Policy test reference

2 min readReferenceUpdated 2026-05-19

What you'll find here

craik policy test — the machine-readable policy regression gate for v0.1.0. The output shape, each result field, the shipped checks, and the failure behavior.

Exit 1 on any failure.

If any check fails, status becomes failed, the failed result includes the violated condition, and the CLI exits with status code 1.

Output shape

{
  "schema": "craik.policy_test_report",
  "version": "0.1.0",
  "status": "passed",
  "summary": {
    "passed": 6,
    "failed": 0,
    "total": 6
  },
  "results": []
}

Per-result fields

Field

Values

Notes

name

stable

Stable check name.

status

passed / failed

Per-check result.

message

prose

Human-readable result or failure.

details

object

Check-specific evidence.

Shipped checks

Check	Purpose
immutable_path_requires_override_and_grant	Immutable paths cannot be written with ordinary docs grants.
memory_writes_become_proposals	Memory updates follow the proposal path; direct local writes are denied.
trusted_local_fail_open_receipts	Trusted-local fail-open is explicit and receipt-backed.
automation_fails_closed	Automation does not widen authority or prompt for approvals.
provider_runner_enforces_shell_grants	The provider-backed runner blocks fixture side effects without a shell grant and completes with the scoped grant.
redaction_receipts_logs_handoffs_case_files	Policy-relevant payload shapes redact secret-like material.

What's next

ReferencePolicy profilesThe profiles each check exercises.GuideRunning policy testsHow operators invoke the gate.ADR0004 · Policy envelope shapeThe envelope contract these checks verify.