A single policy rule.

Rules come in two flavours. Allow rules either allow a package or abstain (they never deny), so that a later rule still gets the chance to allow. Deny rules either deny a package or abstain. Selection is by precedence, not list order — see evalRules and PrecededRule.

A Rule paired with the integer precedence at which it competes (higher wins). evalRules selects the highest-precedence non-abstaining rule; at equal precedence a deny beats an allow, and any remaining tie is broken by rule identity rather than list order (see evalRules).

Precedence is a field, not an Ord Rule instance: equal precedence between two rules is legal (it is the deny-over-allow tiebreak), so a total derived Ord would be non-antisymmetric — unlawful and misleading. This mirrors Version, whose ordering likewise goes through a function rather than a derived instance.

The default precedence for a rule type — used when a policy omits an explicit precedence for a rule.

Every deny type defaults strictly above every allow type, so "any deny overrides any allow" holds out of the box. The three rule types occupy two bands: the allow band (AllowIfPublishedBefore < defaultAllowScopePrecedence), then the deny band (defaultDenyInstallTimeExecutionPrecedence) strictly above both. An operator may still elevate a specific allow above a specific deny by giving it a higher explicit precedence — the per-type defaults set only the out-of-the-box ordering.

Pair a rule with its type's defaultPrecedence.

Default precedence of AllowIfPublishedBefore: the lowest band, a passive quarantine that yields to an explicit allow-list and to every deny.

Default precedence of AllowScope: above the passive age quarantine — an explicit allow-list of a trusted internal scope is a stronger statement than the time gate — but still below every deny.

Default precedence of DenyInstallTimeExecution: the deny band, strictly above every allow default, so a matching deny overrides any allow out of the box.

Ambient information a rule may need that is not part of the package itself (the wall-clock "now" for age calculations).

The verdict of a single rule against a single package version.

The overall decision for a package version against a whole rule set.

The first three arms are the pure tier's; the effectful tier (Ecluse.Rules.Effectful) adds the last three. An effectful approval/denial carries the deciding rule's name (Text) rather than a pure Rule, because an effectful rule is not a member of the pure Rule enumeration — its identity is just the name it logs under.

Whether an unavailability is expected to resolve on its own.

This is the single distinction the serve status mapping turns on: a transient cause (WillResolve) is worth retrying (a 503); a permanent or internal one (WontResolve) is not, so it must not be dressed up as a retryable 503 (it is a 500). The effectful tier sets it from the nature of the failure: an upstream outage, rate limit, timeout, or open breaker is transient; an internal or parse fault is not.

A Retry-After delay, in whole seconds. A 'newtype' so a raw count of seconds is never confused with some other integer when it reaches the response header.