Runtime Quick Start

Enforce Contract Policy At Runtime

Use this Runtime (edge) flow to block strict live adaptive violations while still reporting warning-level diagnostics for review and cleanup.

Canonical policy source: contracts/surfaces.web.contract.json

Quick Start

  1. Generate runtime manifest. Build per-surface runtime policy from the canonical contract before running runtime checks.
  2. Validate proposed runtime changes. Pass proposed styles through runtime validation before applying them.
  3. Block strict violations. Return 422 when strict color/raw policy or other strict rules fail.
  4. Allow warning-level events with visibility. Capture warnings (for example token namespace mismatch) without blocking traffic.
  5. Keep icon policy enforcement at earlier lifecycle points. Icon-source policy is not enforced at Runtime (edge) in this increment; rely on Generation time + CI/CD time checks.
  6. Include contract provenance in violation payloads. Return contractId, version, and surfaceId for each runtime decision.

Runtime Verification Commands

# 1) Build runtime manifest from canonical contract
pnpm run generate:runtime-manifest

# 2) Propose a runtime style change (expected strict violation)
curl -i -H "x-proposed-bg: rgba(15, 23, 42, 0.45)" \
  "http://localhost:3000/adaptive/test?section=hero"

# 3) Example allow path
curl -i -H "x-proposed-bg: var(--background)" \
  "http://localhost:3000/adaptive/test?section=hero"

  • Runtime should block strict-policy findings only.
  • Warn findings remain visible for remediation and policy hygiene.
  • Runtime checks complement Generation time + CI/CD time checks; they do not replace them.
  • Icon-source policy (`icon.source-disallowed`) is currently visible in integration/CI validation paths, not Runtime (edge).

Status Rules

pass: No findings. Continue.

warn: Warnings only. Continue with visibility.

block: Strict/error finding present. Stop and fix.
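
The decision flow from Quick Start steps 2, 3, 4 and 6 and the status rules above, as an added example (not the project's own code). The manifest shape, the rule ids, the 200 status on non-blocking results and the fail-closed handling of unrecognized values are assumptions; the inputs mirror the x-proposed-bg header and section query parameter used in the verification commands.

```javascript
// Added example. Manifest shape and rule ids are hypothetical, not the project's schema.
const MANIFEST = {
  contractId: "example-contract", // constructed placeholder
  version: "0.0.0-example",       // constructed placeholder
  surfaces: { hero: { allowedTokenPrefixes: ["--background", "--surface-"] } },
};

// Raw color literals: hex, rgb()/rgba(), hsl()/hsla().
const RAW_COLOR = /^(#[0-9a-f]{3,8}|(rgb|hsl)a?\s*\()/i;
// Exactly one var(--token) with no fallback, so no raw value can ride along.
const TOKEN_REF = /^var\(\s*(--[a-z0-9-]+)\s*\)$/i;
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function evaluateProposedBackground(manifest, surfaceId, value) {
  const findings = [];
  const v = String(value ?? "").trim();
  const token = TOKEN_REF.exec(v);
  // surfaceId comes from the query string: own-property lookup only, so
  // "constructor" or "__proto__" cannot resolve to an inherited object.
  const surface = hasOwn(manifest.surfaces, surfaceId) ? manifest.surfaces[surfaceId] : null;

  if (!surface) {
    findings.push({ rule: "surface.unknown", severity: "error" });
  } else if (RAW_COLOR.test(v)) {
    findings.push({ rule: "color.raw-disallowed", severity: "error" });
  } else if (!token) {
    // Assumption: anything that is not a bare token reference fails closed.
    findings.push({ rule: "value.unrecognized", severity: "error" });
  } else if (!surface.allowedTokenPrefixes.some((p) => token[1].startsWith(p))) {
    findings.push({ rule: "token.namespace-mismatch", severity: "warn" });
  }

  const status = findings.some((f) => f.severity === "error") ? "block"
    : findings.length > 0 ? "warn" : "pass";
  return {
    status,
    httpStatus: status === "block" ? 422 : 200, // 200 on pass/warn is an assumption
    contractId: manifest.contractId,
    version: manifest.version,
    surfaceId,
    findings,
  };
}
```

Rejecting var() references that carry a fallback keeps a raw color from being smuggled in as the second argument of an otherwise valid token reference.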
