cleanlib-sdk 0.4.1__tar.gz

cleanlib_sdk-0.4.1/.gitignore

@@ -0,0 +1,31 @@
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Distribution / packaging
+build/
+dist/
+*.egg-info/
+.eggs/
+*.egg
+
+# Virtual environments
+.venv/
+venv/
+env/
+
+# Tools
+.pytest_cache/
+.ruff_cache/
+.mypy_cache/
+.tox/
+htmlcov/
+.coverage
+.coverage.*
+coverage.xml
+
+# IDE
+.vscode/
+.idea/
+*.swp
+.DS_Store

cleanlib_sdk-0.4.1/PKG-INFO

@@ -0,0 +1,102 @@
+Metadata-Version: 2.4
+Name: cleanlib-sdk
+Version: 0.4.1
+Summary: CleanLibrary Python SDK — mirrors cleanlib-client (Rust SDK) HTTP surface + cycle-5 cosign verdict-attestation
+Project-URL: Homepage, https://bitbucket.org/triamsec/cleanlib-sdk-py
+Project-URL: Source, https://bitbucket.org/triamsec/cleanlib-sdk-py
+Project-URL: Documentation, https://bitbucket.org/triamsec/cleanlib/src/main/workstream-specs/05-app/sdk-substrate-rev1.md
+Author: CleanStart
+License: Proprietary
+Classifier: Development Status :: 2 - Pre-Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Python: >=3.10
+Requires-Dist: httpx>=0.27
+Requires-Dist: pydantic>=2
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
+Requires-Dist: pytest>=8; extra == 'dev'
+Requires-Dist: ruff>=0.5; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# cleanlib-sdk-py
+
+CleanLibrary Python SDK — `asyncio` + `httpx`; mirrors the Rust `cleanlib-client` HTTP surface.
+
+**Status**: `v0.1.0-substrate` (cycle-4 §D.1). Substrate-only — `fetch_verdict` ships; remaining verbs (`scan` / `audit_recent` / `policy_preview` / `fetch_bytes`) iterate cycle-5+.
+
+## Install (cycle-5+; not yet on PyPI)
+
+```bash
+pip install cleanlib-sdk
+```
+
+For cycle-4 substrate, install from this repo:
+
+```bash
+pip install git+https://bitbucket.org/triamsec/cleanlib-sdk-py.git
+```
+
+## Usage
+
+```python
+import asyncio
+from cleanlib_sdk import Client, PolicyDenyError, RiskAcceptanceRequiredError
+
+async def main() -> None:
+    async with Client(
+        endpoint="https://cleanapp.clnstrt.dev",
+        api_key="clk_std_...",   # opaque CleanLibrary access key
+    ) as c:
+        try:
+            v = await c.fetch_verdict("npm", "lodash", "4.17.21")
+            print(f"{v.decision} composite_score={v.composite_score}")
+            print(f"reasoning: {v.reasoning}")
+        except PolicyDenyError as e:
+            print(f"DENIED [{e.reason_code}]: {e.message}")
+        except RiskAcceptanceRequiredError as e:
+            print(f"RISK ACCEPT REQUIRED: {e.message}")
+            if e.docs_url:
+                print(f"see: {e.docs_url}")
+
+asyncio.run(main())
+```
+
+## Error hierarchy
+
+All errors descend from `CleanLibraryError`. Subclasses:
+
+| Exception | HTTP | Triggered by |
+|---|---|---|
+| `PolicyDenyError` | 403 / 451 | `POLICY_DENY_VERDICT` / `POLICY_DENY_RULE_EXPLICIT` |
+| `IntegrityFailureError` | 403 | `INTEGRITY_FAILURE` |
+| `RateLimitExceededError` | 429 | tier-throttled; carries `retry_after_seconds` |
+| `RiskAcceptanceRequiredError` | 403 | `RISK_ACCEPTANCE_REQUIRED` |
+| `AuthenticationError` | 401 / 403 | `KEY_INVALID` / `KEY_EXPIRED` / `KEY_SCOPE_INSUFFICIENT` |
+| `InsufficientDataError` | 403 | `INSUFFICIENT_DATA_FAIL_CLOSED` |
+| `PackageNotFoundError` | 404 | not in catalog + ingest declined |
+| `ServerError` | 5xx | retryable on 502/503/504 |
+| `TransportError` | — | network / TLS / timeout / DNS |
+| `ParseError` | — | response body shape mismatch |
+
+## Development
+
+```bash
+pip install -e ".[dev]"
+pytest
+ruff check .
+```
+
+## Cross-references
+
+- [App workstream substrate spec](https://bitbucket.org/triamsec/cleanlib/src/main/workstream-specs/05-app/sdk-substrate-rev1.md) — canonical surface design
+- [Rust cleanlib-client](https://bitbucket.org/triamsec/cleanlib/src/main/cleanlib-client/) — reference implementation
+- [App customer endpoint contract](https://bitbucket.org/triamsec/cleanlib/src/main/workstream-specs/05-app/app-scope-outline-rev4.md) §9 — HTTP surface contract
+
+## License
+
+Proprietary — CleanStart.

cleanlib_sdk-0.4.1/README.md

@@ -0,0 +1,77 @@
+# cleanlib-sdk-py
+
+CleanLibrary Python SDK — `asyncio` + `httpx`; mirrors the Rust `cleanlib-client` HTTP surface.
+
+**Status**: `v0.1.0-substrate` (cycle-4 §D.1). Substrate-only — `fetch_verdict` ships; remaining verbs (`scan` / `audit_recent` / `policy_preview` / `fetch_bytes`) iterate cycle-5+.
+
+## Install (cycle-5+; not yet on PyPI)
+
+```bash
+pip install cleanlib-sdk
+```
+
+For cycle-4 substrate, install from this repo:
+
+```bash
+pip install git+https://bitbucket.org/triamsec/cleanlib-sdk-py.git
+```
+
+## Usage
+
+```python
+import asyncio
+from cleanlib_sdk import Client, PolicyDenyError, RiskAcceptanceRequiredError
+
+async def main() -> None:
+    async with Client(
+        endpoint="https://cleanapp.clnstrt.dev",
+        api_key="clk_std_...",   # opaque CleanLibrary access key
+    ) as c:
+        try:
+            v = await c.fetch_verdict("npm", "lodash", "4.17.21")
+            print(f"{v.decision} composite_score={v.composite_score}")
+            print(f"reasoning: {v.reasoning}")
+        except PolicyDenyError as e:
+            print(f"DENIED [{e.reason_code}]: {e.message}")
+        except RiskAcceptanceRequiredError as e:
+            print(f"RISK ACCEPT REQUIRED: {e.message}")
+            if e.docs_url:
+                print(f"see: {e.docs_url}")
+
+asyncio.run(main())
+```
+
+## Error hierarchy
+
+All errors descend from `CleanLibraryError`. Subclasses:
+
+| Exception | HTTP | Triggered by |
+|---|---|---|
+| `PolicyDenyError` | 403 / 451 | `POLICY_DENY_VERDICT` / `POLICY_DENY_RULE_EXPLICIT` |
+| `IntegrityFailureError` | 403 | `INTEGRITY_FAILURE` |
+| `RateLimitExceededError` | 429 | tier-throttled; carries `retry_after_seconds` |
+| `RiskAcceptanceRequiredError` | 403 | `RISK_ACCEPTANCE_REQUIRED` |
+| `AuthenticationError` | 401 / 403 | `KEY_INVALID` / `KEY_EXPIRED` / `KEY_SCOPE_INSUFFICIENT` |
+| `InsufficientDataError` | 403 | `INSUFFICIENT_DATA_FAIL_CLOSED` |
+| `PackageNotFoundError` | 404 | not in catalog + ingest declined |
+| `ServerError` | 5xx | retryable on 502/503/504 |
+| `TransportError` | — | network / TLS / timeout / DNS |
+| `ParseError` | — | response body shape mismatch |
+
+## Development
+
+```bash
+pip install -e ".[dev]"
+pytest
+ruff check .
+```
+
+## Cross-references
+
+- [App workstream substrate spec](https://bitbucket.org/triamsec/cleanlib/src/main/workstream-specs/05-app/sdk-substrate-rev1.md) — canonical surface design
+- [Rust cleanlib-client](https://bitbucket.org/triamsec/cleanlib/src/main/cleanlib-client/) — reference implementation
+- [App customer endpoint contract](https://bitbucket.org/triamsec/cleanlib/src/main/workstream-specs/05-app/app-scope-outline-rev4.md) §9 — HTTP surface contract
+
+## License
+
+Proprietary — CleanStart.

cleanlib_sdk-0.4.1/bitbucket-pipelines.yml

@@ -0,0 +1,55 @@
+# CleanLibrary Python SDK CI — per workspace §C.5 + §C.6 + pen #16 forward fix.
+#
+# Mirrors the cleanlib repo's commit-prefix discipline + rebase-required
+# detector. Uses a separate CLEANLIB-N counter per sdk-substrate-rev1.md §8.
+
+image: python:3.12-slim
+
+pipelines:
+  default:
+    - step:
+        name: Validate commit message prefix
+        script:
+          # Each commit on the PR branch (since divergence from main) must start with
+          # a CLEANLIB-N prefix per workspace §6.9 discipline. --no-merges per pen #16
+          # avoids false-positives on BB-synthesized merge commits.
+          - |
+            apt-get update -qq && apt-get install -y -qq git >/dev/null
+            BASE_REF=${BITBUCKET_PR_DESTINATION_BRANCH:-main}
+            git fetch origin "$BASE_REF" || true
+            git log --no-merges "origin/$BASE_REF..HEAD" --pretty=format:"%H %s" | while read -r line; do
+              MSG=${line#* }
+              case "$MSG" in
+                CLEANLIB-*) ;;
+                *) echo "❌ commit missing CLEANLIB-N prefix: $line"; exit 1;;
+              esac
+            done
+            echo "✅ commit prefixes OK"
+
+    - step:
+        name: Rebase-required detector
+        script:
+          # Mirrors cleanlib repo §C.6: if merge-base is not on main's HEAD, ask for rebase.
+          - |
+            apt-get update -qq && apt-get install -y -qq git >/dev/null
+            BASE_REF=${BITBUCKET_PR_DESTINATION_BRANCH:-main}
+            git fetch origin "$BASE_REF"
+            MB=$(git merge-base "origin/$BASE_REF" HEAD)
+            HEAD_REMOTE=$(git rev-parse "origin/$BASE_REF")
+            if [ "$MB" != "$HEAD_REMOTE" ]; then
+              echo "❌ Branch is behind origin/$BASE_REF; rebase before merging."
+              echo "  merge-base: $MB"
+              echo "  origin/$BASE_REF: $HEAD_REMOTE"
+              exit 1
+            fi
+            echo "✅ branch current with origin/$BASE_REF"
+
+    - step:
+        name: Lint + test
+        caches:
+          - pip
+        script:
+          - pip install --quiet --upgrade pip
+          - pip install --quiet -e ".[dev]"
+          - ruff check .
+          - pytest -q

cleanlib_sdk-0.4.1/cleanlib_sdk/__init__.py

@@ -0,0 +1,118 @@
+"""CleanLibrary Python SDK — mirrors @cleanstart/cleanlib-sdk v0.4.x.
+
+Cycle-7 v0.4.1:
+- New per-domain HTTP client split (sister-shape with sdk-js v0.4.1)
+  - `HttpRemediationClient` — sparse 7-block /remediation responses
+  - (HttpVerdictClient + HttpEnrichClient land in v0.4.2 ripple)
+- `cleanlib_sdk.reason_codes.ReasonCode` — 15-entry canonical registry (Enum)
+- `cleanlib_sdk.schema` — `VerdictEnvelopeV1` JSON Schema mirror (Python dict literal)
+- `cleanlib_sdk.derive_status.derive_status(envelope)` — algorithm per App
+  dispatch §4 binding contract (substance precedence + freshness override)
+- `cleanlib_sdk.Client` flat-method class → `DeprecationWarning` on __init__
+  (per F5 ratification; scheduled removal v1.0.0)
+
+Schema-locked against `@cleanstart/cleanlib-sdk@0.4.1` tarball sha-1
+`b5f00c160907a6ea1f490f14a9bda6f6de34b8b6`. Cross-SDK contract test verifies
+identical (status, reason_code) on every fixture in
+`cleanlib-contract-fixtures` v1.0.0.
+
+Earlier cycle context:
+- Cycle-5 v0.3.0 added typed `Verdict.attestation`
+- Cycle-6 v0.4.0 added 5-verb cascade + 9 rich-data Optional fields
+"""
+
+from cleanlib_sdk.client import Client
+from cleanlib_sdk.derive_status import StatusResult, derive_status
+from cleanlib_sdk.errors import (
+    AuthenticationError,
+    CleanLibraryError,
+    InsufficientDataError,
+    IntegrityFailureError,
+    PackageNotFoundError,
+    ParseError,
+    PolicyDenyError,
+    RateLimitExceededError,
+    RiskAcceptanceRequiredError,
+    ServerError,
+    TransportError,
+)
+from cleanlib_sdk.http import (
+    DEFAULT_REMEDIATION_BASE_URL,
+    REMEDIATION_CACHE_TTL_SECS,
+    HttpRemediationClient,
+    RemediationBlock,
+    RemediationOrAbsent,
+    RemediationResponse,
+)
+from cleanlib_sdk.reason_codes import ALL_REASON_CODES, ReasonCode
+from cleanlib_sdk.schema import (
+    AVAILABILITY_ENUM,
+    SCHEMA_ID,
+    STATUS_ENUM,
+    VERDICT_ENVELOPE_V1_SCHEMA,
+)
+from cleanlib_sdk.types import (
+    Attestation,
+    AuditWindow,
+    AuditWindowResponse,
+    PackageRef,
+    PackageRisk,
+    PolicyPreviewResponse,
+    PolicyPreviewResult,
+    RecommendedVersion,
+    RiskAcceptResponse,
+    ScanResponse,
+    ScanResult,
+    SignedAttestation,
+    Verdict,
+)
+
+__version__ = "0.4.1"
+
+__all__ = [
+    # v0.4.1 per-domain HTTP clients (primary API)
+    "HttpRemediationClient",
+    "DEFAULT_REMEDIATION_BASE_URL",
+    "REMEDIATION_CACHE_TTL_SECS",
+    "RemediationBlock",
+    "RemediationResponse",
+    "RemediationOrAbsent",
+    # v0.4.1 contract enforcement
+    "ReasonCode",
+    "ALL_REASON_CODES",
+    "VERDICT_ENVELOPE_V1_SCHEMA",
+    "SCHEMA_ID",
+    "STATUS_ENUM",
+    "AVAILABILITY_ENUM",
+    "derive_status",
+    "StatusResult",
+    # cycle-6 v0.4.0 types
+    "Verdict",
+    "Attestation",
+    "SignedAttestation",
+    "RecommendedVersion",
+    "PackageRisk",
+    "PackageRef",
+    "ScanResult",
+    "ScanResponse",
+    "AuditWindow",
+    "AuditWindowResponse",
+    "PolicyPreviewResult",
+    "PolicyPreviewResponse",
+    "RiskAcceptResponse",
+    # Deprecated v0.4.1 (v1.0.0 removal); kept for source-compat with v0.4.0 callers
+    "Client",
+    # Errors
+    "CleanLibraryError",
+    "PolicyDenyError",
+    "IntegrityFailureError",
+    "RateLimitExceededError",
+    "RiskAcceptanceRequiredError",
+    "AuthenticationError",
+    "InsufficientDataError",
+    "PackageNotFoundError",
+    "ServerError",
+    "TransportError",
+    "ParseError",
+    "__version__",
+]

cleanlib_sdk-0.4.1/cleanlib_sdk/client.py

@@ -0,0 +1,236 @@
+"""Async Client — DEPRECATED as of v0.4.1; scheduled removal v1.0.0.
+
+The flat-method `Client` class is superseded by the per-domain client split
+in `cleanlib_sdk.http`:
+
+- `HttpRemediationClient` (v0.4.1; sparse 7-block /remediation responses)
+- `HttpVerdictClient` (v0.4.2 ripple; mirror sdk-js)
+- `HttpEnrichClient` (v0.4.2 ripple; mirror sdk-js)
+
+Existing callers continue to work — instantiating `Client` emits a
+`DeprecationWarning` per F5 ratification (sister-shape with sdk-js v0.4.1
+`CleanlibClient` `@deprecated` shim).
+"""
+
+from __future__ import annotations
+
+import warnings
+from types import TracebackType
+from typing import Optional, Type
+from urllib.parse import quote
+
+import httpx
+
+from cleanlib_sdk.transport import (
+    DEFAULT_TIMEOUT_SECS,
+    auth_headers,
+    map_http_error,
+    validate_endpoint,
+)
+from cleanlib_sdk.types import (
+    AuditWindow,
+    AuditWindowResponse,
+    PackageRef,
+    PolicyPreviewResponse,
+    RiskAcceptResponse,
+    ScanResponse,
+    Verdict,
+)
+
+
+class Client:
+    """DEPRECATED — Async HTTP client for the CleanLibrary App customer endpoints.
+
+    .. deprecated:: 0.4.1
+        Use the per-domain clients in :mod:`cleanlib_sdk.http` instead.
+        Scheduled removal in v1.0.0. Per F5 cycle-7 ratification.
+
+    Example (still works; emits ``DeprecationWarning``)::
+
+        import asyncio
+        from cleanlib_sdk import Client
+
+        async def main():
+            async with Client(
+                endpoint="https://cleanapp.clnstrt.dev",
+                api_key="clk_std_test_001",
+            ) as c:
+                v = await c.fetch_verdict("npm", "lodash", "4.17.21")
+                print(v.decision, v.composite_score)
+
+        asyncio.run(main())
+    """
+
+    def __init__(
+        self,
+        endpoint: str,
+        api_key: Optional[str] = None,
+        api_version: str = "v1",
+        timeout_secs: float = DEFAULT_TIMEOUT_SECS,
+    ) -> None:
+        warnings.warn(
+            "cleanlib_sdk.Client is deprecated as of v0.4.1; use the per-domain "
+            "clients in cleanlib_sdk.http (HttpRemediationClient + HttpVerdictClient "
+            "+ HttpEnrichClient). Scheduled removal v1.0.0.",
+            DeprecationWarning,
+            stacklevel=2,
+        )
+        self.base_url = validate_endpoint(endpoint)
+        self.api_key = api_key
+        self.api_version = api_version
+        self._http = httpx.AsyncClient(
+            headers=auth_headers(api_key),
+            timeout=timeout_secs,
+        )
+
+    async def __aenter__(self) -> "Client":
+        return self
+
+    async def __aexit__(
+        self,
+        exc_type: Optional[Type[BaseException]],
+        exc: Optional[BaseException],
+        tb: Optional[TracebackType],
+    ) -> None:
+        await self._http.aclose()
+
+    async def aclose(self) -> None:
+        await self._http.aclose()
+
+    async def fetch_verdict(self, ecosystem: str, package: str, version: str) -> Verdict:
+        """GET /v1/customer/verdicts/{ecosystem}/{package}/{version}.
+
+        Returns the parsed Verdict on 2xx. Raises a typed CleanLibraryError
+        subclass on non-2xx per the App Rev 4 §9.2 reason-code dispatch.
+        """
+        path = (
+            f"{self.base_url}/{self.api_version}/customer/verdicts/"
+            f"{quote(ecosystem, safe='')}/"
+            f"{quote(package, safe='')}/"
+            f"{quote(version, safe='')}"
+        )
+        resp = await self._http.get(path)
+        if resp.is_error:
+            raise map_http_error(resp)
+        data = resp.json()
+        # Inject request-context fields the App doesn't echo back
+        # (App's customer-verdict endpoint returns canonical cleanlib_core::
+        # Verdict shape without ecosystem/package/version path-param echoes)
+        data.setdefault("ecosystem", ecosystem)
+        data.setdefault("package", package)
+        data.setdefault("version", version)
+        # Derive decision from verdict_label + severity per cycle-4 §D.7
+        # demo policy mapping
+        if data.get("decision") is None:
+            data["decision"] = _derive_decision(
+                data.get("verdict") or data.get("source"),
+                data.get("severity"),
+            )
+        return Verdict.model_validate(data)
+
+    async def scan(self, packages: list[PackageRef]) -> ScanResponse:
+        """POST /v1/scan — resolve verdicts for a batch of packages (PR #99).
+
+        Partial-success: a per-package failure surfaces as `error` on its
+        result entry rather than raising. Mirrors cleanlib-sdk-js `scan`.
+        """
+        body = {"packages": [p.model_dump(by_alias=True) for p in packages]}
+        resp = await self._http.post(f"{self.base_url}/{self.api_version}/scan", json=body)
+        if resp.is_error:
+            raise map_http_error(resp)
+        return ScanResponse.model_validate(resp.json())
+
+    async def audit(self, window: Optional[AuditWindow] = None) -> AuditWindowResponse:
+        """GET /v1/audit?since=&until= — audit-window query (PR #99).
+
+        `backend_status` is an honest signal: "not_wired" + empty records means
+        the endpoint is reachable but the audit store is not yet attached
+        App-side. Mirrors cleanlib-sdk-js `audit`.
+        """
+        params: dict[str, str] = {}
+        if window is not None:
+            if window.since is not None:
+                params["since"] = window.since
+            if window.until is not None:
+                params["until"] = window.until
+        resp = await self._http.get(
+            f"{self.base_url}/{self.api_version}/audit", params=params or None
+        )
+        if resp.is_error:
+            raise map_http_error(resp)
+        return AuditWindowResponse.model_validate(resp.json())
+
+    async def policy_preview(
+        self, policy_yaml: str, packages: list[PackageRef]
+    ) -> PolicyPreviewResponse:
+        """POST /v1/policy/preview — preview a candidate policy YAML against a
+        batch of packages WITHOUT persisting it (PR #99). Raises ParseError/
+        HttpError-equivalent on 400 when the YAML fails to parse. Mirrors
+        cleanlib-sdk-js `policyPreview`.
+        """
+        body = {
+            "policy_yaml": policy_yaml,
+            "packages": [p.model_dump(by_alias=True) for p in packages],
+        }
+        resp = await self._http.post(
+            f"{self.base_url}/{self.api_version}/policy/preview", json=body
+        )
+        if resp.is_error:
+            raise map_http_error(resp)
+        return PolicyPreviewResponse.model_validate(resp.json())
+
+    async def risk_accept(self, verdict_id: str, justification: str) -> RiskAcceptResponse:
+        """POST /v1/risk-accept — record a risk-acceptance for a verdict (PR #99).
+
+        `persistence` is "ephemeral" until a CDP accept-write lands. Raises on
+        400 when verdict_id or justification is empty. Mirrors cleanlib-sdk-js
+        `riskAccept`.
+        """
+        body = {"verdict_id": verdict_id, "justification": justification}
+        resp = await self._http.post(
+            f"{self.base_url}/{self.api_version}/risk-accept", json=body
+        )
+        if resp.is_error:
+            raise map_http_error(resp)
+        return RiskAcceptResponse.model_validate(resp.json())
+
+    async def fetch_bytes(self, ecosystem: str, package: str, version: str) -> bytes:
+        """GET /v1/fetch/{ecosystem}/{package}/{version} — raw catalog bytes
+        (PR #99). Returns the application/octet-stream body. Does NOT run the
+        policy evaluator or sign an attestation. Mirrors cleanlib-sdk-js
+        `fetchBytes`.
+        """
+        path = (
+            f"{self.base_url}/{self.api_version}/fetch/"
+            f"{quote(ecosystem, safe='')}/"
+            f"{quote(package, safe='')}/"
+            f"{quote(version, safe='')}"
+        )
+        resp = await self._http.get(path)
+        if resp.is_error:
+            raise map_http_error(resp)
+        return resp.content
+
+
+def _derive_decision(verdict_label: Optional[str], severity: Optional[str]) -> str:
+    """Map App canonical Verdict's verdict_label + severity to decision string.
+
+    Mapping rules per cycle-4 §D.7 static demo policy + cycle-5 fixtures:
+    - VECTOR_VERDICT + High/Critical severity → DENY
+    - VECTOR_VERDICT + lower severity → WARN
+    - DM_THRESHOLD_BLOCK → DENY
+    - INSUFFICIENT_DATA → WARN
+    - ALLOWED_NO_FINDINGS → ALLOW
+    - default → ALLOW
+    """
+    label = (verdict_label or "").upper()
+    sev = (severity or "").upper()
+    if label == "VECTOR_VERDICT":
+        return "DENY" if sev in ("HIGH", "CRITICAL") else "WARN"
+    if label == "DM_THRESHOLD_BLOCK":
+        return "DENY"
+    if label == "INSUFFICIENT_DATA":
+        return "WARN"
+    if label == "ALLOWED_NO_FINDINGS":
+        return "ALLOW"
+    return "ALLOW"