fix(policies): add NOT_IN operator to enum, evaluator, bridge, schema, and CLI

[DhineshPonnarasan]

Summary

not_in was accepted by the policy linter and shared validator but broke silently at runtime due to two bugs:

1. PolicyOperator enum missing NOT_IN — PolicyDocument.from_yaml() raised ValidationError for any policy using operator: not_in.
2. Bridge corruption — _OPERATOR_MAP_TO_POLICY mapped "not_in" → PolicyOperator.NE (scalar !=), silently rewriting allowlist-exclusion rules into scalar inequality checks.

This PR is an additive-only fix at all five operator coupling points. No existing operator semantics are changed.

Root Cause

# This policy would raise ValidationError before this fix
rules:
  - name: deny-unapproved-tool
    condition:
      field: tool_name
      operator: not_in        # ← no corresponding enum member
      value: [read_file, search]
    action: deny

Changes

File	Change
schema.py	Add NOT_IN = "not_in" to PolicyOperator enum
evaluator.py	Add NOT_IN branch in _match_condition() with list-exclusion semantics
shared.py	Fix bridge map "not_in" → PolicyOperator.NOT_IN (was NE); add reverse mapping
cli.py	Add not_in branch in _evaluate_condition(); remove stale List import
policy_schema.json	Add "not_in" to PolicyOperator.enum

Files unchanged (pre-existing behavior preserved)

• bridge.py — document_to_governance() data loss for non-auto-generated rule names is pre-existing architectural debt, not introduced here
• lint_policy.py — KNOWN_OPERATORS already contained "not_in" before this PR

Tests Added

12 new regression tests across 3 files:

Test	File	Purpose
test_not_in_operator_loads_from_yaml	test_policy_language.py	YAML deserialization no longer raises
test_not_in_inside_allowlist_does_not_match	test_policy_language.py	In-list → condition not satisfied
test_not_in_outside_allowlist_matches	test_policy_language.py	Out-of-list → condition satisfied
test_not_in_differs_from_ne	test_policy_language.py	Key: proves NOT_IN ≠ NE (the original bridge bug)
test_not_in_missing_field_no_match	test_policy_language.py	Missing field → no match (consistent with all operators)
test_not_in_malformed_target_fails_closed	test_policy_language.py	Non-iterable target → fail-closed
test_not_in_empty_allowlist_matches_everything	test_policy_language.py	value=[] → deny fires for every present value (intentional Python membership semantics)
test_not_in_end_to_end_from_yaml	test_policy_language.py	Full YAML → load → evaluate roundtrip
test_not_in_mapping_to_policy_operator	test_shared_policy.py	Bridge: "not_in" → PolicyOperator.NOT_IN
test_not_in_mapping_from_policy_operator	test_shared_policy.py	Bridge: PolicyOperator.NOT_IN → "not_in"
test_not_in_roundtrip_bridge	test_shared_policy.py	SharedPolicySchema → PolicyDocument → back
test_not_in_scenario_semantics	test_policy_cli.py	CLI test subcommand: 2/2 scenarios pass

Pre-existing Issues (not introduced, not fixed in this PR)

• re.match (anchored) in cli.py vs re.search (anywhere) in evaluator.py for MATCHES — semantic drift in the CLI dev tool only
• bridge.py reverse map: GTE → "gt" and LTE → "lt" data loss
• Three parallel condition evaluator implementations (architectural debt)

Test Results

78 targeted tests passing, 223 broader policy tests passing, lint clean (ruff)

Prior Art

Standard Python membership semantics (in / not in). No external prior art. This operator was already documented in the policy schema JSON and accepted by the linter — the implementation simply completes the missing runtime and deserialization wiring.

---

Fixes #2372.

@imran-siddique — would appreciate a review when you get a chance. The change is additive-only (no existing operator semantics touched), and all 78 targeted tests plus the broader 223-test policy suite are green. Happy to address any feedback.

[github-actions]

🤖 AI Agent: breaking-change-detector — API Compatibility

API Compatibility

No breaking changes detected.

[github-actions]

🤖 AI Agent: security-scanner — View details

No security issues found.

[github-actions]

🤖 AI Agent: docs-sync-checker — Docs Sync

Docs Sync

• PolicyOperator.NOT_IN in schema.py -- missing docstring
• README.md -- update required to reflect the addition of the NOT_IN operator
• CHANGELOG.md -- missing entry for the addition of the NOT_IN operator and its behavioral implications

Please address these documentation issues.

[github-actions]

🤖 AI Agent: code-reviewer — View details

TL;DR: 0 blockers, 1 warning. Solid fix with minor follow-up needed.

#	Sev	Issue	Where
1	Warn	Pre-existing semantic drift in MATCHES	cli.py, evaluator.py

Action items: None.

Warnings (fine as follow-up PRs)
Address semantic drift between re.match in cli.py and re.search in evaluator.py for MATCHES operator.

[github-actions]

🤖 AI Agent: test-generator — View details

Test coverage looks good. No gaps identified.

[github-actions]

🟡 Contributor Check: MEDIUM

Check	Result
Profile	MEDIUM
Credential	NONE
Overall	MEDIUM

Automated check by AGT Contributor Check.

[github-actions]

PR Review Summary

Check	Status	Details
🔍 Code Review	⚠️ Warning	See details
🛡️ Security Scan	✅ Passed	No issues found
🔄 Breaking Changes	✅ Passed	No issues found
📝 Docs Sync	✅ Completed	Analysis complete
🧪 Test Coverage	✅ Completed	Analysis complete

Verdict: ⚠️ Ready for human review