
[fix] STAR-5 (BOX-04): converge Policy across script modules, surface, and Check#24

Merged: vt128 merged 1 commit into master from fix/policy-convergence, Jun 19, 2026

Conversation

@vt128 vt128 commented Jun 19, 2026

Member

Release blockers P0-1 + P0-2 (independent review 2026-06-20)

The A4 load gate was not the single source of truth it claims to be. Two bypasses, both fixed here (test-first — each repro confirmed failing before the fix).

P0-1 — Policy{} default-deny bypassed by AddModuleScript

prepareEnv wrote each AddModuleScript module into the virtual FS and appended it to modNames without the policy gate, so a zero Policy{} still let a script load() a host-injected script module.
Fix: each script module is gated by s.policyAllows(fp) (its registered .star name); a denied module is not materialized at all.

P0-2 — DescribeSurface / Check did not converge with Policy

Both enumerated modules without the gate, so they reported (surface) / accepted (static check) a larger set than a real Run would load.
Fix: DescribeSurface's add() and Check's predeclaredNames now filter by s.policyAllows, so the reported surface and the predeclared set match the runnable set.

Non-policy boxes are unaffected — policyAllows returns true when no policy is set.

Tests

  • TestPolicyGatesScriptModule — zero policy denies; explicit .star-name allow loads; nested path gated by its full key.
  • TestPolicySurfaceCheckConverge — filtered DescribeSurface lists only math (no file/re); Check flags a withheld name (file) as undefined and passes a permitted one (math.pi).

prepareEnv/DescribeSurface/predeclaredNames at 100%; overall 99.3%. gofmt/vet clean, -race -count=2 and Docker golang:1.19 floor green.

…, and Check

Independent review (2026-06-20) found the A4 load gate was not the single
source of truth it claims to be:

- P0-1: AddModuleScript modules were written to the virtual FS and added to
  modNames without the policy gate, so a zero Policy{} (default-deny) still
  let a script load() a host-injected script module. Now each script module
  is gated by s.policyAllows(fp) (its registered .star name); a denied one is
  not materialized.
- P0-2: DescribeSurface and Check (predeclaredNames) enumerated modules
  without the gate, so they reported / accepted a larger surface than a real
  Run would load. DescribeSurface's add() and predeclaredNames now filter by
  s.policyAllows, so the reported surface and the static-check predeclared set
  match the runnable set.

Non-policy boxes are unaffected (policyAllows is true when no policy is set).

Tests (test-first, reproduced both bugs before the fix):
- TestPolicyGatesScriptModule: zero policy denies; explicit .star-name allow
  loads; nested path gated by its full key.
- TestPolicySurfaceCheckConverge: filtered DescribeSurface lists only math;
  Check flags a withheld name (file) and passes a permitted one.
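The gate the description refers to, modelled as an added Go example. This is not the project's code (the page shows no source): the type and field names, the Check semantics and the sample built-ins math/file/re are assumptions chosen to mirror the description. It shows the three consumers the fix touches (prepareEnv, DescribeSurface, predeclaredNames) sharing one policyAllows gate, plus a converges check that the reported surface, the static check and the runnable set agree, which is the property the fix restores.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Policy models the page's Policy{} as an allow-list keyed by module name (illustrative,
// not the project's code): a zero Policy{} denies everything; a nil *Policy means none set.
type Policy struct{ Allow map[string]bool }

// Sandbox holds the host-provided module sets; the field names are assumptions.
type Sandbox struct {
	policy        *Policy
	builtins      []string          // built-in module names
	scriptModules map[string]string // registered .star key -> source
}

func newSandbox(p *Policy) *Sandbox { // built-ins math/file/re are a constructed sample
	return &Sandbox{policy: p, builtins: []string{"math", "file", "re"}, scriptModules: map[string]string{}}
}

// policyAllows is the single gate every loader and reporter consults; with no
// policy set it allows everything, so non-policy boxes are unaffected.
func (s *Sandbox) policyAllows(name string) bool {
	return s.policy == nil || s.policy.Allow[name]
}

// AddModuleScript registers a host-injected script module under its full key.
func (s *Sandbox) AddModuleScript(key, src string) { s.scriptModules[key] = src }

// prepareEnv materializes what a Run could load(); a denied script module is never
// written to the virtual FS, so load() cannot reach it (P0-1).
func (s *Sandbox) prepareEnv() (modNames []string, virtualFS map[string]string) {
	virtualFS = map[string]string{}
	for _, name := range s.builtins {
		if s.policyAllows(name) {
			modNames = append(modNames, name)
		}
	}
	for key, src := range s.scriptModules {
		if s.policyAllows(key) { // gated by the full registered key, not a basename
			virtualFS[key] = src
			modNames = append(modNames, key)
		}
	}
	sort.Strings(modNames)
	return modNames, virtualFS
}

// DescribeSurface reports what a script can see, through the same gate (P0-2).
func (s *Sandbox) DescribeSurface() []string {
	var out []string
	add := func(name string) {
		if s.policyAllows(name) {
			out = append(out, name)
		}
	}
	for _, name := range s.builtins {
		add(name)
	}
	for key := range s.scriptModules {
		add(key)
	}
	sort.Strings(out)
	return out
}

// predeclaredNames is the static checker's symbol table; a withheld module is undefined there (P0-2).
func (s *Sandbox) predeclaredNames() map[string]bool {
	names := map[string]bool{}
	for _, mod := range s.builtins {
		if s.policyAllows(mod) {
			names[mod] = true
		}
	}
	return names
}

// Check statically resolves a name or dotted reference such as math.pi.
func (s *Sandbox) Check(ref string) error {
	if mod, _, _ := strings.Cut(ref, "."); !s.predeclaredNames()[mod] {
		return fmt.Errorf("undefined: %s", ref)
	}
	return nil
}

// converges holds when surface == runnable set and every predeclared module is runnable.
func (s *Sandbox) converges() bool {
	modNames, _ := s.prepareEnv()
	runnable := "," + strings.Join(modNames, ",") + ","
	for mod := range s.predeclaredNames() {
		if !strings.Contains(runnable, ","+mod+",") {
			return false
		}
	}
	return strings.Join(modNames, ",") == strings.Join(s.DescribeSurface(), ",")
}
```

With a zero Policy{} the surface and the virtual FS both come out empty, so a host-injected .star module cannot be load()ed; with Allow{"math": true} the surface is just math, Check("math.pi") passes and Check("file") is undefined; with a nil policy everything is listed and loadable. The point of keeping converges() as a method rather than a test helper is that it can run in CI against any policy the host configures, so a future enumeration path that forgets the gate shows up as a divergence rather than as a silent over-report.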
codacy-production Bot commented Jun 19, 2026


Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


🟢 Metrics 20 complexity · 0 duplication

Metric Results
Complexity 20
Duplication 0


🟢 Coverage 100.00% diff coverage · +0.01% coverage variation

Metric Results
Coverage variation +0.01% coverage variation (-1.00%)
Diff coverage 100.00% diff coverage


Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (fc75a79) 1147 1138 99.22%
Head commit (5ed0300) 1155 (+8) 1146 (+8) 99.22% (+0.01%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#24) 18 18 100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%


codecov Bot commented Jun 19, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.95%. Comparing base (fc75a79) to head (5ed0300).

Additional details and impacted files
@@           Coverage Diff           @@
##           master      #24   +/-   ##
=======================================
  Coverage   98.95%   98.95%           
=======================================
  Files          12       12           
  Lines         859      864    +5     
=======================================
+ Hits          850      855    +5     
  Misses          5        5           
  Partials        4        4           


@vt128 vt128 merged commit 3098df0 into master Jun 19, 2026
11 checks passed
@vt128 vt128 deleted the fix/policy-convergence branch June 19, 2026 19:11