{"id":"policy-enforcement-complete-access-control","text":"FTL2's policy engine provides complete pre-execution access control: enforcement runs before every module call with first-match-deny semantics, rules match on module/environment/host/parameter fields for granular control, and shell/command/raw modules are treated as policy-equivalent to prevent bypass through alternative command execution paths.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"policy-enforcement-complete-access-control","truth_value":"IN","reason":"premise"}]}}