Problem
Five effects defined in contracts.go:25-31:
EffectAllow, EffectAllowWithAudit, EffectApprovalRequired, EffectDeny, EffectExclusion
Exclusion is treated identically to Deny everywhere:
bundle.go:602 — same abort_task obligation generationengine.go:2179 — same DenyCount++ in session factsbundle.go:636 — same effectRank scorebundle.go:710 — same group in compatibleObligations
As a distinct effect type, Exclusion carries no additional semantics. It does not block subsequent rule matching, does not trigger different audit behavior, does not have a different reason code pattern.
Expected
Exclusion should have distinct semantics from Deny — e.g., permanent block (blacklist) vs temporary rejection, different audit severity, or exclusion from deny_count tracking. If no meaningful distinction exists, consolidate into a single Deny effect.
Key code
contracts.go:30 — EffectExclusion constantbundle.go:602 — ensureEffectObligations groups Exclusion with Denyengine.go:2179 — updateSessionFacts groups Exclusion with Denybundle.go:636 — effectRank treats them equally
Problem
Five effects defined in contracts.go:25-31:
Exclusionis treated identically toDenyeverywhere:bundle.go:602— sameabort_taskobligation generationengine.go:2179— sameDenyCount++in session factsbundle.go:636— same effectRank scorebundle.go:710— same group incompatibleObligationsAs a distinct effect type, Exclusion carries no additional semantics. It does not block subsequent rule matching, does not trigger different audit behavior, does not have a different reason code pattern.
Expected
Exclusion should have distinct semantics from Deny — e.g., permanent block (blacklist) vs temporary rejection, different audit severity, or exclusion from deny_count tracking. If no meaningful distinction exists, consolidate into a single Deny effect.
Key code
contracts.go:30— EffectExclusion constantbundle.go:602— ensureEffectObligations groups Exclusion with Denyengine.go:2179— updateSessionFacts groups Exclusion with Denybundle.go:636— effectRank treats them equally