From 7e4f7cbc4789accc6cf0b5ea2738e64b9ec2601e Mon Sep 17 00:00:00 2001
From: Brad Anderson
Date: Thu, 16 Apr 2026 23:54:34 -0400
Subject: [PATCH 1/2] [EnforceAuth] Update policy: POS Authorization
---
 stage/store-ops/pos/authorization.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stage/store-ops/pos/authorization.rego b/stage/store-ops/pos/authorization.rego
index 1c9a869..bb6b08d 100644
--- a/stage/store-ops/pos/authorization.rego
+++ b/stage/store-ops/pos/authorization.rego
@@ -1,5 +1,5 @@
 # METADATA
-# title: POS Transaction Authorization
+# title: POS Authorization
 # description: Controls who can perform point-of-sale operations including sales, returns, voids, and manager overrides
 # related_resources:
 # - ref: https://wiki.acmecorp.internal/retail-ops/pos-security
From 771d9e7aa400d839dc8ef1a68912dcaf3f9df597 Mon Sep 17 00:00:00 2001
From: Brad Anderson
Date: Fri, 17 Apr 2026 00:02:28 -0400
Subject: [PATCH 2/2] fix(ci): lint environment roots so regal resolves cross-directory imports

The rego-lint action was passing individual subdirectories (e.g. stage/store-ops/pos) to regal, which prevented it from resolving imports like data.shared.authentication from sibling directories. Lint the environment root (dev/stage/prod) instead, matching the project.roots config in .regal/config.yaml.
---
 .github/actions/rego-lint/action.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/actions/rego-lint/action.yml b/.github/actions/rego-lint/action.yml
index d9252be..e419040 100644
--- a/.github/actions/rego-lint/action.yml
+++ b/.github/actions/rego-lint/action.yml
@@ -29,11 +29,13 @@ runs: if [ -z "$FILES" ]; then echo "has_files=false" >> "$GITHUB_OUTPUT" else - DIRS=$(printf '%s\n' "$FILES" | while IFS= read -r f; do dirname "$f"; done | sort -u) + # Resolve to environment roots (dev/stage/prod) so regal can resolve + # cross-directory imports like data.shared.authentication + ROOTS=$(printf '%s\n' "$FILES" | cut -d/ -f1 | sort -u) echo "has_files=true" >> "$GITHUB_OUTPUT" { - echo "dirs<> "$GITHUB_OUTPUT" fi @@ -42,7 +44,7 @@ runs: if: steps.changed.outputs.has_files == 'true' shell: bash env: - CHANGED_DIRS: ${{ steps.changed.outputs.dirs }} + CHANGED_ROOTS: ${{ steps.changed.outputs.roots }} run: | - mapfile -t dirs <<< "$CHANGED_DIRS" - regal lint "${dirs[@]}" + mapfile -t roots <<< "$CHANGED_ROOTS" + regal lint "${roots[@]}"
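Review bot: `ROOTS` takes the first path component of every entry in `$FILES` without checking that it is one of the environment roots the new comment names, so a changed file at the repository top level (where `cut -d/ -f1` returns the file name itself) or under any other directory becomes a lint target. These names come from the paths touched by the change under review, so an allowlist is the safer form: pass the list through `grep -Ex 'dev|stage|prod'` before `sort -u`, tolerate grep's no-match exit status, and set `has_files` from whether `ROOTS` ends up non-empty. That also keeps unexpected values out of the multi-line write to `$GITHUB_OUTPUT` and out of the argument list in the next hunk, where `regal lint -- "${roots[@]}"` would additionally stop a name beginning with `-` from being read as an option. How `$FILES` is built and filtered lies outside the hunk, so part of this may already be enforced upstream; passing the value through `env:` instead of interpolating `${{ }}` into the script is the right pattern and should stay.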