# ProhibitedPatternAnalyzer (Static Purity Analysis)

## Module

Policy

## Status

IMPLEMENTED

## Description

Static purity analysis that detects prohibited patterns (ambient IO, clock access, etc.) in evaluation code.

## Implementation Details

- **ProhibitedPatternAnalyzer**: `src/Policy/StellaOps.Policy.Engine/DeterminismGuard/ProhibitedPatternAnalyzer.cs`
  - Regex-based detection of non-deterministic patterns in source code
  - Prohibited pattern categories:
    - Wall-clock access: `DateTime.Now`, `DateTime.UtcNow`, `DateTimeOffset.Now`, `DateTimeOffset.UtcNow`
    - Random number generation: `Random`, `RandomNumberGenerator`
    - Network access: `HttpClient`, `WebRequest`, `TcpClient`, `UdpClient`
    - Filesystem access: `File.`, `Directory.`, `Path.GetTempPath`
  - Line-by-line scanning; comment lines (lines starting with `//` or `///`) are skipped
  - Returns a list of `ProhibitedPatternMatch` entries, each carrying the line number, pattern name and matched text
- **DeterminismGuardService**: `src/Policy/StellaOps.Policy.Engine/DeterminismGuard/DeterminismGuardService.cs`
  - `AnalyzeSource(sourceCode)` invokes ProhibitedPatternAnalyzer to find violations
  - `CreateScope()` creates a determinism guard scope for runtime monitoring
  - `ValidateContext()` validates the evaluation context for determinism
  - Combines ProhibitedPatternAnalyzer (static) and RuntimeDeterminismMonitor (runtime)
- **RuntimeDeterminismMonitor**: `src/Policy/StellaOps.Policy.Engine/DeterminismGuard/RuntimeDeterminismMonitor.cs` -- runtime monitoring companion
- **GuardedPolicyEvaluator**: `src/Policy/StellaOps.Policy.Engine/Gates/Determinization/DeterminizationGate.cs` -- gate that applies determinism guards in the evaluation pipeline

## E2E Test Plan

- [ ] Analyze source code containing `DateTime.Now`; verify the prohibited pattern is detected with the correct line number
- [ ] Analyze source code containing `new Random()`; verify the prohibited pattern is detected
- [ ] Analyze source code containing `HttpClient`; verify the network access pattern is detected
- [ ] Analyze source code containing `File.ReadAllText`; verify the filesystem pattern is detected
- [ ] Analyze source code with a prohibited pattern in a comment line (`// DateTime.Now`); verify it is NOT detected (comment skipped)
- [ ] Analyze clean source code with no prohibited patterns; verify empty results
- [ ] Analyze source code with multiple violations on different lines; verify all are detected with correct line numbers
- [ ] Verify `DeterminismGuardService.AnalyzeSource` returns the results produced by ProhibitedPatternAnalyzer
- [ ] Create a determinism guard scope; use `TimeProvider` instead of `DateTime.Now`; verify no violations
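The sketch below is an added illustration of the line-scanning, regex-based approach described under Implementation Details. It is not the StellaOps ProhibitedPatternAnalyzer and the names `PurityScanner`, `Analyze` and `PatternMatch`, the exact regexes, and the sample evaluation code are assumptions made here. It covers the four pattern categories and the whole-line comment skip, and its constructed input also shows two things a practitioner should know about text-level scanning: an injected `TimeProvider` passes cleanly, while a prohibited name in a trailing comment (or a string literal) is still reported, because only lines that start with `//` are skipped.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Illustrative line-scanning purity analyzer (not the StellaOps implementation).
// Assumed names: PurityScanner, Analyze, PatternMatch.
public sealed record PatternMatch(int LineNumber, string PatternName, string MatchedText);

public static class PurityScanner
{
    // One regex per prohibited category. \b stops "Random" from matching
    // identifiers such as RandomAccessFile, and "File." from matching "MyFile.".
    private static readonly (string Name, Regex Pattern)[] Rules =
    {
        ("WallClock",  new Regex(@"\bDateTime(Offset)?\.(Utc)?Now\b")),
        ("Random",     new Regex(@"\b(Random|RandomNumberGenerator)\b")),
        ("Network",    new Regex(@"\b(HttpClient|WebRequest|TcpClient|UdpClient)\b")),
        ("Filesystem", new Regex(@"\b(File|Directory)\.|\bPath\.GetTempPath\b")),
    };

    public static IReadOnlyList<PatternMatch> Analyze(string source)
    {
        var matches = new List<PatternMatch>();
        var lines = source.Split('\n');
        for (int i = 0; i < lines.Length; i++)
        {
            string line = lines[i];
            // Whole-line comments (// and ///) are skipped. Everything else,
            // including trailing comments and string literals, is scanned;
            // that is an inherent limitation of scanning text rather than syntax.
            if (line.TrimStart().StartsWith("//"))
                continue;

            foreach (var (name, regex) in Rules)
                foreach (Match m in regex.Matches(line))
                    matches.Add(new PatternMatch(i + 1, name, m.Value));   // 1-based line numbers
        }
        return matches;
    }

    public static void Main()
    {
        // Constructed sample evaluation code; the line numbers in the comments
        // refer to positions inside this string, not to this file.
        const string sample = @"using System;
// DateTime.Now in this whole-line comment is skipped
public static class Eval
{
    public static int Run(TimeProvider clock)
    {
        var now = clock.GetUtcNow();             // injected clock: allowed
        var stamp = DateTime.UtcNow;             // line 8: wall-clock
        var rng = new Random();                  // line 9: randomness
        var text = File.ReadAllText(""in.txt""); // line 10: filesystem
        var note = ""ok""; // DateTime.Now in a trailing comment is still scanned
        return 0;
    }
}";
        foreach (var m in Analyze(sample))
            Console.WriteLine($"line {m.LineNumber}: {m.PatternName} -> {m.MatchedText}");
    }
}
```

Run with `dotnet run` in a console project that includes this file. Any regex-over-text analyzer has the same trade-off as this one: it is cheap and language-agnostic, but it cannot tell a comment, a string literal or a user-defined type named `Random` from real ambient access, so it is best treated as a fast gate in front of the runtime monitor rather than as proof of purity on its own.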