fix(security): Address review feedback

- Add test for PolicyDecision PartialEq (Issue #3)
- Clarify matches_action location in mod.rs comment (Issue #2)
- Enhance TimeOfDay UTC docs with timezone conversion examples (Issue #4)
- Note: Issue #1 (PolicyDecision PartialEq) was already present in codebase

All 105 tests pass, clippy clean, formatting clean.

Author: Clawdio

crates/nv-security/src/policy/mod.rs

@@ -36,6 +36,6 @@ pub use rate_limit::RateLimiter;
 pub use signing::{sign_policy, verify_policy};
 pub use types::PolicyDecision;
 
-// Note: Internal types (Condition, DefaultPolicy, PolicyConfig, PolicyRule, matches_action)
-// are NOT re-exported, keeping the public API surface minimal.
-// They remain accessible within this module via their submodules (types::*, util::*).
+// Note: Internal types (Condition, DefaultPolicy, PolicyConfig, PolicyRule from types::*)
+// and utility functions (matches_action from util::*) are NOT re-exported, keeping the
+// public API surface minimal. They remain accessible within this module via their submodules.

crates/nv-security/src/policy/tests.rs

@@ -33,6 +33,39 @@ mod integration_tests {
         assert!(matches!(cloned, PolicyDecision::Deny { .. }));
     }
 
+    #[test]
+    fn test_policy_decision_partial_eq() {
+        let allow1 = PolicyDecision::Allow;
+        let allow2 = PolicyDecision::Allow;
+        assert_eq!(allow1, allow2);
+
+        let deny1 = PolicyDecision::Deny {
+            reason: "test".to_string(),
+        };
+        let deny2 = PolicyDecision::Deny {
+            reason: "test".to_string(),
+        };
+        let deny3 = PolicyDecision::Deny {
+            reason: "other".to_string(),
+        };
+        assert_eq!(deny1, deny2);
+        assert_ne!(deny1, deny3);
+
+        let confirm1 = PolicyDecision::Confirm {
+            prompt: "test?".to_string(),
+        };
+        let confirm2 = PolicyDecision::Confirm {
+            prompt: "test?".to_string(),
+        };
+        assert_eq!(confirm1, confirm2);
+
+        let rate1 = PolicyDecision::RateLimit { wait_ms: 100 };
+        let rate2 = PolicyDecision::RateLimit { wait_ms: 100 };
+        let rate3 = PolicyDecision::RateLimit { wait_ms: 200 };
+        assert_eq!(rate1, rate2);
+        assert_ne!(rate1, rate3);
+    }
+
     #[test]
     fn test_conditions_time_of_day() {
         let toml = r#"

crates/nv-security/src/policy/types.rs

@@ -63,7 +63,9 @@ pub enum Condition {
     /// Time of day constraint (24-hour format, evaluated in UTC)
     ///
     /// **Important:** Times are evaluated in UTC, not local time.
-    /// For example, `after: "09:00"` means 09:00 UTC.
+    /// For example, `after: "09:00"` means 09:00 UTC (which is 1:00 AM PST
+    /// or 5:00 AM EDT). If you want to restrict actions to local business
+    /// hours, you must convert your local time to UTC.
     ///
     /// Supports midnight crossing (e.g., `after: "22:00", before: "06:00"`).
     #[serde(rename = "time_of_day")]