {}) {
+    return {
+        tool_call_id: 'tc-001',
+        task_id: 'task-001',
+        workspace_id: 'ws-default',
+        actor: {
+            type: 'agent',
+            id: 'agent-1',
+            ...(overrides.actor || {}),
+        },
+        source: {
+            platform: 'langgraph',
+            ...(overrides.source || {}),
+        },
+        tool: {
+            name: 'http.request',
+            capability: 'read',
+            ...(overrides.tool || {}),
+        },
+        args: {
+            method: 'GET',
+            url: 'https://api.github.com/repos',
+            ...(overrides.args || {}),
+        },
+        context: overrides.context,
+        constraints: overrides.constraints,
+        timestamp: overrides.timestamp,
+    };
+}
+// ---------------------------------------------------------------------------
+// A valid minimal policy pack YAML
+// ---------------------------------------------------------------------------
+const VALID_PACK_YAML = `
+name: test_pack
+version: "1.0.0"
+description: "Test policy pack"
+
+rules:
+  - name: "allow-reads"
+    description: "Allow read operations"
+    effect: ALLOW
+    priority: 10
+    conditions:
+      capabilities:
+        - "read"
+
+  - name: "deny-all"
+    description: "Default deny everything else"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe('PolicyEngine', () => {
+    // -----------------------------------------------------------------------
+    // Loading & Parsing
+    // -----------------------------------------------------------------------
+    describe('loadPack (constructor)', () => {
+        it('should load a valid YAML policy pack from disk', () => {
+            const packPath = writeTmpYaml('valid.yaml', VALID_PACK_YAML);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const pack = engine.getPack();
+            expect(pack.name).toBe('test_pack');
+            expect(pack.version).toBe('1.0.0');
+            expect(pack.rules).toHaveLength(2);
+        });
+        it('should throw when the policy pack file does not exist', () => {
+            const missingPath = path.join(tmpDir, 'nonexistent.yaml');
+            expect(() => new engine_1.PolicyEngine(missingPath)).toThrow(/Failed to read policy pack file/);
+        });
+        it('should throw on invalid YAML syntax', () => {
+            const badYaml = writeTmpYaml('bad-syntax.yaml', '{ invalid: yaml: [');
+            expect(() => new engine_1.PolicyEngine(badYaml)).toThrow(/Failed to parse YAML/);
+        });
+        it('should throw when the YAML file contains a non-object (e.g. a scalar)', () => {
+            const scalarYaml = writeTmpYaml('scalar.yaml', 'just a string');
+            expect(() => new engine_1.PolicyEngine(scalarYaml)).toThrow(/does not contain a valid YAML object/);
+        });
+        it('should throw when the YAML file is empty (null content)', () => {
+            const emptyYaml = writeTmpYaml('empty.yaml', '');
+            expect(() => new engine_1.PolicyEngine(emptyYaml)).toThrow(/does not contain a valid YAML object/);
+        });
+        it('should sort rules by priority (ascending) on load', () => {
+            const yaml = `
+name: priority_test
+version: "1.0.0"
+rules:
+  - name: "low-priority"
+    effect: DENY
+    priority: 50
+    conditions: {}
+  - name: "high-priority"
+    effect: ALLOW
+    priority: 5
+    conditions: {}
+  - name: "medium-priority"
+    effect: DENY
+    priority: 25
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('priority.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const pack = engine.getPack();
+            expect(pack.rules[0].name).toBe('high-priority');
+            expect(pack.rules[1].name).toBe('medium-priority');
+            expect(pack.rules[2].name).toBe('low-priority');
+        });
+        it('should place rules without explicit priority at the end', () => {
+            const yaml = `
+name: no_priority_test
+version: "1.0.0"
+rules:
+  - name: "no-priority"
+    effect: DENY
+    conditions: {}
+  - name: "has-priority"
+    effect: ALLOW
+    priority: 10
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('no-priority.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const pack = engine.getPack();
+            expect(pack.rules[0].name).toBe('has-priority');
+            expect(pack.rules[1].name).toBe('no-priority');
+        });
+        it('should load the real default.yaml policy pack successfully', () => {
+            const defaultPath = path.resolve(__dirname, '../../policy-packs/default.yaml');
+            const engine = new engine_1.PolicyEngine(defaultPath);
+            const pack = engine.getPack();
+            expect(pack.name).toBe('default');
+            expect(pack.rules.length).toBeGreaterThanOrEqual(4);
+            expect(pack.rules[0].name).toBe('Block metadata endpoints');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Validation
+    // -----------------------------------------------------------------------
+    describe('validate', () => {
+        it('should return valid for a correctly structured policy pack', () => {
+            const pack = {
+                name: 'valid_pack',
+                version: '1.0.0',
+                rules: [
+                    {
+                        name: 'rule1',
+                        effect: 'ALLOW',
+                        conditions: {},
+                    },
+                ],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(true);
+            expect(result.errors).toHaveLength(0);
+        });
+        it('should return errors when name is missing', () => {
+            const pack = {
+                name: '',
+                version: '1.0.0',
+                rules: [{ name: 'r', effect: 'ALLOW', conditions: {} }],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toEqual(expect.arrayContaining([expect.stringMatching(/non-empty "name" string/)]));
+        });
+        it('should return errors when version is missing', () => {
+            const pack = {
+                name: 'test',
+                version: '',
+                rules: [{ name: 'r', effect: 'ALLOW', conditions: {} }],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toEqual(expect.arrayContaining([expect.stringMatching(/non-empty "version" string/)]));
+        });
+        it('should return errors when rules is not an array', () => {
+            const pack = {
+                name: 'test',
+                version: '1.0.0',
+                rules: 'not-an-array',
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toEqual(expect.arrayContaining([expect.stringMatching(/"rules" array/)]));
+        });
+        it('should return errors for a rule with no name', () => {
+            const pack = {
+                name: 'test',
+                version: '1.0.0',
+                rules: [{ name: '', effect: 'ALLOW', conditions: {} }],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toEqual(expect.arrayContaining([expect.stringMatching(/Rule\[0\].*non-empty "name"/)]));
+        });
+        it('should return errors for a rule with missing effect', () => {
+            const pack = {
+                name: 'test',
+                version: '1.0.0',
+                rules: [{ name: 'r', effect: '', conditions: {} }],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toEqual(expect.arrayContaining([expect.stringMatching(/must have an "effect" string/)]));
+        });
+        it('should return errors for a rule with invalid effect value', () => {
+            const pack = {
+                name: 'test',
+                version: '1.0.0',
+                rules: [{ name: 'r', effect: 'EXECUTE', conditions: {} }],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toEqual(expect.arrayContaining([expect.stringMatching(/invalid effect "EXECUTE"/)]));
+        });
+        it('should return errors for a rule with missing conditions', () => {
+            const pack = {
+                name: 'test',
+                version: '1.0.0',
+                rules: [{ name: 'r', effect: 'ALLOW' }],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toEqual(expect.arrayContaining([expect.stringMatching(/must have a "conditions" object/)]));
+        });
+        it('should return errors when priority is not a finite number', () => {
+            const pack = {
+                name: 'test',
+                version: '1.0.0',
+                rules: [
+                    {
+                        name: 'r',
+                        effect: 'ALLOW',
+                        priority: Infinity,
+                        conditions: {},
+                    },
+                ],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toEqual(expect.arrayContaining([expect.stringMatching(/"priority" must be a finite number/)]));
+        });
+        it('should return errors for an invalid tool_match regex', () => {
+            const pack = {
+                name: 'test',
+                version: '1.0.0',
+                rules: [
+                    {
+                        name: 'r',
+                        effect: 'ALLOW',
+                        conditions: { tool_match: '[invalid(' },
+                    },
+                ],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toEqual(expect.arrayContaining([expect.stringMatching(/conditions.tool_match.*not a valid regex/)]));
+        });
+        it('should return errors for an invalid label_match regex', () => {
+            const pack = {
+                name: 'test',
+                version: '1.0.0',
+                rules: [
+                    {
+                        name: 'r',
+                        effect: 'ALLOW',
+                        conditions: { label_match: '[bad regex(' },
+                    },
+                ],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toEqual(expect.arrayContaining([expect.stringMatching(/conditions.label_match.*not a valid regex/)]));
+        });
+        it('should accept valid tool_match and label_match regex patterns', () => {
+            const pack = {
+                name: 'test',
+                version: '1.0.0',
+                rules: [
+                    {
+                        name: 'r',
+                        effect: 'ALLOW',
+                        conditions: {
+                            tool_match: '^http\\.',
+                            label_match: 'prod|staging',
+                        },
+                    },
+                ],
+            };
+            const result = engine_1.PolicyEngine.validate(pack);
+            expect(result.valid).toBe(true);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // evaluate() -- Decision Types
+    // -----------------------------------------------------------------------
+    describe('evaluate - decisions', () => {
+        it('should return ALLOW decision when a matching ALLOW rule is found', () => {
+            const yaml = `
+name: allow_test
+version: "1.0.0"
+rules:
+  - name: "allow-reads"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      capabilities:
+        - "read"
+`;
+            const packPath = writeTmpYaml('allow.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const result = engine.evaluate(buildToolCall());
+            expect(result.decision).toBe('allow');
+            expect(result.rule_name).toBe('allow-reads');
+        });
+        it('should return DENY decision when a matching DENY rule is found', () => {
+            const yaml = `
+name: deny_test
+version: "1.0.0"
+rules:
+  - name: "deny-writes"
+    effect: DENY
+    priority: 1
+    conditions:
+      capabilities:
+        - "write"
+`;
+            const packPath = writeTmpYaml('deny.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const tc = buildToolCall({ tool: { name: 'db.write', capability: 'write' } });
+            const result = engine.evaluate(tc);
+            expect(result.decision).toBe('deny');
+            expect(result.rule_name).toBe('deny-writes');
+        });
+        it('should return TRANSFORM decision', () => {
+            const yaml = `
+name: transform_test
+version: "1.0.0"
+rules:
+  - name: "strip-auth"
+    description: "Strip authorization header"
+    effect: TRANSFORM
+    priority: 1
+    conditions:
+      tools:
+        - "http.request"
+    transformations:
+      - type: strip_header
+        target: "Authorization"
+`;
+            const packPath = writeTmpYaml('transform.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const result = engine.evaluate(buildToolCall());
+            expect(result.decision).toBe('transform');
+            expect(result.rule_name).toBe('strip-auth');
+            expect(result.transformations).toEqual([
+                { type: 'strip_header', target: 'Authorization' },
+            ]);
+        });
+        it('should return REQUIRE_APPROVAL decision with approval metadata', () => {
+            const yaml = `
+name: approval_test
+version: "1.0.0"
+rules:
+  - name: "require-approval-writes"
+    description: "Writes need approval"
+    effect: REQUIRE_APPROVAL
+    priority: 1
+    conditions:
+      capabilities:
+        - "write"
+    approval:
+      scope: "team_lead"
+      ttl_seconds: 1800
+      reason: "Write operations require approval"
+`;
+            const packPath = writeTmpYaml('approval.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const tc = buildToolCall({ tool: { name: 'db.update', capability: 'write' } });
+            const result = engine.evaluate(tc);
+            expect(result.decision).toBe('require_approval');
+            expect(result.approval).toBeDefined();
+            expect(result.approval.scope).toBe('team_lead');
+            expect(result.approval.ttl_seconds).toBe(1800);
+            expect(result.approval.reason).toBe('Write operations require approval');
+        });
+        it('should apply default DENY when no rules match and no pack default_effect', () => {
+            const yaml = `
+name: no_match_test
+version: "1.0.0"
+rules:
+  - name: "only-specific-tool"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      tools:
+        - "very.specific.tool"
+`;
+            const packPath = writeTmpYaml('no-match.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath, 'DENY');
+            const result = engine.evaluate(buildToolCall());
+            expect(result.decision).toBe('deny');
+            expect(result.rule_name).toBe('__default');
+            expect(result.reasons).toEqual(expect.arrayContaining([expect.stringMatching(/No matching rule found/)]));
+        });
+        it('should use pack-level default_effect when no rules match', () => {
+            const yaml = `
+name: pack_default_test
+version: "1.0.0"
+default_effect: ALLOW
+rules:
+  - name: "only-specific-tool"
+    effect: DENY
+    priority: 1
+    conditions:
+      tools:
+        - "very.specific.tool"
+`;
+            const packPath = writeTmpYaml('pack-default.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath, 'DENY');
+            const result = engine.evaluate(buildToolCall());
+            // Pack-level default_effect takes precedence over constructor default
+            expect(result.decision).toBe('allow');
+            expect(result.rule_name).toBe('__default');
+        });
+        it('should include description in reasons when rule has a description', () => {
+            const yaml = `
+name: desc_test
+version: "1.0.0"
+rules:
+  - name: "described-rule"
+    description: "This rule has a detailed description"
+    effect: ALLOW
+    priority: 1
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('desc.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const result = engine.evaluate(buildToolCall());
+            expect(result.reasons).toContain('This rule has a detailed description');
+            expect(result.reasons).toContain('Matched rule "described-rule"');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // evaluate() -- Condition Matching
+    // -----------------------------------------------------------------------
+    describe('evaluate - condition matching', () => {
+        it('should match on tool name (tools condition)', () => {
+            const yaml = `
+name: tool_name_test
+version: "1.0.0"
+rules:
+  - name: "match-http"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      tools:
+        - "http.request"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('tool-name.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const httpCall = buildToolCall({ tool: { name: 'http.request', capability: 'read' } });
+            expect(engine.evaluate(httpCall).decision).toBe('allow');
+            const dbCall = buildToolCall({ tool: { name: 'db.query', capability: 'read' } });
+            expect(engine.evaluate(dbCall).decision).toBe('deny');
+        });
+        it('should match on tool_match regex', () => {
+            const yaml = `
+name: tool_regex_test
+version: "1.0.0"
+rules:
+  - name: "match-http-wildcard"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      tool_match: "^http\\\\."
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('tool-regex.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const httpCall = buildToolCall({ tool: { name: 'http.request', capability: 'read' } });
+            expect(engine.evaluate(httpCall).decision).toBe('allow');
+            const httpPostCall = buildToolCall({ tool: { name: 'http.post', capability: 'write' } });
+            expect(engine.evaluate(httpPostCall).decision).toBe('allow');
+            const dbCall = buildToolCall({ tool: { name: 'db.query', capability: 'read' } });
+            expect(engine.evaluate(dbCall).decision).toBe('deny');
+        });
+        it('should match on capability', () => {
+            const yaml = `
+name: cap_test
+version: "1.0.0"
+rules:
+  - name: "allow-reads"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      capabilities:
+        - "read"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('capability.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const readCall = buildToolCall({ tool: { name: 'http.request', capability: 'read' } });
+            expect(engine.evaluate(readCall).decision).toBe('allow');
+            const writeCall = buildToolCall({ tool: { name: 'http.request', capability: 'write' } });
+            expect(engine.evaluate(writeCall).decision).toBe('deny');
+        });
+        it('should match on domain extracted from URL in args', () => {
+            const yaml = `
+name: domain_test
+version: "1.0.0"
+rules:
+  - name: "allow-github"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      domains:
+        - "api.github.com"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('domain-match.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const githubCall = buildToolCall({ args: { url: 'https://api.github.com/repos', method: 'GET' } });
+            expect(engine.evaluate(githubCall).decision).toBe('allow');
+            const otherCall = buildToolCall({ args: { url: 'https://evil.com/data', method: 'GET' } });
+            expect(engine.evaluate(otherCall).decision).toBe('deny');
+        });
+        it('should match wildcard subdomain patterns (*.example.com)', () => {
+            const yaml = `
+name: wildcard_domain_test
+version: "1.0.0"
+rules:
+  - name: "allow-aws"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      domains:
+        - "*.amazonaws.com"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('wildcard-domain.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const s3Call = buildToolCall({ args: { url: 'https://s3.amazonaws.com/bucket/key', method: 'GET' } });
+            expect(engine.evaluate(s3Call).decision).toBe('allow');
+            const deepSubCall = buildToolCall({ args: { url: 'https://us-east-1.s3.amazonaws.com/b', method: 'GET' } });
+            expect(engine.evaluate(deepSubCall).decision).toBe('allow');
+            const otherCall = buildToolCall({ args: { url: 'https://evil.com/data', method: 'GET' } });
+            expect(engine.evaluate(otherCall).decision).toBe('deny');
+        });
+        it('should fail domain match when tool call has no URL', () => {
+            const yaml = `
+name: no_url_domain_test
+version: "1.0.0"
+rules:
+  - name: "require-domain"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      domains:
+        - "api.github.com"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('no-url.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            // Must explicitly set url to undefined to override the default in buildToolCall
+            const noUrlCall = buildToolCall({ args: { method: 'GET', url: undefined } });
+            expect(engine.evaluate(noUrlCall).decision).toBe('deny');
+        });
+        it('should match on HTTP method (case-insensitive)', () => {
+            const yaml = `
+name: method_test
+version: "1.0.0"
+rules:
+  - name: "allow-gets"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      methods:
+        - "GET"
+        - "HEAD"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('method.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const getCall = buildToolCall({ args: { method: 'get', url: 'https://api.github.com/repos' } });
+            expect(engine.evaluate(getCall).decision).toBe('allow');
+            const postCall = buildToolCall({ args: { method: 'POST', url: 'https://api.github.com/repos' } });
+            expect(engine.evaluate(postCall).decision).toBe('deny');
+        });
+        it('should fail method match when tool call has no method', () => {
+            const yaml = `
+name: no_method_test
+version: "1.0.0"
+rules:
+  - name: "require-method"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      methods:
+        - "GET"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('no-method.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            // Must explicitly set method to undefined to override the default in buildToolCall
+            const noMethodCall = buildToolCall({ args: { url: 'https://api.github.com/repos', method: undefined } });
+            expect(engine.evaluate(noMethodCall).decision).toBe('deny');
+        });
+        it('should match on actor type (actor_types condition)', () => {
+            const yaml = `
+name: actor_type_test
+version: "1.0.0"
+rules:
+  - name: "allow-agents"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      actor_types:
+        - "agent"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('actor-type.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const agentCall = buildToolCall({ actor: { type: 'agent', id: 'a1' } });
+            expect(engine.evaluate(agentCall).decision).toBe('allow');
+            const userCall = buildToolCall({ actor: { type: 'user', id: 'u1' } });
+            expect(engine.evaluate(userCall).decision).toBe('deny');
+        });
+        it('should match on actor id (actors condition)', () => {
+            const yaml = `
+name: actor_id_test
+version: "1.0.0"
+rules:
+  - name: "allow-specific-actor"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      actors:
+        - "trusted-agent-1"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('actor-id.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const trustedCall = buildToolCall({ actor: { type: 'agent', id: 'trusted-agent-1' } });
+            expect(engine.evaluate(trustedCall).decision).toBe('allow');
+            const untrustedCall = buildToolCall({ actor: { type: 'agent', id: 'unknown-agent' } });
+            expect(engine.evaluate(untrustedCall).decision).toBe('deny');
+        });
+        it('should match on labels (at least one label matches)', () => {
+            const yaml = `
+name: label_test
+version: "1.0.0"
+rules:
+  - name: "allow-production"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      labels:
+        - "production"
+        - "staging"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('labels.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const prodCall = buildToolCall({ context: { labels: ['production', 'important'] } });
+            expect(engine.evaluate(prodCall).decision).toBe('allow');
+            const stagingCall = buildToolCall({ context: { labels: ['staging'] } });
+            expect(engine.evaluate(stagingCall).decision).toBe('allow');
+            const devCall = buildToolCall({ context: { labels: ['development'] } });
+            expect(engine.evaluate(devCall).decision).toBe('deny');
+            const noLabelsCall = buildToolCall();
+            expect(engine.evaluate(noLabelsCall).decision).toBe('deny');
+        });
+        it('should match on label_match regex', () => {
+            const yaml = `
+name: label_regex_test
+version: "1.0.0"
+rules:
+  - name: "allow-env-labels"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      label_match: "^(prod|staging)"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('label-regex.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const prodCall = buildToolCall({ context: { labels: ['production'] } });
+            expect(engine.evaluate(prodCall).decision).toBe('allow');
+            const stagingCall = buildToolCall({ context: { labels: ['staging-test'] } });
+            expect(engine.evaluate(stagingCall).decision).toBe('allow');
+            const devCall = buildToolCall({ context: { labels: ['development'] } });
+            expect(engine.evaluate(devCall).decision).toBe('deny');
+        });
+        it('should match on platforms', () => {
+            const yaml = `
+name: platform_test
+version: "1.0.0"
+rules:
+  - name: "allow-langgraph"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      platforms:
+        - "langgraph"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('platforms.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const lgCall = buildToolCall({ source: { platform: 'langgraph' } });
+            expect(engine.evaluate(lgCall).decision).toBe('allow');
+            const n8nCall = buildToolCall({ source: { platform: 'n8n' } });
+            expect(engine.evaluate(n8nCall).decision).toBe('deny');
+        });
+        it('should match on workspace_ids', () => {
+            const yaml = `
+name: workspace_test
+version: "1.0.0"
+rules:
+  - name: "allow-specific-ws"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      workspace_ids:
+        - "ws-alpha"
+        - "ws-beta"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('workspace.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const alphaCall = buildToolCall();
+            alphaCall.workspace_id = 'ws-alpha';
+            expect(engine.evaluate(alphaCall).decision).toBe('allow');
+            const gammaCall = buildToolCall();
+            gammaCall.workspace_id = 'ws-gamma';
+            expect(engine.evaluate(gammaCall).decision).toBe('deny');
+        });
+        it('should apply AND logic for multiple conditions in a single rule', () => {
+            const yaml = `
+name: and_logic_test
+version: "1.0.0"
+rules:
+  - name: "specific-combo"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      tools:
+        - "http.request"
+      capabilities:
+        - "read"
+      methods:
+        - "GET"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('and-logic.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            // All three conditions match
+            const fullMatch = buildToolCall({
+                tool: { name: 'http.request', capability: 'read' },
+                args: { method: 'GET', url: 'https://example.com' },
+            });
+            expect(engine.evaluate(fullMatch).decision).toBe('allow');
+            // Tool matches, capability matches, but method doesn't
+            const partialMatch = buildToolCall({
+                tool: { name: 'http.request', capability: 'read' },
+                args: { method: 'POST', url: 'https://example.com' },
+            });
+            expect(engine.evaluate(partialMatch).decision).toBe('deny');
+        });
+        it('should match everything when conditions object is empty', () => {
+            const yaml = `
+name: empty_conditions_test
+version: "1.0.0"
+rules:
+  - name: "catch-all"
+    effect: ALLOW
+    priority: 1
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('empty-conditions.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const anyCall = buildToolCall({
+                tool: { name: 'anything', capability: 'admin' },
+                args: { method: 'DELETE', url: 'https://evil.com/destroy' },
+            });
+            expect(engine.evaluate(anyCall).decision).toBe('allow');
+            expect(engine.evaluate(anyCall).rule_name).toBe('catch-all');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // evaluate() -- Priority Ordering
+    // -----------------------------------------------------------------------
+    describe('evaluate - priority ordering', () => {
+        it('should return the first matching rule by priority (lower = higher precedence)', () => {
+            const yaml = `
+name: priority_order_test
+version: "1.0.0"
+rules:
+  - name: "low-priority-allow"
+    effect: ALLOW
+    priority: 50
+    conditions:
+      capabilities:
+        - "read"
+  - name: "high-priority-deny"
+    effect: DENY
+    priority: 5
+    conditions:
+      capabilities:
+        - "read"
+`;
+            const packPath = writeTmpYaml('priority-order.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const readCall = buildToolCall({ tool: { name: 'http.request', capability: 'read' } });
+            const result = engine.evaluate(readCall);
+            // The higher-precedence (lower number) rule should win
+            expect(result.decision).toBe('deny');
+            expect(result.rule_name).toBe('high-priority-deny');
+        });
+        it('should match more specific rules before catch-all when priorities enforce it', () => {
+            const yaml = `
+name: specificity_test
+version: "1.0.0"
+rules:
+  - name: "specific-allow"
+    effect: ALLOW
+    priority: 10
+    conditions:
+      tools:
+        - "http.request"
+      methods:
+        - "GET"
+  - name: "broad-deny"
+    effect: DENY
+    priority: 20
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('specificity.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const getCall = buildToolCall({
+                tool: { name: 'http.request', capability: 'read' },
+                args: { method: 'GET', url: 'https://example.com' },
+            });
+            expect(engine.evaluate(getCall).decision).toBe('allow');
+            const postCall = buildToolCall({
+                tool: { name: 'http.request', capability: 'write' },
+                args: { method: 'POST', url: 'https://example.com' },
+            });
+            expect(engine.evaluate(postCall).decision).toBe('deny');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // evaluate() -- Domain Blocklist / Allowlist (Pack-level)
+    // -----------------------------------------------------------------------
+    describe('evaluate - pack-level domain lists', () => {
+        it('should DENY when domain is in pack-level domain_blocklist', () => {
+            const yaml = `
+name: blocklist_test
+version: "1.0.0"
+domain_blocklist:
+  - "evil.com"
+  - "metadata.google.internal"
+rules:
+  - name: "allow-all"
+    effect: ALLOW
+    priority: 1
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('blocklist.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const evilCall = buildToolCall({ args: { url: 'https://evil.com/steal', method: 'GET' } });
+            const result = engine.evaluate(evilCall);
+            expect(result.decision).toBe('deny');
+            expect(result.rule_name).toBe('__pack_domain_blocklist');
+            expect(result.reasons[0]).toContain('evil.com');
+        });
+        it('should DENY when domain is not in pack-level domain_allowlist', () => {
+            const yaml = `
+name: allowlist_test
+version: "1.0.0"
+domain_allowlist:
+  - "api.github.com"
+  - "api.slack.com"
+rules:
+  - name: "allow-all"
+    effect: ALLOW
+    priority: 1
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('allowlist.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            // Allowed domain
+            const githubCall = buildToolCall({ args: { url: 'https://api.github.com/repos', method: 'GET' } });
+            expect(engine.evaluate(githubCall).decision).toBe('allow');
+            // Not in allowlist
+            const unknownCall = buildToolCall({ args: { url: 'https://unknown.io/api', method: 'GET' } });
+            const result = engine.evaluate(unknownCall);
+            expect(result.decision).toBe('deny');
+            expect(result.rule_name).toBe('__pack_domain_allowlist');
+        });
+        it('should ALLOW tool calls without URL even when domain_allowlist is set', () => {
+            const yaml = `
+name: no_url_allowlist_test
+version: "1.0.0"
+domain_allowlist:
+  - "api.github.com"
+rules:
+  - name: "allow-all"
+    effect: ALLOW
+    priority: 1
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('no-url-allowlist.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            // No URL in args -- domain checks should be skipped
+            const noUrlCall = buildToolCall({ args: { method: 'GET' } });
+            expect(engine.evaluate(noUrlCall).decision).toBe('allow');
+        });
+        it('should support wildcard domains in pack-level blocklist', () => {
+            const yaml = `
+name: wildcard_blocklist_test
+version: "1.0.0"
+domain_blocklist:
+  - "*.evil.com"
+rules:
+  - name: "allow-all"
+    effect: ALLOW
+    priority: 1
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('wildcard-blocklist.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const subdomainCall = buildToolCall({ args: { url: 'https://api.evil.com/steal', method: 'GET' } });
+            expect(engine.evaluate(subdomainCall).decision).toBe('deny');
+            // The root domain itself should also match (*.evil.com -> evil.com)
+            const rootCall = buildToolCall({ args: { url: 'https://evil.com/steal', method: 'GET' } });
+            expect(engine.evaluate(rootCall).decision).toBe('deny');
+        });
+        it('should check blocklist before allowlist', () => {
+            const yaml = `
+name: blocklist_before_allowlist_test
+version: "1.0.0"
+domain_allowlist:
+  - "*.example.com"
+domain_blocklist:
+  - "bad.example.com"
+rules:
+  - name: "allow-all"
+    effect: ALLOW
+    priority: 1
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('blocklist-first.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            // Domain is in both allowlist (via wildcard) and blocklist -- blocklist wins
+            const badCall = buildToolCall({ args: { url: 'https://bad.example.com/data', method: 'GET' } });
+            expect(engine.evaluate(badCall).decision).toBe('deny');
+            expect(engine.evaluate(badCall).rule_name).toBe('__pack_domain_blocklist');
+            // Good subdomain is fine
+            const goodCall = buildToolCall({ args: { url: 'https://good.example.com/data', method: 'GET' } });
+            expect(engine.evaluate(goodCall).decision).toBe('allow');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // evaluate() -- Rule-level domain_blocklist
+    // -----------------------------------------------------------------------
+    describe('evaluate - rule-level domain_blocklist', () => {
+        it('should not match rule when call domain is in rule-level domain_blocklist', () => {
+            const yaml = `
+name: rule_blocklist_test
+version: "1.0.0"
+rules:
+  - name: "allow-gets-except-bad"
+    effect: ALLOW
+    priority: 1
+    conditions:
+      methods:
+        - "GET"
+      domain_blocklist:
+        - "bad.example.com"
+  - name: "deny-all"
+    effect: DENY
+    priority: 100
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('rule-blocklist.yaml', yaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const badCall = buildToolCall({ args: { url: 'https://bad.example.com/data', method: 'GET' } });
+            expect(engine.evaluate(badCall).decision).toBe('deny');
+            expect(engine.evaluate(badCall).rule_name).toBe('deny-all');
+            const goodCall = buildToolCall({ args: { url: 'https://good.example.com/data', method: 'GET' } });
+            expect(engine.evaluate(goodCall).decision).toBe('allow');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // reload()
+    // -----------------------------------------------------------------------
+    describe('reload', () => {
+        it('should reload policy pack from disk reflecting file changes', () => {
+            const yaml1 = `
+name: reload_v1
+version: "1.0.0"
+rules:
+  - name: "deny-all"
+    effect: DENY
+    priority: 1
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('reload.yaml', yaml1);
+            const engine = new engine_1.PolicyEngine(packPath);
+            expect(engine.getPack().name).toBe('reload_v1');
+            expect(engine.evaluate(buildToolCall()).decision).toBe('deny');
+            // Overwrite the file with a new pack
+            const yaml2 = `
+name: reload_v2
+version: "2.0.0"
+rules:
+  - name: "allow-all"
+    effect: ALLOW
+    priority: 1
+    conditions: {}
+`;
+            fs.writeFileSync(packPath, yaml2, 'utf-8');
+            engine.reload();
+            expect(engine.getPack().name).toBe('reload_v2');
+            expect(engine.evaluate(buildToolCall()).decision).toBe('allow');
+        });
+        it('should throw if the reloaded file is invalid', () => {
+            const validYaml = `
+name: reload_valid
+version: "1.0.0"
+rules:
+  - name: "allow-all"
+    effect: ALLOW
+    priority: 1
+    conditions: {}
+`;
+            const packPath = writeTmpYaml('reload-invalid.yaml', validYaml);
+            const engine = new engine_1.PolicyEngine(packPath);
+            expect(engine.getPack().name).toBe('reload_valid');
+            // Overwrite with invalid YAML
+            fs.writeFileSync(packPath, 'just a scalar string', 'utf-8');
+            expect(() => engine.reload()).toThrow(/does not contain a valid YAML object/);
+            // The original pack should still be loaded (reload failed, old pack retained)
+            // Actually, per the implementation, reload() throws, so the internal state
+            // stays as-is because the assignment only happens after loadPack succeeds.
+            expect(engine.getPack().name).toBe('reload_valid');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // fromPack() -- Static Factory
+    // -----------------------------------------------------------------------
+    describe('fromPack', () => {
+        it('should create a working engine from an in-memory PolicyPack', () => {
+            const pack = {
+                name: 'in_memory_pack',
+                version: '1.0.0',
+                rules: [
+                    {
+                        name: 'allow-reads',
+                        effect: 'ALLOW',
+                        priority: 10,
+                        conditions: { capabilities: ['read'] },
+                    },
+                    {
+                        name: 'deny-all',
+                        effect: 'DENY',
+                        priority: 100,
+                        conditions: {},
+                    },
+                ],
+            };
+            const engine = engine_1.PolicyEngine.fromPack(pack);
+            const loaded = engine.getPack();
+            expect(loaded.name).toBe('in_memory_pack');
+            expect(loaded.version).toBe('1.0.0');
+            expect(loaded.rules).toHaveLength(2);
+        });
+        it('should throw on an invalid pack', () => {
+            const badPack = {
+                name: '',
+                version: '1.0.0',
+                rules: [{ name: 'r', effect: 'ALLOW', conditions: {} }],
+            };
+            expect(() => engine_1.PolicyEngine.fromPack(badPack)).toThrow(/Invalid policy pack/);
+        });
+        it('should evaluate rules correctly', () => {
+            const pack = {
+                name: 'eval_test',
+                version: '1.0.0',
+                rules: [
+                    {
+                        name: 'allow-reads',
+                        effect: 'ALLOW',
+                        priority: 10,
+                        conditions: { capabilities: ['read'] },
+                    },
+                    {
+                        name: 'deny-all',
+                        effect: 'DENY',
+                        priority: 100,
+                        conditions: {},
+                    },
+                ],
+            };
+            const engine = engine_1.PolicyEngine.fromPack(pack);
+            const readCall = buildToolCall({ tool: { name: 'http.request', capability: 'read' } });
+            expect(engine.evaluate(readCall).decision).toBe('allow');
+            const writeCall = buildToolCall({ tool: { name: 'http.request', capability: 'write' } });
+            expect(engine.evaluate(writeCall).decision).toBe('deny');
+        });
+        it('should sort rules by priority', () => {
+            const pack = {
+                name: 'sort_test',
+                version: '1.0.0',
+                rules: [
+                    { name: 'low-priority', effect: 'DENY', priority: 50, conditions: {} },
+                    { name: 'high-priority', effect: 'ALLOW', priority: 5, conditions: {} },
+                    { name: 'medium-priority', effect: 'DENY', priority: 25, conditions: {} },
+                ],
+            };
+            const engine = engine_1.PolicyEngine.fromPack(pack);
+            const loaded = engine.getPack();
+            expect(loaded.rules[0].name).toBe('high-priority');
+            expect(loaded.rules[1].name).toBe('medium-priority');
+            expect(loaded.rules[2].name).toBe('low-priority');
+        });
+        it('should not mutate the original pack', () => {
+            const pack = {
+                name: 'no_mutate_test',
+                version: '1.0.0',
+                rules: [
+                    { name: 'z-rule', effect: 'DENY', priority: 50, conditions: {} },
+                    { name: 'a-rule', effect: 'ALLOW', priority: 5, conditions: {} },
+                ],
+            };
+            const originalFirstRule = pack.rules[0].name;
+            engine_1.PolicyEngine.fromPack(pack);
+            // Original pack should be unchanged
+            expect(pack.rules[0].name).toBe(originalFirstRule);
+        });
+        it('should respect the defaultEffect parameter', () => {
+            const pack = {
+                name: 'default_effect_test',
+                version: '1.0.0',
+                rules: [
+                    {
+                        name: 'only-specific',
+                        effect: 'DENY',
+                        priority: 1,
+                        conditions: { tools: ['very.specific.tool'] },
+                    },
+                ],
+            };
+            const engine = engine_1.PolicyEngine.fromPack(pack, 'ALLOW');
+            const result = engine.evaluate(buildToolCall());
+            expect(result.decision).toBe('allow');
+            expect(result.rule_name).toBe('__default');
+        });
+        it('should support domain_allowlist and domain_blocklist', () => {
+            const pack = {
+                name: 'domain_list_test',
+                version: '1.0.0',
+                domain_blocklist: ['evil.com'],
+                domain_allowlist: ['api.github.com'],
+                rules: [
+                    { name: 'allow-all', effect: 'ALLOW', priority: 1, conditions: {} },
+                ],
+            };
+            const engine = engine_1.PolicyEngine.fromPack(pack);
+            const evilCall = buildToolCall({ args: { url: 'https://evil.com/steal', method: 'GET' } });
+            expect(engine.evaluate(evilCall).decision).toBe('deny');
+            const githubCall = buildToolCall({ args: { url: 'https://api.github.com/repos', method: 'GET' } });
+            expect(engine.evaluate(githubCall).decision).toBe('allow');
+            const unknownCall = buildToolCall({ args: { url: 'https://unknown.io/api', method: 'GET' } });
+            expect(engine.evaluate(unknownCall).decision).toBe('deny');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // getPack()
+    // -----------------------------------------------------------------------
+    describe('getPack', () => {
+        it('should return the currently loaded policy pack', () => {
+            const packPath = writeTmpYaml('getpack.yaml', VALID_PACK_YAML);
+            const engine = new engine_1.PolicyEngine(packPath);
+            const pack = engine.getPack();
+            expect(pack).toBeDefined();
+            expect(pack.name).toBe('test_pack');
+            expect(pack.version).toBe('1.0.0');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // SSRF Bypass Tests (IPv6 variants)
+    // -----------------------------------------------------------------------
+    describe('SSRF protection - IPv6 bypass vectors', () => {
+        // Use a policy with a domain_allowlist to activate SSRF protection
+        const ssrfPack = {
+            name: 'ssrf_test',
+            version: '1.0.0',
+            domain_allowlist: ['api.github.com', 'api.slack.com'],
+            rules: [
+                {
+                    name: 'allow-all',
+                    effect: 'ALLOW',
+                    priority: 1,
+                    conditions: {},
+                },
+            ],
+        };
+        it('should deny IPv6 unspecified address (::)', () => {
+            const engine = engine_1.PolicyEngine.fromPack(ssrfPack);
+            const tc = buildToolCall({ args: { url: 'http://[::]/secret', method: 'GET' } });
+            const result = engine.evaluate(tc);
+            expect(result.decision).toBe('deny');
+            expect(result.rule_name).toBe('__ssrf_protection');
+        });
+        it('should deny IPv6 documentation range (2001:db8::1)', () => {
+            const engine = engine_1.PolicyEngine.fromPack(ssrfPack);
+            const tc = buildToolCall({ args: { url: 'http://[2001:db8::1]/data', method: 'GET' } });
+            const result = engine.evaluate(tc);
+            expect(result.decision).toBe('deny');
+            expect(result.rule_name).toBe('__ssrf_protection');
+        });
+        it('should deny IPv4-mapped IPv6 loopback (::ffff:127.0.0.1)', () => {
+            const engine = engine_1.PolicyEngine.fromPack(ssrfPack);
+            const tc = buildToolCall({ args: { url: 'http://[::ffff:127.0.0.1]/internal', method: 'GET' } });
+            const result = engine.evaluate(tc);
+            expect(result.decision).toBe('deny');
+            expect(result.rule_name).toBe('__ssrf_protection');
+        });
+        it('should deny IPv4-mapped IPv6 private address (::ffff:10.0.0.1)', () => {
+            const engine = engine_1.PolicyEngine.fromPack(ssrfPack);
+            const tc = buildToolCall({ args: { url: 'http://[::ffff:10.0.0.1]/internal', method: 'GET' } });
+            const result = engine.evaluate(tc);
+            expect(result.decision).toBe('deny');
+            expect(result.rule_name).toBe('__ssrf_protection');
+        });
+    });
+});
+//# sourceMappingURL=policy-engine.test.js.map