Module policy

Project and global policy (.kintsugi.toml).

A repo may commit a .kintsugi.toml to add allow/deny rules and set the mode; global defaults live under the user’s config dir. Repo settings override global ones. This module is pure: parsing, merging, matching, and applying a policy to a verdict. Loading the files from disk is the daemon’s job.

Security spine: policy may always add caution (a deny rule escalates any command to Hold/Deny). A policy allow may tame the ambiguous band, but it never downgrades a rule-based catastrophic block — that hard floor stands.
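The precedence described above, as an added sketch that is not this crate's code: every type and function name below is hypothetical, the mode is left out, risk is assumed to be a `u8` score, and a deny rule is assumed to raise the outcome to at least Hold.

```rust
// Added sketch: every name here is hypothetical, not the crate's API.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum Outcome { Allow, Hold, Deny } // ordered from least to most cautious

#[derive(Debug, Clone, Copy, PartialEq)]
enum Assessment {
    Benign,
    Ambiguous { risk: u8 }, // scored band, compared with a threshold
    Catastrophic,           // rule-based block: the hard floor
}

#[derive(Debug, Clone, Copy, PartialEq)]
enum Action { Allow, Deny, Silent } // Silent: no policy rule matched

/// Repo setting overrides the global one; otherwise use the default.
fn effective_threshold(repo: Option<u8>, global: Option<u8>, default: u8) -> u8 {
    repo.or(global).unwrap_or(default)
}

fn decide(a: Assessment, action: Action, threshold: u8) -> Outcome {
    // Verdict before any policy rule is consulted.
    let base = match a {
        Assessment::Benign => Outcome::Allow,
        Assessment::Ambiguous { risk } if risk >= threshold => Outcome::Hold,
        Assessment::Ambiguous { .. } => Outcome::Allow,
        Assessment::Catastrophic => Outcome::Deny,
    };
    match (a, action) {
        // Hard floor first, so no allow rule can ever reach it.
        (Assessment::Catastrophic, _) => Outcome::Deny,
        // A deny rule only raises caution (assumed here: to at least Hold).
        (_, Action::Deny) => base.max(Outcome::Hold),
        // An allow rule may relax the ambiguous band, nothing else.
        (Assessment::Ambiguous { .. }, Action::Allow) => Outcome::Allow,
        _ => base,
    }
}

fn main() {
    let t = effective_threshold(None, Some(70), 50); // constructed values
    for a in [Assessment::Benign, Assessment::Ambiguous { risk: 90 }, Assessment::Catastrophic] {
        for p in [Action::Silent, Action::Allow, Action::Deny] {
            println!("{:?} + {:?} -> {:?}", a, p, decide(a, p, t));
        }
    }
}
```

Checking the catastrophic case before any allow rule is what makes the floor structural: a repo-committed allow pattern cannot reach it regardless of how broadly it matches.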

Structs

Policy
A parsed policy document.
Rules
The allow/deny rule lists.

Enums

PolicyAction
What a policy says about a specific command.

Constants

DEFAULT_THRESHOLD
Default risk threshold for the ambiguous band when none is configured.

Functions

adjust_for_policy
Apply a policy action to a verdict under a mode.
matches
Match a policy pattern against a command.