# METADATA
# scope: package
# title: Block Tests Quality (Bash)
# description: Blocks Bash edits to tests/quality (except baselines.json)
# custom:
#   routing:
#     required_events: ["PreToolUse"]
#     required_tools: ["Bash"]
package cupcake.policies.opencode.block_tests_quality_bash
import rego.v1

pattern := `(rm|mv|cp|sed|awk|chmod|chown|touch|mkdir|rmdir|truncate|tee|>|>>)\s.*tests/quality/`

deny contains decision if {
    input.hook_event_name == "PreToolUse"
    input.tool_name == "Bash"

    command := input.tool_input.command
    regex.match(pattern, command)
    not contains(lower(command), "tests/quality/baselines.json")

    decision := {
        "rule_id": "TEST-QUALITY-001",
        "reason": "Direct edits to tests/quality are prohibited (except baselines.json).",
        "severity": "HIGH"
    }
}