Restructure Policy into per-repository restrictions and overrides

proto/hex_pb_policy.proto

@@ -1,5 +1,7 @@
 syntax = "proto2";
 
+import "hex_pb_package.proto";
+
 message Policy {
   // Name of repository
   required string repository = 1;
@@ -17,26 +19,69 @@ message Policy {
   // treat unknown values as PRIVATE per the fail-closed rule.
   required Visibility visibility = 4;
 
-  // Categorical advisory rule. If set, deny any release whose maximum
-  // advisory severity is at least this value. Values map to AdvisorySeverity
-  // in package.proto (SEVERITY_NONE..SEVERITY_CRITICAL = 0..4).
-  // Unset = rule disabled.
-  optional uint32 advisory_min_severity = 5;
-
-  // Categorical retirement rule. If non-empty, deny any release retired with
-  // a reason in this set. Values map to RetirementReason in package.proto
-  // (RETIRED_OTHER..RETIRED_RENAMED = 0..4). Empty = rule disabled.
-  repeated uint32 retirement_reasons = 6 [packed=true];
-
-  // Optional minimum release age for every package version governed by this
-  // policy. Same duration grammar as the Hex cooldown config ("7d", "2w",
-  // "1mo", "0"). Unset or "0" means no policy cooldown. If multiple active
-  // policies declare cooldowns, the effective cooldown is the strictest one.
-  optional string cooldown = 7;
+  // One entry per repository the policy constrains (in practice "hexpm" and
+  // the org's own repository). A candidate release is matched to the entry
+  // whose repository equals the release's repository; a release from a
+  // repository with no matching entry is unconstrained by this policy.
+  repeated RepositoryPolicy repositories = 5;
 }
 
 enum Visibility {
   // PRIVATE is the safe default; unknown enum values must be treated as PRIVATE.
   VISIBILITY_PRIVATE = 0;
   VISIBILITY_PUBLIC = 1;
 }
+
+message RepositoryPolicy {
+  // Repository this entry applies to (e.g. "hexpm" or the org's repository).
+  required string repository = 1;
+
+  // Baseline limits applied to every release in this repository. Unset = no
+  // restriction. Restrictions never apply to releases permitted by an ALLOW
+  // override (those bypass all limits).
+  optional Restriction restriction = 2;
+
+  // Per-package final say, evaluated against each release in this repository.
+  // An ALLOW override permits the release immediately and bypasses
+  // `restriction`; a DENY override blocks it. When multiple overrides match a
+  // release, the one with the most specific requirement wins.
+  repeated Override overrides = 3;
+}
+
+message Restriction {
+  // Advisory limit. If set, deny any release whose maximum advisory severity
+  // is at least this value. Unset = no advisory limit.
+  optional AdvisorySeverity advisory_min_severity = 1;
+
+  // Retirement limit. If non-empty, deny any release retired with a reason in
+  // this set. Empty = no retirement limit.
+  repeated RetirementReason retirement_reasons = 2 [packed=true];
+
+  // Minimum release age. Same duration grammar as the Hex cooldown config
+  // ("7d", "2w", "1mo", "0"). Unset or "0" = no minimum age. If multiple
+  // active policies declare cooldowns, the effective cooldown is the strictest.
+  optional string cooldown = 3;
+}
+
+message PackageRef {
+  // Package name.
+  required string package = 1;
+
+  // Optional version requirement (e.g. "~> 1.7"). Unset = the whole package.
+  optional string requirement = 2;
+}
+
+message Override {
+  // Whether this override permits or blocks the matching release.
+  required OverrideAction action = 1;
+
+  // The package (and optional requirement) the override applies to.
+  required PackageRef ref = 2;
+}
+
+enum OverrideAction {
+  // Permit the release and bypass `restriction`.
+  OVERRIDE_ACTION_ALLOW = 0;
+  // Block the release.
+  OVERRIDE_ACTION_DENY = 1;
+}