[EnforceAuth] Update policy: POS Authorization

.github/actions/rego-lint/action.yml

@@ -29,12 +29,20 @@ runs:
         if [ -z "$FILES" ]; then
           echo "has_files=false" >> "$GITHUB_OUTPUT"
         else
-          DIRS=$(printf '%s\n' "$FILES" | while IFS= read -r f; do dirname "$f"; done | sort -u | tr '\n' ' ')
+          DIRS=$(printf '%s\n' "$FILES" | while IFS= read -r f; do dirname "$f"; done | sort -u)
           echo "has_files=true" >> "$GITHUB_OUTPUT"
-          echo "dirs=$DIRS" >> "$GITHUB_OUTPUT"
+          {
+            echo "dirs<<EOF"
+            echo "$DIRS"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
         fi
 
     - name: Lint changed Rego files
       if: steps.changed.outputs.has_files == 'true'
       shell: bash
-      run: regal lint "${{ steps.changed.outputs.dirs }}"
+      env:
+        CHANGED_DIRS: ${{ steps.changed.outputs.dirs }}
+      run: |
+        mapfile -t dirs <<< "$CHANGED_DIRS"
+        regal lint "${dirs[@]}"

.regal/config.yaml

@@ -0,0 +1,18 @@
+project:
+  roots:
+    - dev
+    - prod
+    - stage
+
+rules:
+  idiomatic:
+    directory-package-mismatch:
+      level: ignore
+    no-defined-entrypoint:
+      level: ignore
+  imports:
+    unresolved-reference:
+      level: ignore
+  performance:
+    defer-assignment:
+      level: ignore

dev/shared/authentication.rego

@@ -39,8 +39,7 @@ user_active(user_claims) if {
 
 # Helper to get authenticated user claims
 authenticated_claims := user_claims if {
-	token := extract_token
-	valid_token(token)
-	user_claims := claims(token)
+	valid_token(extract_token)
+	user_claims := claims(extract_token)
 	user_active(user_claims)
 }

dev/store-ops/pos/authorization.rego

@@ -1,5 +1,5 @@
 # METADATA
-# title: POS Transaction Authorization
+# title: POS Authorization
 # description: Controls who can perform point-of-sale operations including sales, returns, voids, and manager overrides
 # related_resources:
 #   - ref: https://wiki.acmecorp.internal/retail-ops/pos-security
@@ -102,6 +102,8 @@ _at_assigned_store(user_claims) if {
 _return_limit_for_role := {"cashier": 50, "shift_lead": 200, "store_manager": 999999, "district_manager": 999999}
 
 _within_return_limit(user_claims) if {
+	is_number(input.request.body.amount)
+	input.request.body.amount >= 0
 	limit := _return_limit_for_role[user_claims.role]
 	input.request.body.amount <= limit
 }
@@ -112,6 +114,8 @@ _within_return_limit(user_claims) if {
 _discount_limit_for_role := {"shift_lead": 15, "store_manager": 25, "district_manager": 50}
 
 _within_discount_limit(user_claims) if {
+	is_number(input.request.body.discount_percent)
+	input.request.body.discount_percent >= 0
 	limit := _discount_limit_for_role[user_claims.role]
 	input.request.body.discount_percent <= limit
 }