feat(guard): add deterministic policy engine

[michiosw]

Summary

This adds the deterministic policy package for the Local Guard LLM Judge launch.

Before this, Guard's deterministic safety checks lived inside risk.DecideRisk, next to normalization, Markov/noop scoring, legacy ask behavior, and the runtime decision shape. That made the launch path hard to reason about.

Now the deterministic layer is isolated in internal/guard/policy:

result := engine.Evaluate(riskEvent, config)

It evaluates a normalized risk.RiskEvent against a curated Kontext rule pack and an active profile: relaxed, balanced, or strict. It returns only allow or deny, plus reviewer/debug metadata like rule ID, category, profile, policy version, reason code, and matched signals.

Why

This gives ENG-325 a clean seam for the launch flow:

hook event
-> risk normalization
-> deterministic policy
-> if deny: stop
-> if allow: local LLM judge
-> final allow/deny

This PR does not wire the package into the running Guard path yet. That stays with ENG-325.

What changed

• Added internal/guard/policy
• Added deterministic profiles: relaxed, balanced, strict
• Added the curated default rule pack
• Ported current deterministic guard cases into named policy rules
• Added structured policy.Result diagnostics
• Added config/default validation helpers
• Added tests for profile behavior and deny metadata
• Added risk.IsPersistentResourceClass so policy can reuse risk taxonomy

Verification

• go test ./internal/guard/policy ./internal/guard/risk ./internal/guard/app/server

[michiosw]

• feat(guard): add policy profile dashboard #137
• feat(guard): add policy config store #135
• feat(guard): add deterministic policy engine #131 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0e72b298e5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[greptile-apps]

Greptile Summary

This PR introduces a deterministic policy engine (internal/guard/policy) that evaluates risk.RiskEvents against an ordered rule pack and returns an allow or deny Result before any probabilistic scoring stage. It also exposes the previously private isPersistentResource helper as a public function in the risk package.

• Engine & rule pack: Engine.Evaluate iterates rules in priority order, returns on the first match, and falls back to allow. Five default rules cover credential access, destructive persistent-resource operations, production mutations, direct infra API calls with credentials, and unknown high-risk commands.
• Profile-gated categories: ProfileRelaxed enables only the two most critical categories; ProfileBalanced and ProfileStrict progressively unlock more, with ProfileStrict adding unknown-command and provider-API-call blocking.
• Types & config: Config.Validate() enforces known profiles and rule pack IDs; DefaultConfig() sets ProfileBalanced and NonBypassableRules: true.

Confidence Score: 3/5

Safe to merge with the production-mutation predicate fixed; without that fix a directly constructed RiskEvent with an empty OperationClass in a production environment will be incorrectly denied.

The production_mutation rule's When predicate excludes "unknown" and "read" but not the empty string, so any RiskEvent built without an OperationClass and with Environment="production" silently triggers a deny. This is a real false-positive path even if the current normalizer always sets the field; callers constructing RiskEvents directly (including future tests or integrations) will hit it.

internal/guard/policy/pack_default.go — the production_mutation When predicate; internal/guard/policy/types.go — Validate allocation.

Important Files Changed

Filename	Overview
internal/guard/policy/pack_default.go	Defines the default five-rule pack. The production_mutation rule fires on empty OperationClass (zero value "") because the predicate only excludes "unknown" and "read", creating a false-positive path for directly constructed RiskEvents.
internal/guard/policy/engine.go	New deterministic policy engine: evaluates rules in order, returns first match or allow. Value-receiver design means the DefaultRulePack() fallback is re-allocated on every call for a zero-value engine.
internal/guard/policy/types.go	Defines all types, constants, Config, and Result. Validate() unnecessarily allocates DefaultRulePack() (with closures) just to compare the ID string; extracting the ID as a constant would fix this.
internal/guard/policy/profiles.go	Maps profiles to enabled rule categories. Relaxed profile intentionally only enables the two most critical categories; balanced/strict progressively add more. Clean logic.
internal/guard/policy/rule.go	Simple Rule and RulePack struct definitions. No issues.
internal/guard/policy/engine_test.go	Comprehensive table-driven tests covering all profiles and categories. Missing a test case for the empty-OperationClass production mutation edge case.
internal/guard/risk/taxonomy.go	Thin public wrapper exposing the private isPersistentResource helper to the policy package. Clean single-function file.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[RiskEvent] --> B[Engine.Evaluate]
    B --> C{pack.ID empty?}
    C -- yes --> D[use DefaultRulePack]
    C -- no --> E[use provided pack]
    D --> F[iterate rules]
    E --> F
    F --> G{categoryEnabled for profile?}
    G -- no --> H[skip rule]
    H --> F
    G -- yes --> I{rule.When event ?}
    I -- no --> H
    I -- yes --> J[Result: Deny - fill RuleID, Category, ReasonCode, NonBypassable, MatchedSignals]
    F -- exhausted --> K[Result: Allow - no rule matched]

Loading

_{Reviews (1): Last reviewed commit: "feat(guard): add deterministic policy en..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 067c32dbb1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 39da86c5cd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[hasandemirkiran]

No blocking comments from me. Two small non-blocking comments from the AI reviewer:

1. Production mutation diagnostics may never include matched_signals.
   pack_default.go declares MatchedSignals: []string{"production", "mutation"}, but engine.go only returns signals already present on risk.RiskEvent.Signals, and the normalizer sets Environment / OperationClass without emitting production or mutation signals. Real production mutation denies will likely have empty matched_signals. I’d either emit those signals during normalization or derive them from structured fields.
2. Config.RulePack looks like config surface that does not currently do anything meaningful.
   withDefaults() sets empty RulePack to guard-default, making the later if cfg.RulePack == "" branch in Evaluate unreachable, and Validate() rejects every non-default pack even though NewEngine(pack) accepts arbitrary packs. I’d either remove RulePack from Config until there is pack selection, or make validation/evaluation validate against the engine’s pack ID.

[hasandemirkiran]

Merge activity

• May 18, 9:10 AM UTC: A user started a stack merge that includes this pull request via Graphite.
• May 18, 9:10 AM UTC: Graphite rebased this pull request as part of a merge.
• May 18, 9:13 AM UTC: @hasandemirkiran merged this pull request with Graphite.

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.