@highflame/policy 1.1.3 → 1.2.0

package/dist/engine.test.js

@@ -0,0 +1,190 @@
+/**
+ * Engine unit tests
+ *
+ * Tests the PolicyEngine evaluate() function.
+ * These tests are consistent across Go, TypeScript, and Python SDKs.
+ */
+import { describe, it, expect, beforeEach } from 'vitest';
+import { PolicyEngine, EntityType, ActionType, InputValidationError, DEFAULT_LIMITS, } from './index.js';
+describe('PolicyEngine', () => {
+    let engine;
+    const permitAllPolicy = `
+    permit(principal, action, resource);
+  `;
+    const denyAllPolicy = `
+    forbid(principal, action, resource);
+  `;
+    // Simple context-based policy without action constraint for testing context evaluation
+    const contextBasedPolicy = `
+    @id("allow-production")
+    permit(
+      principal,
+      action,
+      resource
+    )
+    when { context.environment == "production" };
+
+    @id("deny-all")
+    forbid(principal, action, resource);
+  `;
+    beforeEach(() => {
+        engine = new PolicyEngine();
+    });
+    describe('basic evaluation', () => {
+        it('should allow when permit policy matches', () => {
+            engine.loadPolicies(permitAllPolicy);
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test-scanner', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors');
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should deny when forbid policy matches', () => {
+            engine.loadPolicies(denyAllPolicy);
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test-scanner', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors');
+            expect(decision.effect).toBe('Deny');
+        });
+        it('should deny when no policies match (default deny)', () => {
+            engine.loadPolicies(''); // No policies
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test-scanner', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors');
+            expect(decision.effect).toBe('Deny');
+        });
+    });
+    describe('context-based evaluation', () => {
+        beforeEach(() => {
+            engine.loadPolicies(contextBasedPolicy);
+        });
+        it('should allow when context matches permit condition', () => {
+            // Use simple permit policy to test context evaluation in isolation
+            const simplePermitPolicy = `
+        permit(principal, action, resource)
+        when { context.environment == "production" };
+      `;
+            const testEngine = new PolicyEngine();
+            testEngine.loadPolicies(simplePermitPolicy);
+            const decision = testEngine.evaluateSimple(EntityType.Scanner, 'palisade', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { environment: 'production' });
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should deny when context does not match permit condition', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'palisade', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { environment: 'development' });
+            expect(decision.effect).toBe('Deny');
+        });
+        it('should deny when context is missing required field', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'palisade', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', {} // Missing environment
+            );
+            expect(decision.effect).toBe('Deny');
+        });
+    });
+    describe('input validation', () => {
+        beforeEach(() => {
+            engine.loadPolicies(permitAllPolicy);
+        });
+        it('should accept valid context', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', {
+                environment: 'production',
+                severity: 'HIGH',
+                count: 42,
+                enabled: true,
+            });
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should reject context with too many keys', () => {
+            const engine = new PolicyEngine({ limits: { maxContextKeys: 5 } });
+            engine.loadPolicies(permitAllPolicy);
+            const bigContext = {};
+            for (let i = 0; i < 10; i++) {
+                bigContext[`key${i}`] = 'value';
+            }
+            expect(() => {
+                engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', bigContext);
+            }).toThrow(InputValidationError);
+        });
+        it('should reject context with too long strings', () => {
+            const engine = new PolicyEngine({ limits: { maxStringLength: 100 } });
+            engine.loadPolicies(permitAllPolicy);
+            const longString = 'x'.repeat(200);
+            expect(() => {
+                engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { value: longString });
+            }).toThrow(InputValidationError);
+        });
+        it('should reject deeply nested context', () => {
+            const engine = new PolicyEngine({ limits: { maxNestingDepth: 3 } });
+            engine.loadPolicies(permitAllPolicy);
+            const deepContext = {
+                level1: {
+                    level2: {
+                        level3: {
+                            level4: {
+                                level5: 'too deep',
+                            },
+                        },
+                    },
+                },
+            };
+            expect(() => {
+                engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', deepContext);
+            }).toThrow(InputValidationError);
+        });
+        it('should allow skipping validation', () => {
+            const engine = new PolicyEngine({
+                skipValidation: true,
+                limits: { maxContextKeys: 1 },
+            });
+            engine.loadPolicies(permitAllPolicy);
+            // This would normally fail validation
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { key1: 'value1', key2: 'value2', key3: 'value3' });
+            expect(decision.effect).toBe('Allow');
+        });
+    });
+    describe('complex context types', () => {
+        beforeEach(() => {
+            engine.loadPolicies(permitAllPolicy);
+        });
+        it('should handle array context values', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { threats: ['malware', 'backdoor', 'injection'] });
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should handle nested object context', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', {
+                metadata: {
+                    format: 'safetensors',
+                    size: 1024,
+                },
+            });
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should handle empty context', () => {
+            // Cedar doesn't have null values - this tests that empty context works
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', {});
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should handle boolean context values', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { is_signed: true, is_malicious: false });
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should handle integer context values', () => {
+            // Cedar uses Long type for numbers (integers only, no floats)
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { severity_score: 7, count: 100 });
+            expect(decision.effect).toBe('Allow');
+        });
+    });
+    describe('error handling', () => {
+        it('should handle invalid policy syntax gracefully', () => {
+            const invalidPolicy = `permit(principal, action, resource`; // Missing closing paren
+            expect(() => {
+                engine.loadPolicies(invalidPolicy);
+                engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors');
+            }).not.toThrow();
+            // Should return deny with reason
+            engine.loadPolicies(invalidPolicy);
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors');
+            expect(decision.effect).toBe('Deny');
+        });
+    });
+    describe('DEFAULT_LIMITS', () => {
+        it('should have consistent default values', () => {
+            expect(DEFAULT_LIMITS.maxContextKeys).toBe(100);
+            expect(DEFAULT_LIMITS.maxStringLength).toBe(1_000_000);
+            expect(DEFAULT_LIMITS.maxNestingDepth).toBe(10);
+            expect(DEFAULT_LIMITS.maxContextSizeBytes).toBe(10_000_000);
+        });
+    });
+});
+//# sourceMappingURL=engine.test.js.map

package/dist/engine.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.test.js","sourceRoot":"","sources":["../src/engine.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC1D,OAAO,EACL,YAAY,EAEZ,UAAU,EACV,UAAU,EAEV,oBAAoB,EACpB,cAAc,GACf,MAAM,YAAY,CAAC;AAEpB,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,IAAI,MAAoB,CAAC;IAEzB,MAAM,eAAe,GAAG;;GAEvB,CAAC;IAEF,MAAM,aAAa,GAAG;;GAErB,CAAC;IAEF,uFAAuF;IACvF,MAAM,kBAAkB,GAAG;;;;;;;;;;;GAW1B,CAAC;IAEF,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAChC,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;YACjD,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YAErC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,cAAc,EACd,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,CACrB,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;YAEnC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,cAAc,EACd,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,CACrB,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;YAC3D,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc;YAEvC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,cAAc,EACd,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,CACrB,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;QACxC,UAAU,CAAC,GAAG,EAAE;YACd,MAAM,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,mEAAmE;YACnE,MAAM,kBAAkB,GAAG;;;OAG1B,CAAC;YACF,MAAM,UAAU,GAAG,IAAI,YAAY,EAAE,CAAC;YACtC,UAAU,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;YAE5C,MAAM,QAAQ,GAAG,UAAU,CAAC,cAAc,CACxC,UAAU,CAAC,OAAO,EAClB,UAAU,EACV,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,WAAW,EAAE,YAAY,EAAE,CAC9B,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;YAClE,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,UAAU,EACV,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,WAAW,EAAE,aAAa,EAAE,CAC/B,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,UAAU,EACV,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,CAAC,sBAAsB;aAC1B,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAChC,UAAU,CAAC,GAAG,EAAE;YACd,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB;gBACE,WAAW,EAAE,YAAY;gBACzB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,EAAE;gBACT,OAAO,EAAE,IAAI;aACd,CACF,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;YAClD,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;YACnE,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YAErC,MAAM,UAAU,GAA4B,EAAE,CAAC;YAC/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC5B,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC;YAClC,CAAC;YAED,MAAM,CAAC,GAAG,EAAE;gBACV,MAAM,CAAC,cAAc,CACnB,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,UAAU,CACX,CAAC;YACJ,CAAC,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;YACrD,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,EAAE,eAAe,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YACtE,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YAErC,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAEnC,MAAM,CAAC,GAAG,EAAE;gBACV,MAAM,CAAC,cAAc,CACnB,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,KAAK,EAAE,UAAU,EAAE,CACtB,CAAC;YACJ,CAAC,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,EAAE,eAAe,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;YACpE,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YAErC,MAAM,WAAW,GAAG;gBAClB,MAAM,EAAE;oBACN,MAAM,EAAE;wBACN,MAAM,EAAE;4BACN,MAAM,EAAE;gCACN,MAAM,EAAE,UAAU;6BACnB;yBACF;qBACF;iBACF;aACF,CAAC;YAEF,MAAM,CAAC,GAAG,EAAE;gBACV,MAAM,CAAC,cAAc,CACnB,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,WAAW,CACZ,CAAC;YACJ,CAAC,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC;gBAC9B,cAAc,EAAE,IAAI;gBACpB,MAAM,EAAE,EAAE,cAAc,EAAE,CAAC,EAAE;aAC9B,CAAC,CAAC;YACH,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YAErC,sCAAsC;YACtC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,CACnD,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,UAAU,CAAC,GAAG,EAAE;YACd,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,OAAO,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,EAAE,CAClD,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB;gBACE,QAAQ,EAAE;oBACR,MAAM,EAAE,aAAa;oBACrB,IAAI,EAAE,IAAI;iBACX;aACF,CACF,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,uEAAuE;YACvE,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,CACH,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CACzC,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,8DAA8D;YAC9D,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,cAAc,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAClC,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,aAAa,GAAG,oCAAoC,CAAC,CAAC,wBAAwB;YAEpF,MAAM,CAAC,GAAG,EAAE;gBACV,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;gBACnC,MAAM,CAAC,cAAc,CACnB,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,CACrB,CAAC;YACJ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YAEjB,iCAAiC;YACjC,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;YACnC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,CACrB,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAChD,MAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvD,MAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChD,MAAM,CAAC,cAAc,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/entities.gen.d.ts

@@ -4,8 +4,12 @@
 export declare const EntityType: {
     readonly Agent: "Agent";
     readonly Artifact: "Artifact";
+    readonly ExternalAPI: "ExternalAPI";
     readonly FilePath: "FilePath";
+    readonly GitBranch: "GitBranch";
     readonly HttpEndpoint: "HttpEndpoint";
+    readonly Memory: "Memory";
+    readonly Model: "Model";
     readonly Package: "Package";
     readonly Repository: "Repository";
     readonly Resource: "Resource";

package/dist/entities.gen.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"entities.gen.d.ts","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;CAcb,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAEtE;;GAEG;AACH,MAAM,WAAW,SAAS;IACtB,IAAI,EAAE,UAAU,GAAG,MAAM,CAAC;IAC1B,EAAE,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACnB,GAAG,EAAE,SAAS,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;CACzB;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,SAAS,CAE7E;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAMxG"}
+{"version":3,"file":"entities.gen.d.ts","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;CAkBb,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAEtE;;GAEG;AACH,MAAM,WAAW,SAAS;IACtB,IAAI,EAAE,UAAU,GAAG,MAAM,CAAC;IAC1B,EAAE,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACnB,GAAG,EAAE,SAAS,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;CACzB;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,SAAS,CAE7E;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAMxG"}

package/dist/entities.gen.js

@@ -6,8 +6,12 @@
 export const EntityType = {
     Agent: 'Agent',
     Artifact: 'Artifact',
+    ExternalAPI: 'ExternalAPI',
     FilePath: 'FilePath',
+    GitBranch: 'GitBranch',
     HttpEndpoint: 'HttpEndpoint',
+    Memory: 'Memory',
+    Model: 'Model',
     Package: 'Package',
     Repository: 'Repository',
     Resource: 'Resource',

package/dist/entities.gen.js.map

@@ -1 +1 @@
-{"version":3,"file":"entities.gen.js","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACtB,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,OAAO,EAAE,SAAS;IAClB,UAAU,EAAE,YAAY;IACxB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,OAAO,EAAE,SAAS;IAClB,MAAM,EAAE,QAAQ;IAChB,OAAO,EAAE,SAAS;IAClB,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;CACN,CAAC;AAqBX;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,IAAyB,EAAE,EAAU;IAC9D,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,IAAyB,EAAE,EAAU,EAAE,KAA+B;IAC5F,OAAO;QACH,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,KAAK,EAAE,KAAK,IAAI,EAAE;QAClB,OAAO,EAAE,EAAE;KACd,CAAC;AACN,CAAC"}
+{"version":3,"file":"entities.gen.js","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACtB,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,UAAU;IACpB,WAAW,EAAE,aAAa;IAC1B,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,WAAW;IACtB,YAAY,EAAE,cAAc;IAC5B,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,OAAO;IACd,OAAO,EAAE,SAAS;IAClB,UAAU,EAAE,YAAY;IACxB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,OAAO,EAAE,SAAS;IAClB,MAAM,EAAE,QAAQ;IAChB,OAAO,EAAE,SAAS;IAClB,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;CACN,CAAC;AAqBX;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,IAAyB,EAAE,EAAU;IAC9D,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,IAAyB,EAAE,EAAU,EAAE,KAA+B;IAC5F,OAAO;QACH,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,KAAK,EAAE,KAAK,IAAI,EAAE;QAClB,OAAO,EAAE,EAAE;KACd,CAAC;AACN,CAAC"}

package/dist/parser.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Cedar Policy Parser
+ *
+ * Converts Cedar policy text to structured PolicyRule format using the
+ * official Cedar engine (cedar-wasm) for parsing.
+ *
+ * Architecture:
+ * 1. Cedar text → Cedar JSON (via cedar-wasm policyToJson)
+ * 2. Cedar JSON → PolicyRule (simple JSON mapping)
+ */
+import type { PolicyRule } from "./builder.js";
+/**
+ * Result of parsing Cedar policies
+ */
+export interface ParseResult {
+    /** Policies successfully converted to PolicyRule format */
+    rules: PolicyRule[];
+    /** Policies that couldn't be fully represented as PolicyRule (raw Cedar text) */
+    unstructured: string[];
+    /** Any parsing errors encountered */
+    errors: string[];
+}
+/**
+ * Parse Cedar policy text and convert to PolicyRule format.
+ *
+ * Uses the official cedar-wasm engine for parsing, ensuring correctness.
+ * Policies with features that can't be represented as PolicyRule (e.g.,
+ * unless clauses, complex expressions) are returned in the unstructured array.
+ *
+ * @param cedarText - Cedar policy text to parse
+ * @returns ParseResult with structured rules, unstructured policies, and errors
+ */
+export declare function parseCedarToRules(cedarText: string): ParseResult;
+//# sourceMappingURL=parser.d.ts.map

package/dist/parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../src/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAkE,MAAM,cAAc,CAAC;AAE/G;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2DAA2D;IAC3D,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,iFAAiF;IACjF,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,qCAAqC;IACrC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAmDD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,CA2DhE"}

package/dist/parser.js

@@ -0,0 +1,348 @@
+/**
+ * Cedar Policy Parser
+ *
+ * Converts Cedar policy text to structured PolicyRule format using the
+ * official Cedar engine (cedar-wasm) for parsing.
+ *
+ * Architecture:
+ * 1. Cedar text → Cedar JSON (via cedar-wasm policyToJson)
+ * 2. Cedar JSON → PolicyRule (simple JSON mapping)
+ */
+import * as cedar from "@cedar-policy/cedar-wasm/nodejs";
+/**
+ * Normalize entity reference to simple { type, id } format
+ */
+function normalizeEntityRef(ref) {
+    if ("__entity" in ref) {
+        return ref.__entity;
+    }
+    return ref;
+}
+/**
+ * Parse Cedar policy text and convert to PolicyRule format.
+ *
+ * Uses the official cedar-wasm engine for parsing, ensuring correctness.
+ * Policies with features that can't be represented as PolicyRule (e.g.,
+ * unless clauses, complex expressions) are returned in the unstructured array.
+ *
+ * @param cedarText - Cedar policy text to parse
+ * @returns ParseResult with structured rules, unstructured policies, and errors
+ */
+export function parseCedarToRules(cedarText) {
+    const result = {
+        rules: [],
+        unstructured: [],
+        errors: [],
+    };
+    try {
+        // Split the policy set into individual policies and templates
+        const partsResult = cedar.policySetTextToParts(cedarText);
+        if (partsResult.type === "failure") {
+            for (const error of partsResult.errors) {
+                result.errors.push(error.message);
+            }
+            return result;
+        }
+        // Process each policy
+        let index = 0;
+        for (const policyText of partsResult.policies) {
+            // Convert individual policy to JSON using cedar-wasm
+            const jsonResult = cedar.policyToJson(policyText);
+            if (jsonResult.type === "failure") {
+                for (const error of jsonResult.errors) {
+                    result.errors.push(`Policy ${index}: ${error.message}`);
+                }
+                index++;
+                continue;
+            }
+            const policy = jsonResult.json;
+            const policyId = policy.annotations?.id || `policy${index}`;
+            const conversion = cedarJsonToRule(policy, policyId, index, policyText);
+            if (conversion.error) {
+                result.errors.push(`Policy ${policyId}: ${conversion.error}`);
+            }
+            if (conversion.rule) {
+                result.rules.push(conversion.rule);
+            }
+            else if (conversion.raw) {
+                result.unstructured.push(conversion.raw);
+            }
+            index++;
+        }
+        // Templates can't be represented as PolicyRule
+        for (const templateText of partsResult.policy_templates) {
+            result.unstructured.push(templateText);
+        }
+    }
+    catch (e) {
+        result.errors.push(`Parse error: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    return result;
+}
+/**
+ * Convert Cedar JSON policy to PolicyRule.
+ * This is pure JSON mapping - no parsing logic.
+ */
+function cedarJsonToRule(policy, policyId, index, originalText) {
+    // Check if this policy can be represented as PolicyRule
+    if (!canRepresentAsRule(policy)) {
+        // Return original text if available, otherwise convert back from JSON
+        const raw = originalText || getRawCedar(policyId, policy);
+        return { raw };
+    }
+    const rule = {
+        id: policy.annotations?.id || policyId,
+        name: policy.annotations?.name || policy.annotations?.id || policyId,
+        effect: policy.effect,
+        principal: mapScopeToEntity(policy.principal),
+        action: mapActionScope(policy.action),
+        resource: mapScopeToEntity(policy.resource),
+        conditions: [],
+        enabled: true,
+        order: index,
+    };
+    // Map description from annotations
+    if (policy.annotations?.description) {
+        rule.description = policy.annotations.description;
+    }
+    // Map conditions
+    const { conditions, rawCondition } = mapConditions(policy.conditions);
+    rule.conditions = conditions;
+    if (rawCondition) {
+        rule.rawCondition = rawCondition;
+    }
+    return { rule };
+}
+/**
+ * Check if a Cedar policy can be represented as PolicyRule
+ */
+function canRepresentAsRule(policy) {
+    // Unless clauses can't be represented
+    for (const cond of policy.conditions) {
+        if (cond.kind === "unless") {
+            return false;
+        }
+    }
+    // Template slots can't be represented
+    if (hasSlot(policy.principal) || hasSlot(policy.resource)) {
+        return false;
+    }
+    // Multiple entity "in" constraints are complex
+    const action = policy.action;
+    if (action.op === "in" && "entities" in action && action.entities.length > 1) {
+        // Multiple actions are OK, we handle those
+    }
+    return true;
+}
+/**
+ * Check if a scope constraint uses a slot (template)
+ */
+function hasSlot(scope) {
+    if (scope.op === "All" || scope.op === "is") {
+        return false;
+    }
+    return "slot" in scope;
+}
+/**
+ * Get raw Cedar text for a policy that can't be represented as PolicyRule
+ */
+function getRawCedar(policyId, policy) {
+    try {
+        // policyToText accepts Policy which is string | PolicyJson
+        const textResult = cedar.policyToText(policy);
+        if (textResult.type === "success") {
+            return textResult.text;
+        }
+    }
+    catch {
+        // Ignore conversion errors
+    }
+    return `// Complex policy: ${policyId}`;
+}
+/**
+ * Map Cedar scope constraint to PolicyEntity
+ */
+function mapScopeToEntity(scope) {
+    if (scope.op === "All") {
+        return null;
+    }
+    if (scope.op === "==") {
+        if ("entity" in scope) {
+            const entity = normalizeEntityRef(scope.entity);
+            return { type: entity.type, id: entity.id };
+        }
+        // Slot - can't represent
+        return null;
+    }
+    if (scope.op === "is") {
+        // Type constraint
+        return { type: scope.entity_type };
+    }
+    if (scope.op === "in") {
+        if ("entity" in scope) {
+            const entity = normalizeEntityRef(scope.entity);
+            return { type: entity.type, id: entity.id };
+        }
+        // Slot - can't represent
+        return null;
+    }
+    return null;
+}
+/**
+ * Map action scope to action string(s)
+ */
+function mapActionScope(scope) {
+    if (scope.op === "All") {
+        return "*";
+    }
+    if (scope.op === "==") {
+        const entity = normalizeEntityRef(scope.entity);
+        return entity.id;
+    }
+    if (scope.op === "in") {
+        if ("entities" in scope) {
+            const actions = scope.entities.map(e => normalizeEntityRef(e).id);
+            return actions.length === 1 ? actions[0] : actions;
+        }
+        if ("entity" in scope) {
+            const entity = normalizeEntityRef(scope.entity);
+            return entity.id;
+        }
+    }
+    return "";
+}
+/**
+ * Map Cedar conditions to PolicyCondition array
+ */
+function mapConditions(conditions) {
+    const result = [];
+    const rawParts = [];
+    for (const cond of conditions) {
+        if (cond.kind !== "when") {
+            continue;
+        }
+        const parsed = mapConditionBody(cond.body);
+        if (parsed.condition) {
+            result.push(parsed.condition);
+        }
+        else if (parsed.raw) {
+            rawParts.push(parsed.raw);
+        }
+    }
+    return {
+        conditions: result,
+        rawCondition: rawParts.length > 0 ? rawParts.join(" && ") : undefined,
+    };
+}
+/**
+ * Map a Cedar expression body to PolicyCondition
+ *
+ * Cedar JSON expressions use nested objects with operator keys.
+ * Comparison format: { "==": { left: { ".": { left: { Var: "context" }, attr: "field" } }, right: { Value: "x" } } }
+ */
+function mapConditionBody(body) {
+    const expr = body;
+    // Check comparison operators
+    for (const op of ["==", "!=", "<", "<=", ">", ">="]) {
+        const comparison = expr[op];
+        if (comparison) {
+            const condition = mapComparison(op, comparison);
+            if (condition)
+                return { condition };
+        }
+    }
+    // Check contains
+    if (expr.contains) {
+        const condition = mapContains(expr.contains);
+        if (condition)
+            return { condition };
+    }
+    // Check like
+    if (expr.like) {
+        const condition = mapLike(expr.like);
+        if (condition)
+            return { condition };
+    }
+    // Can't map - return as raw JSON
+    return { raw: JSON.stringify(body) };
+}
+function mapComparison(op, args) {
+    const field = extractContextField(args.left);
+    if (!field)
+        return null;
+    const value = extractLiteralValue(args.right);
+    if (value === undefined)
+        return null;
+    const operator = mapOperator(op);
+    if (!operator)
+        return null;
+    return { field, operator, value };
+}
+function mapContains(args) {
+    const field = extractContextField(args.left);
+    if (!field)
+        return null;
+    const value = extractLiteralValue(args.right);
+    if (value === undefined)
+        return null;
+    return { field, operator: "contains", value };
+}
+function mapLike(args) {
+    const field = extractContextField(args.left);
+    if (!field)
+        return null;
+    // Convert pattern to string (e.g., ["Wildcard", { Literal: "foo" }, "Wildcard"] -> "*foo*")
+    const patternStr = args.pattern.map(p => {
+        if (p === "Wildcard")
+            return "*";
+        if (typeof p === "object" && "Literal" in p)
+            return p.Literal;
+        return "";
+    }).join("");
+    return { field, operator: "like", value: patternStr };
+}
+/**
+ * Extract field name from context.field access pattern
+ * Pattern: { ".": { left: { Var: "context" }, attr: "field_name" } }
+ */
+function extractContextField(expr) {
+    const dotAccess = expr["."];
+    if (!dotAccess)
+        return null;
+    // Check if accessing context variable
+    const leftExpr = dotAccess.left;
+    if (leftExpr.Var !== "context")
+        return null;
+    return dotAccess.attr;
+}
+/**
+ * Extract literal value from Cedar JSON
+ * Pattern: { Value: <literal> }
+ */
+function extractLiteralValue(expr) {
+    if (!("Value" in expr))
+        return undefined;
+    const value = expr.Value;
+    if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+        return value;
+    }
+    if (Array.isArray(value) && value.every(v => typeof v === "string")) {
+        return value;
+    }
+    return undefined;
+}
+/**
+ * Map Cedar operator to ConditionOperator
+ */
+function mapOperator(cedarOp) {
+    const mapping = {
+        "==": "eq",
+        "!=": "neq",
+        "<": "lt",
+        "<=": "lte",
+        ">": "gt",
+        ">=": "gte",
+    };
+    return mapping[cedarOp] || null;
+}
+//# sourceMappingURL=parser.js.map

package/dist/parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.js","sourceRoot":"","sources":["../src/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,KAAK,MAAM,iCAAiC,CAAC;AAsDzD;;GAEG;AACH,SAAS,kBAAkB,CAAC,GAAmB;IAC7C,IAAI,UAAU,IAAI,GAAG,EAAE,CAAC;QACtB,OAAO,GAAG,CAAC,QAAQ,CAAC;IACtB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAAC,SAAiB;IACjD,MAAM,MAAM,GAAgB;QAC1B,KAAK,EAAE,EAAE;QACT,YAAY,EAAE,EAAE;QAChB,MAAM,EAAE,EAAE;KACX,CAAC;IAEF,IAAI,CAAC;QACH,8DAA8D;QAC9D,MAAM,WAAW,GAAG,KAAK,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC;QAE1D,IAAI,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACnC,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;gBACvC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACpC,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,sBAAsB;QACtB,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,KAAK,MAAM,UAAU,IAAI,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC9C,qDAAqD;YACrD,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;YAElD,IAAI,UAAU,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAClC,KAAK,MAAM,KAAK,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;oBACtC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,KAAK,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC1D,CAAC;gBACD,KAAK,EAAE,CAAC;gBACR,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,UAAU,CAAC,IAAuB,CAAC;YAClD,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,EAAE,EAAE,IAAI,SAAS,KAAK,EAAE,CAAC;YAC5D,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;YAExE,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;gBACrB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,QAAQ,KAAK,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;YAChE,CAAC;YAED,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;gBACpB,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;YACrC,CAAC;iBAAM,IAAI,UAAU,CAAC,GAAG,EAAE,CAAC;gBAC1B,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YAC3C,CAAC;YAED,KAAK,EAAE,CAAC;QACV,CAAC;QAED,+CAA+C;QAC/C,KAAK,MAAM,YAAY,IAAI,WAAW,CAAC,gBAAgB,EAAE,CAAC;YACxD,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzC,CAAC;IAEH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CACtB,MAAuB,EACvB,QAAgB,EAChB,KAAa,EACb,YAAqB;IAGrB,wDAAwD;IACxD,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;QAChC,sEAAsE;QACtE,MAAM,GAAG,GAAG,YAAY,IAAI,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC1D,OAAO,EAAE,GAAG,EAAE,CAAC;IACjB,CAAC;IAED,MAAM,IAAI,GAAe;QACvB,EAAE,EAAE,MAAM,CAAC,WAAW,EAAE,EAAE,IAAI,QAAQ;QACtC,IAAI,EAAE,MAAM,CAAC,WAAW,EAAE,IAAI,IAAI,MAAM,CAAC,WAAW,EAAE,EAAE,IAAI,QAAQ;QACpE,MAAM,EAAE,MAAM,CAAC,MAAsB;QACrC,SAAS,EAAE,gBAAgB,CAAC,MAAM,CAAC,SAAS,CAAC;QAC7C,MAAM,EAAE,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC;QACrC,QAAQ,EAAE,gBAAgB,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC3C,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,IAAI;QACb,KAAK,EAAE,KAAK;KACb,CAAC;IAEF,mCAAmC;IACnC,IAAI,MAAM,CAAC,WAAW,EAAE,WAAW,EAAE,CAAC;QACpC,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC;IACpD,CAAC;IAED,iBAAiB;IACjB,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,aAAa,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC7B,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,MAAuB;IACjD,sCAAsC;IACtC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC3B,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,IAAI,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,+CAA+C;IAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAC7B,IAAI,MAAM,CAAC,EAAE,KAAK,IAAI,IAAI,UAAU,IAAI,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7E,2CAA2C;IAC7C,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,OAAO,CAAC,KAA2B;IAC1C,IAAI,KAAK,CAAC,EAAE,KAAK,KAAK,IAAI,KAAK,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QAC5C,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,MAAM,IAAI,KAAK,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,QAAgB,EAAE,MAAuB;IAC5D,IAAI,CAAC;QACH,2DAA2D;QAC3D,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,MAA0B,CAAC,CAAC;QAClE,IAAI,UAAU,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,UAAU,CAAC,IAAI,CAAC;QACzB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;IAC7B,CAAC;IACD,OAAO,sBAAsB,QAAQ,EAAE,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,KAA2B;IACnD,IAAI,KAAK,CAAC,EAAE,KAAK,KAAK,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,KAAK,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QACtB,IAAI,QAAQ,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAChD,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC;QAC9C,CAAC;QACD,yBAAyB;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,KAAK,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QACtB,kBAAkB;QAClB,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC;IACrC,CAAC;IAED,IAAI,KAAK,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QACtB,IAAI,QAAQ,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAChD,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC;QAC9C,CAAC;QACD,yBAAyB;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,KAA4B;IAClD,IAAI,KAAK,CAAC,EAAE,KAAK,KAAK,EAAE,CAAC;QACvB,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,KAAK,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAChD,OAAO,MAAM,CAAC,EAAE,CAAC;IACnB,CAAC;IAED,IAAI,KAAK,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QACtB,IAAI,UAAU,IAAI,KAAK,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAClE,OAAO,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QACrD,CAAC;QACD,IAAI,QAAQ,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAChD,OAAO,MAAM,CAAC,EAAE,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,UAA4B;IAIjD,MAAM,MAAM,GAAsB,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACzB,SAAS;QACX,CAAC;QAED,MAAM,MAAM,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;aAAM,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;YACtB,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO;QACL,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;KACtE,CAAC;AACJ,CAAC;AAmBD;;;;;GAKG;AACH,SAAS,gBAAgB,CAAC,IAA6B;IAIrD,MAAM,IAAI,GAAG,IAAiB,CAAC;IAE/B,6BAA6B;IAC7B,KAAK,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,CAAU,EAAE,CAAC;QAC7D,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC;QAC5B,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,SAAS,GAAG,aAAa,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;YAChD,IAAI,SAAS;gBAAE,OAAO,EAAE,SAAS,EAAE,CAAC;QACtC,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,SAAS;YAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IACtC,CAAC;IAED,aAAa;IACb,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,SAAS;YAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IACtC,CAAC;IAED,iCAAiC;IACjC,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;AACvC,CAAC;AAED,SAAS,aAAa,CAAC,EAAU,EAAE,IAA2C;IAC5E,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAErC,MAAM,QAAQ,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IACjC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AACpC,CAAC;AAED,SAAS,WAAW,CAAC,IAA2C;IAC9D,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAErC,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,OAAO,CAAC,IAA2E;IAC1F,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,4FAA4F;IAC5F,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QACtC,IAAI,CAAC,KAAK,UAAU;YAAE,OAAO,GAAG,CAAC;QACjC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,SAAS,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC,OAAO,CAAC;QAC9D,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEZ,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;AACxD,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAAC,IAAe;IAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAE5B,sCAAsC;IACtC,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC;IAChC,IAAI,QAAQ,CAAC,GAAG,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAE5C,OAAO,SAAS,CAAC,IAAI,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAAC,IAAe;IAC1C,IAAI,CAAC,CAAC,OAAO,IAAI,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IAEzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACzB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;QACzF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;QACpE,OAAO,KAAiB,CAAC;IAC3B,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,OAAe;IAClC,MAAM,OAAO,GAAsC;QACjD,IAAI,EAAE,IAAI;QACV,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,IAAI;QACT,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,IAAI;QACT,IAAI,EAAE,KAAK;KACZ,CAAC;IACF,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC;AAClC,CAAC"}

package/dist/parser.test.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Parser unit tests
+ *
+ * Tests the Cedar text → PolicyRule conversion using the official Cedar engine.
+ * These tests demonstrate how a client like highflame-authz would use the parser.
+ */
+export {};
+//# sourceMappingURL=parser.test.d.ts.map

package/dist/parser.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.test.d.ts","sourceRoot":"","sources":["../src/parser.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}