Part of #361. Add the declarative authoring surface: a dedicated *.audit.gwdk file kind holding composable policy {} blocks (and test {} blocks, consumed in Phase 4). The composable engine already exists in internal/auditspec (PR #360) — this issue adds the grammar and IR that feed it.
Scope
internal/gwdkast/audit.go: AuditFile, Policy, PolicyRule, PolicyApply, AuditTest AST nodes + spans.internal/parser/audit.go: ParseAuditFile using the shared internal/syntax tokenizer; declaration-boundary recovery. New keywords (policy, test, extends, apply, match, require, deny, expect, as, max_body, no_secrets_in_bundle).internal/gwdkir: AuditSpec lowered onto Program.internal/lang ClassifySource recognizes *.audit.gwdk; discovered as their own input set, not compiled into pages.- Wire declared policies into
gowdk audit (extend/override the baseline).
Model (decided)
Named policies, extends (composition), apply to "<glob>" / match "<selector>" to apply one policy to many targets. Selectors: route globs (/admin/**) and kind selectors (act:*, api:*, fragment:*). Separate-file model; no inline page attachment in M8.
Acceptance criteria
Related: #361.
Part of #361. Add the declarative authoring surface: a dedicated
*.audit.gwdkfile kind holding composablepolicy {}blocks (andtest {}blocks, consumed in Phase 4). The composable engine already exists ininternal/auditspec(PR #360) — this issue adds the grammar and IR that feed it.Scope
internal/gwdkast/audit.go:AuditFile,Policy,PolicyRule,PolicyApply,AuditTestAST nodes + spans.internal/parser/audit.go:ParseAuditFileusing the sharedinternal/syntaxtokenizer; declaration-boundary recovery. New keywords (policy,test,extends,apply,match,require,deny,expect,as,max_body,no_secrets_in_bundle).internal/gwdkir:AuditSpeclowered ontoProgram.internal/langClassifySourcerecognizes*.audit.gwdk; discovered as their own input set, not compiled into pages.gowdk audit(extend/override the baseline).Model (decided)
Named policies,
extends(composition),apply to "<glob>"/match "<selector>"to apply one policy to many targets. Selectors: route globs (/admin/**) and kind selectors (act:*,api:*,fragment:*). Separate-file model; no inline page attachment in M8.Acceptance criteria
*.audit.gwdk.policy_*resolution findings (cycle, unknown extends, duplicate, unmatched selector) emitted.docs/language/audit.mddocuments the syntax.Related: #361.