Refactor Policy Enforcer Configuration

- Updated the Policy Enforcer configuration across multiple YAML files to use a unified `policyDir` instead of individual policy sources.
- Changed the step name from `enforcePolicy` to `policyEnforcer` for consistency.
- Enhanced the documentation to clarify the use of `policyUrls`, `policyDir`, and `policyFile` for policy sources.
- Adjusted related code and tests to accommodate the new configuration structure.
- Added documentation for using YAML folded scalar (>-) to keep long comma-separated policyUrls values readable across multiple lines.

pkg/plugin/implementation/policyenforcer/README.md

@@ -17,27 +17,63 @@ All config keys are passed via `map[string]string` in the adapter YAML config.
 
 | Key | Required | Default | Description |
 |-----|----------|---------|-------------|
-| `policyDir` | One of `policyDir`, `policyFile`, or `policyUrls` required | — | Local directory containing `.rego` files |
+| `policyUrls` | At least one of `policyUrls`, `policyDir`, or `policyFile` required | — | Comma-separated list of URLs, local file paths, or directory paths to `.rego` files |
+| `policyDir` | | `./policies` | Local directory containing `.rego` files |
 | `policyFile` | | — | Single local `.rego` file path |
-| `policyUrls` | | — | Comma-separated list of URLs or local paths to `.rego` files |
 | `query` | No | `data.policy.violations` | Rego query returning violation strings |
-| `actions` | No | `confirm` | Comma-separated beckn actions to enforce |
+| `actions` | No | *(empty — all actions)* | Comma-separated beckn actions to enforce. When omitted, all actions are evaluated and the Rego policy itself decides which to gate. |
 | `enabled` | No | `true` | Enable/disable the plugin |
 | `debugLogging` | No | `false` | Enable verbose logging |
 | *any other key* | No | — | Forwarded to Rego as `data.config.<key>` |
 
-### Policy URLs
+### Policy Sources
 
-`policyUrls` accepts both remote URLs and local file paths, separated by commas:
+`policyUrls` is the primary configuration key. It accepts a comma-separated list of:
+- **Remote URLs**: `https://policies.example.com/compliance.rego`
+- **Local file paths**: `/etc/policies/local.rego`
+- **Directory paths**: `/etc/policies/` (all `.rego` files loaded, `_test.rego` excluded)
 
 ```yaml
 config:
-  policyUrls: "https://policies.example.com/compliance.rego,/etc/policies/local.rego,https://policies.example.com/safety.rego"
+  policyUrls: "https://policies.example.com/compliance.rego,/etc/policies/,/local/safety.rego"
+```
+
+When specifying many URLs, use the YAML folded scalar (`>-`) to keep the config readable:
+
+```yaml
+config:
+  policyUrls: >-
+    https://policies.example.com/compliance.rego,
+    https://policies.example.com/safety.rego,
+    https://policies.example.com/rate-limit.rego,
+    /local/policies/,
+    https://policies.example.com/auth.rego
+```
+
+The `>-` folds newlines into spaces, so the value is parsed as a single comma-separated string.
+
+### Minimal Config
+
+By default, the plugin loads `.rego` files from `./policies` and uses the query `data.policy.violations`. A zero-config setup works if your policies are in the default directory:
+
+```yaml
+policyEnforcer:
+  id: policyenforcer
+  config: {}
+```
+
+Or specify a custom policy location:
+
+```yaml
+policyEnforcer:
+  id: policyenforcer
+  config:
+    policyUrls: "./policies/compliance.rego"
 ```
 
 ### Air-Gapped Deployments
 
-For environments without internet access, replace any URL with a local file path or volume mount:
+For environments without internet access, use local file paths or volume mounts:
 
 ```yaml
 config:
@@ -48,14 +84,15 @@ config:
 
 ```yaml
 plugins:
-  steps:
-    - id: policyenforcer
-      config:
-        policyUrls: "https://policies.example.com/compliance.rego,/local/policies/safety.rego"
-        actions: "confirm,init"
-        query: "data.policy.violations"
-        minDeliveryLeadHours: "4"
-        debugLogging: "true"
+  policyEnforcer:
+    id: policyenforcer
+    config:
+      policyUrls: "https://policies.example.com/compliance.rego,/local/policies/"
+      minDeliveryLeadHours: "4"
+      debugLogging: "true"
+steps:
+  - policyEnforcer
+  - addRoute
 ```
 
 ## Relationship with Schema Validator

pkg/plugin/implementation/policyenforcer/config.go

@@ -2,6 +2,7 @@ package policyenforcer
 
 import (
 	"fmt"
+	"os"
 	"strings"
 )
 
@@ -20,11 +21,12 @@ type Config struct {
 	PolicyUrls []string
 
 	// Query is the Rego query that returns a set of violation strings.
-	// Default: "data.policy.violations"
+	// Default: "data.policy.violations".
 	Query string
 
 	// Actions is the list of beckn actions to enforce policies on.
-	// Default: ["confirm"]
+	// When empty or nil, all actions are considered and the Rego policy
+	// is responsible for deciding which actions to gate.
 	Actions []string
 
 	// Enabled controls whether the plugin is active.
@@ -53,7 +55,6 @@ var knownKeys = map[string]bool{
 func DefaultConfig() *Config {
 	return &Config{
 		Query:         "data.policy.violations",
-		Actions:       []string{"confirm"},
 		Enabled:       true,
 		DebugLogging:  false,
 		RuntimeConfig: make(map[string]string),
@@ -71,7 +72,7 @@ func ParseConfig(cfg map[string]string) (*Config, error) {
 		config.PolicyFile = file
 	}
 
-	// Legacy: comma-separated policyUrls
+	// Comma-separated policyUrls (supports URLs, local files, and directory paths)
 	if urls, ok := cfg["policyUrls"]; ok && urls != "" {
 		for _, u := range strings.Split(urls, ",") {
 			u = strings.TrimSpace(u)
@@ -82,7 +83,12 @@ func ParseConfig(cfg map[string]string) (*Config, error) {
 	}
 
 	if config.PolicyDir == "" && config.PolicyFile == "" && len(config.PolicyUrls) == 0 {
-		return nil, fmt.Errorf("at least one policy source is required (policyDir, policyFile, or policyUrls)")
+		// Fall back to the default ./policies directory if it exists on disk.
+		if info, err := os.Stat("./policies"); err == nil && info.IsDir() {
+			config.PolicyDir = "./policies"
+		} else {
+			return nil, fmt.Errorf("at least one policy source is required (policyDir, policyFile, or policyUrls)")
+		}
 	}
 
 	if query, ok := cfg["query"]; ok && query != "" {
@@ -119,7 +125,12 @@ func ParseConfig(cfg map[string]string) (*Config, error) {
 }
 
 // IsActionEnabled checks if the given action is in the configured actions list.
+// When the actions list is empty/nil, all actions are enabled and action-gating
+// is delegated entirely to the Rego policy.
 func (c *Config) IsActionEnabled(action string) bool {
+	if len(c.Actions) == 0 {
+		return true
+	}
 	for _, a := range c.Actions {
 		if a == action {
 			return true

pkg/plugin/implementation/policyenforcer/enforcer_test.go

@@ -47,10 +47,10 @@ func TestParseConfig_Defaults(t *testing.T) {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if cfg.Query != "data.policy.violations" {
-		t.Errorf("expected default query, got %q", cfg.Query)
+		t.Errorf("expected default query 'data.policy.violations', got %q", cfg.Query)
 	}
-	if len(cfg.Actions) != 1 || cfg.Actions[0] != "confirm" {
-		t.Errorf("expected default actions [confirm], got %v", cfg.Actions)
+	if len(cfg.Actions) != 0 {
+		t.Errorf("expected empty default actions (all enabled), got %v", cfg.Actions)
 	}
 	if !cfg.Enabled {
 		t.Error("expected enabled=true by default")
@@ -381,6 +381,7 @@ violations contains "blocked" if { input.context.action == "confirm"; input.bloc
 
 	enforcer, err := New(map[string]string{
 		"policyDir": dir,
+		"query":     "data.policy.violations",
 		"actions":   "confirm",
 	})
 	if err != nil {
@@ -404,6 +405,7 @@ violations contains "blocked" if { input.context.action == "confirm" }
 
 	enforcer, err := New(map[string]string{
 		"policyDir": dir,
+		"query":     "data.policy.violations",
 		"actions":   "confirm",
 	})
 	if err != nil {
@@ -432,6 +434,7 @@ violations contains "blocked" if { true }
 
 	enforcer, err := New(map[string]string{
 		"policyDir": dir,
+		"query":     "data.policy.violations",
 		"actions":   "confirm",
 	})
 	if err != nil {
@@ -456,6 +459,7 @@ violations contains "blocked" if { true }
 
 	enforcer, err := New(map[string]string{
 		"policyDir": dir,
+		"query":     "data.policy.violations",
 		"enabled":   "false",
 	})
 	if err != nil {
@@ -484,6 +488,7 @@ violations contains "blocked" if { input.context.action == "confirm" }
 
 	enforcer, err := New(map[string]string{
 		"policyUrls": srv.URL + "/block_confirm.rego",
+		"query":      "data.policy.violations",
 		"actions":    "confirm",
 	})
 	if err != nil {

pkg/plugin/implementation/policyenforcer/evaluator.go

@@ -78,7 +78,7 @@ func NewEvaluator(policyDir, policyFile string, policyUrls []string, query strin
 		modules[filepath.Base(policyFile)] = string(data)
 	}
 
-	// Load from URLs and local file paths (policyUrls)
+	// Load from URLs, local file paths, and directory paths (policyUrls)
 	for _, rawSource := range policyUrls {
 		if isURL(rawSource) {
 			name, content, err := fetchPolicy(rawSource)
@@ -86,6 +86,23 @@ func NewEvaluator(policyDir, policyFile string, policyUrls []string, query strin
 				return nil, fmt.Errorf("failed to fetch policy from %s: %w", rawSource, err)
 			}
 			modules[name] = content
+		} else if info, err := os.Stat(rawSource); err == nil && info.IsDir() {
+			// Treat as directory — load all .rego files inside
+			entries, err := os.ReadDir(rawSource)
+			if err != nil {
+				return nil, fmt.Errorf("failed to read policy directory %s: %w", rawSource, err)
+			}
+			for _, entry := range entries {
+				if entry.IsDir() || !strings.HasSuffix(entry.Name(), ".rego") || strings.HasSuffix(entry.Name(), "_test.rego") {
+					continue
+				}
+				fpath := filepath.Join(rawSource, entry.Name())
+				data, err := os.ReadFile(fpath)
+				if err != nil {
+					return nil, fmt.Errorf("failed to read policy file %s: %w", fpath, err)
+				}
+				modules[entry.Name()] = string(data)
+			}
 		} else {
 			// Treat as local file path
 			data, err := os.ReadFile(rawSource)