@highflame/policy 1.1.3 → 1.2.1

package/dist/engine.test.js

@@ -0,0 +1,190 @@
+/**
+ * Engine unit tests
+ *
+ * Tests the PolicyEngine evaluate() function.
+ * These tests are consistent across Go, TypeScript, and Python SDKs.
+ */
+import { describe, it, expect, beforeEach } from 'vitest';
+import { PolicyEngine, EntityType, ActionType, InputValidationError, DEFAULT_LIMITS, } from './index.js';
+describe('PolicyEngine', () => {
+    let engine;
+    const permitAllPolicy = `
+    permit(principal, action, resource);
+  `;
+    const denyAllPolicy = `
+    forbid(principal, action, resource);
+  `;
+    // Simple context-based policy without action constraint for testing context evaluation
+    const contextBasedPolicy = `
+    @id("allow-production")
+    permit(
+      principal,
+      action,
+      resource
+    )
+    when { context.environment == "production" };
+
+    @id("deny-all")
+    forbid(principal, action, resource);
+  `;
+    beforeEach(() => {
+        engine = new PolicyEngine();
+    });
+    describe('basic evaluation', () => {
+        it('should allow when permit policy matches', () => {
+            engine.loadPolicies(permitAllPolicy);
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test-scanner', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors');
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should deny when forbid policy matches', () => {
+            engine.loadPolicies(denyAllPolicy);
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test-scanner', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors');
+            expect(decision.effect).toBe('Deny');
+        });
+        it('should deny when no policies match (default deny)', () => {
+            engine.loadPolicies(''); // No policies
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test-scanner', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors');
+            expect(decision.effect).toBe('Deny');
+        });
+    });
+    describe('context-based evaluation', () => {
+        beforeEach(() => {
+            engine.loadPolicies(contextBasedPolicy);
+        });
+        it('should allow when context matches permit condition', () => {
+            // Use simple permit policy to test context evaluation in isolation
+            const simplePermitPolicy = `
+        permit(principal, action, resource)
+        when { context.environment == "production" };
+      `;
+            const testEngine = new PolicyEngine();
+            testEngine.loadPolicies(simplePermitPolicy);
+            const decision = testEngine.evaluateSimple(EntityType.Scanner, 'palisade', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { environment: 'production' });
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should deny when context does not match permit condition', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'palisade', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { environment: 'development' });
+            expect(decision.effect).toBe('Deny');
+        });
+        it('should deny when context is missing required field', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'palisade', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', {} // Missing environment
+            );
+            expect(decision.effect).toBe('Deny');
+        });
+    });
+    describe('input validation', () => {
+        beforeEach(() => {
+            engine.loadPolicies(permitAllPolicy);
+        });
+        it('should accept valid context', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', {
+                environment: 'production',
+                severity: 'HIGH',
+                count: 42,
+                enabled: true,
+            });
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should reject context with too many keys', () => {
+            const engine = new PolicyEngine({ limits: { maxContextKeys: 5 } });
+            engine.loadPolicies(permitAllPolicy);
+            const bigContext = {};
+            for (let i = 0; i < 10; i++) {
+                bigContext[`key${i}`] = 'value';
+            }
+            expect(() => {
+                engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', bigContext);
+            }).toThrow(InputValidationError);
+        });
+        it('should reject context with too long strings', () => {
+            const engine = new PolicyEngine({ limits: { maxStringLength: 100 } });
+            engine.loadPolicies(permitAllPolicy);
+            const longString = 'x'.repeat(200);
+            expect(() => {
+                engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { value: longString });
+            }).toThrow(InputValidationError);
+        });
+        it('should reject deeply nested context', () => {
+            const engine = new PolicyEngine({ limits: { maxNestingDepth: 3 } });
+            engine.loadPolicies(permitAllPolicy);
+            const deepContext = {
+                level1: {
+                    level2: {
+                        level3: {
+                            level4: {
+                                level5: 'too deep',
+                            },
+                        },
+                    },
+                },
+            };
+            expect(() => {
+                engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', deepContext);
+            }).toThrow(InputValidationError);
+        });
+        it('should allow skipping validation', () => {
+            const engine = new PolicyEngine({
+                skipValidation: true,
+                limits: { maxContextKeys: 1 },
+            });
+            engine.loadPolicies(permitAllPolicy);
+            // This would normally fail validation
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { key1: 'value1', key2: 'value2', key3: 'value3' });
+            expect(decision.effect).toBe('Allow');
+        });
+    });
+    describe('complex context types', () => {
+        beforeEach(() => {
+            engine.loadPolicies(permitAllPolicy);
+        });
+        it('should handle array context values', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { threats: ['malware', 'backdoor', 'injection'] });
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should handle nested object context', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', {
+                metadata: {
+                    format: 'safetensors',
+                    size: 1024,
+                },
+            });
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should handle empty context', () => {
+            // Cedar doesn't have null values - this tests that empty context works
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', {});
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should handle boolean context values', () => {
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { is_signed: true, is_malicious: false });
+            expect(decision.effect).toBe('Allow');
+        });
+        it('should handle integer context values', () => {
+            // Cedar uses Long type for numbers (integers only, no floats)
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors', { severity_score: 7, count: 100 });
+            expect(decision.effect).toBe('Allow');
+        });
+    });
+    describe('error handling', () => {
+        it('should handle invalid policy syntax gracefully', () => {
+            const invalidPolicy = `permit(principal, action, resource`; // Missing closing paren
+            expect(() => {
+                engine.loadPolicies(invalidPolicy);
+                engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors');
+            }).not.toThrow();
+            // Should return deny with reason
+            engine.loadPolicies(invalidPolicy);
+            const decision = engine.evaluateSimple(EntityType.Scanner, 'test', ActionType.ScanArtifact, EntityType.Artifact, '/model.safetensors');
+            expect(decision.effect).toBe('Deny');
+        });
+    });
+    describe('DEFAULT_LIMITS', () => {
+        it('should have consistent default values', () => {
+            expect(DEFAULT_LIMITS.maxContextKeys).toBe(100);
+            expect(DEFAULT_LIMITS.maxStringLength).toBe(1_000_000);
+            expect(DEFAULT_LIMITS.maxNestingDepth).toBe(10);
+            expect(DEFAULT_LIMITS.maxContextSizeBytes).toBe(10_000_000);
+        });
+    });
+});
+//# sourceMappingURL=engine.test.js.map

package/dist/engine.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.test.js","sourceRoot":"","sources":["../src/engine.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC1D,OAAO,EACL,YAAY,EAEZ,UAAU,EACV,UAAU,EAEV,oBAAoB,EACpB,cAAc,GACf,MAAM,YAAY,CAAC;AAEpB,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,IAAI,MAAoB,CAAC;IAEzB,MAAM,eAAe,GAAG;;GAEvB,CAAC;IAEF,MAAM,aAAa,GAAG;;GAErB,CAAC;IAEF,uFAAuF;IACvF,MAAM,kBAAkB,GAAG;;;;;;;;;;;GAW1B,CAAC;IAEF,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAChC,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;YACjD,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YAErC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,cAAc,EACd,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,CACrB,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;YAEnC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,cAAc,EACd,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,CACrB,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;YAC3D,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc;YAEvC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,cAAc,EACd,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,CACrB,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;QACxC,UAAU,CAAC,GAAG,EAAE;YACd,MAAM,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,mEAAmE;YACnE,MAAM,kBAAkB,GAAG;;;OAG1B,CAAC;YACF,MAAM,UAAU,GAAG,IAAI,YAAY,EAAE,CAAC;YACtC,UAAU,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;YAE5C,MAAM,QAAQ,GAAG,UAAU,CAAC,cAAc,CACxC,UAAU,CAAC,OAAO,EAClB,UAAU,EACV,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,WAAW,EAAE,YAAY,EAAE,CAC9B,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;YAClE,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,UAAU,EACV,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,WAAW,EAAE,aAAa,EAAE,CAC/B,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,UAAU,EACV,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,CAAC,sBAAsB;aAC1B,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;QAChC,UAAU,CAAC,GAAG,EAAE;YACd,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB;gBACE,WAAW,EAAE,YAAY;gBACzB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,EAAE;gBACT,OAAO,EAAE,IAAI;aACd,CACF,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;YAClD,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,EAAE,cAAc,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;YACnE,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YAErC,MAAM,UAAU,GAA4B,EAAE,CAAC;YAC/C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC5B,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC;YAClC,CAAC;YAED,MAAM,CAAC,GAAG,EAAE;gBACV,MAAM,CAAC,cAAc,CACnB,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,UAAU,CACX,CAAC;YACJ,CAAC,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;YACrD,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,EAAE,eAAe,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YACtE,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YAErC,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAEnC,MAAM,CAAC,GAAG,EAAE;gBACV,MAAM,CAAC,cAAc,CACnB,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,KAAK,EAAE,UAAU,EAAE,CACtB,CAAC;YACJ,CAAC,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,EAAE,eAAe,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;YACpE,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YAErC,MAAM,WAAW,GAAG;gBAClB,MAAM,EAAE;oBACN,MAAM,EAAE;wBACN,MAAM,EAAE;4BACN,MAAM,EAAE;gCACN,MAAM,EAAE,UAAU;6BACnB;yBACF;qBACF;iBACF;aACF,CAAC;YAEF,MAAM,CAAC,GAAG,EAAE;gBACV,MAAM,CAAC,cAAc,CACnB,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,WAAW,CACZ,CAAC;YACJ,CAAC,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC;gBAC9B,cAAc,EAAE,IAAI;gBACpB,MAAM,EAAE,EAAE,cAAc,EAAE,CAAC,EAAE;aAC9B,CAAC,CAAC;YACH,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;YAErC,sCAAsC;YACtC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,CACnD,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,UAAU,CAAC,GAAG,EAAE;YACd,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,OAAO,EAAE,CAAC,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,EAAE,CAClD,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB;gBACE,QAAQ,EAAE;oBACR,MAAM,EAAE,aAAa;oBACrB,IAAI,EAAE,IAAI;iBACX;aACF,CACF,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,uEAAuE;YACvE,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,CACH,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CACzC,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,8DAA8D;YAC9D,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,EACpB,EAAE,cAAc,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAClC,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,aAAa,GAAG,oCAAoC,CAAC,CAAC,wBAAwB;YAEpF,MAAM,CAAC,GAAG,EAAE;gBACV,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;gBACnC,MAAM,CAAC,cAAc,CACnB,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,CACrB,CAAC;YACJ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YAEjB,iCAAiC;YACjC,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;YACnC,MAAM,QAAQ,GAAG,MAAM,CAAC,cAAc,CACpC,UAAU,CAAC,OAAO,EAClB,MAAM,EACN,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,QAAQ,EACnB,oBAAoB,CACrB,CAAC;YAEF,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAChD,MAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvD,MAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChD,MAAM,CAAC,cAAc,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/entities.gen.d.ts

@@ -4,8 +4,12 @@
 export declare const EntityType: {
     readonly Agent: "Agent";
     readonly Artifact: "Artifact";
+    readonly ExternalAPI: "ExternalAPI";
     readonly FilePath: "FilePath";
+    readonly GitBranch: "GitBranch";
     readonly HttpEndpoint: "HttpEndpoint";
+    readonly Memory: "Memory";
+    readonly Model: "Model";
     readonly Package: "Package";
     readonly Repository: "Repository";
     readonly Resource: "Resource";

package/dist/entities.gen.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"entities.gen.d.ts","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;CAcb,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAEtE;;GAEG;AACH,MAAM,WAAW,SAAS;IACtB,IAAI,EAAE,UAAU,GAAG,MAAM,CAAC;IAC1B,EAAE,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACnB,GAAG,EAAE,SAAS,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;CACzB;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,SAAS,CAE7E;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAMxG"}
+{"version":3,"file":"entities.gen.d.ts","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;CAkBb,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAEtE;;GAEG;AACH,MAAM,WAAW,SAAS;IACtB,IAAI,EAAE,UAAU,GAAG,MAAM,CAAC;IAC1B,EAAE,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACnB,GAAG,EAAE,SAAS,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;CACzB;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,SAAS,CAE7E;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAMxG"}

package/dist/entities.gen.js

@@ -6,8 +6,12 @@
 export const EntityType = {
     Agent: 'Agent',
     Artifact: 'Artifact',
+    ExternalAPI: 'ExternalAPI',
     FilePath: 'FilePath',
+    GitBranch: 'GitBranch',
     HttpEndpoint: 'HttpEndpoint',
+    Memory: 'Memory',
+    Model: 'Model',
     Package: 'Package',
     Repository: 'Repository',
     Resource: 'Resource',

package/dist/entities.gen.js.map

@@ -1 +1 @@
-{"version":3,"file":"entities.gen.js","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACtB,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,OAAO,EAAE,SAAS;IAClB,UAAU,EAAE,YAAY;IACxB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,OAAO,EAAE,SAAS;IAClB,MAAM,EAAE,QAAQ;IAChB,OAAO,EAAE,SAAS;IAClB,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;CACN,CAAC;AAqBX;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,IAAyB,EAAE,EAAU;IAC9D,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,IAAyB,EAAE,EAAU,EAAE,KAA+B;IAC5F,OAAO;QACH,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,KAAK,EAAE,KAAK,IAAI,EAAE;QAClB,OAAO,EAAE,EAAE;KACd,CAAC;AACN,CAAC"}
+{"version":3,"file":"entities.gen.js","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACtB,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,UAAU;IACpB,WAAW,EAAE,aAAa;IAC1B,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,WAAW;IACtB,YAAY,EAAE,cAAc;IAC5B,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,OAAO;IACd,OAAO,EAAE,SAAS;IAClB,UAAU,EAAE,YAAY;IACxB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,OAAO,EAAE,SAAS;IAClB,MAAM,EAAE,QAAQ;IAChB,OAAO,EAAE,SAAS;IAClB,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;CACN,CAAC;AAqBX;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,IAAyB,EAAE,EAAU;IAC9D,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,IAAyB,EAAE,EAAU,EAAE,KAA+B;IAC5F,OAAO;QACH,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,KAAK,EAAE,KAAK,IAAI,EAAE;QAClB,OAAO,EAAE,EAAE;KACd,CAAC;AACN,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,102 @@
+/**
+ * Parser error types and codes for highflame-policy.
+ *
+ * This module provides standardized error codes that are consistent
+ * across all language implementations (Rust, Go, TypeScript, Python).
+ */
+/**
+ * Error codes for parser errors.
+ *
+ * These codes are stable and consistent across all language implementations.
+ * Format: HFP-<CATEGORY>-<NUMBER>
+ * - HFP = HighFlame Policy
+ * - CATEGORY = SCOPE | ACTION | COND | PARSE
+ * - NUMBER = 3-digit incremental
+ */
+export declare const ErrorCodes: {
+    /** Scope constraint is missing an entity (for == operator) */
+    readonly SCOPE_MISSING_ENTITY: "HFP-SCOPE-001";
+    /** Scope constraint is missing an entity type (for is operator) */
+    readonly SCOPE_MISSING_ENTITY_TYPE: "HFP-SCOPE-002";
+    /** Scope constraint is missing entity list (for in operator) */
+    readonly SCOPE_MISSING_ENTITY_LIST: "HFP-SCOPE-003";
+    /** Slot constraints are not supported in PolicyRule */
+    readonly SCOPE_SLOT_NOT_SUPPORTED: "HFP-SCOPE-004";
+    /** Unsupported scope operator */
+    readonly SCOPE_UNSUPPORTED_OP: "HFP-SCOPE-005";
+    /** Action constraint is missing an entity (for == operator) */
+    readonly ACTION_MISSING_ENTITY: "HFP-ACTION-001";
+    /** Action constraint is missing entities (for in operator) */
+    readonly ACTION_MISSING_ENTITIES: "HFP-ACTION-002";
+    /** Unsupported action operator */
+    readonly ACTION_UNSUPPORTED_OP: "HFP-ACTION-003";
+    /** Action scope is null/nil */
+    readonly ACTION_SCOPE_NIL: "HFP-ACTION-004";
+    /** Unless clauses are not supported in PolicyRule */
+    readonly COND_UNLESS_NOT_SUPPORTED: "HFP-COND-001";
+    /** Complex condition cannot be parsed */
+    readonly COND_COMPLEX_EXPRESSION: "HFP-COND-002";
+    /** Invalid Cedar syntax */
+    readonly PARSE_INVALID_SYNTAX: "HFP-PARSE-001";
+    /** Failed to convert policy to JSON */
+    readonly PARSE_JSON_CONVERSION: "HFP-PARSE-002";
+    /** Failed to parse Cedar JSON structure */
+    readonly PARSE_JSON_STRUCTURE: "HFP-PARSE-003";
+    /** Unknown policy effect (not permit or forbid) */
+    readonly PARSE_UNKNOWN_EFFECT: "HFP-PARSE-004";
+    /** Duplicate policy ID found */
+    readonly PARSE_DUPLICATE_ID: "HFP-PARSE-005";
+};
+export type ErrorCode = (typeof ErrorCodes)[keyof typeof ErrorCodes];
+/**
+ * Context information for parser errors.
+ */
+export interface ErrorContext {
+    /** The operator that caused the error (e.g., "==", "in", "is") */
+    operator?: string;
+    /** The field that caused the error (e.g., "principal", "action", "resource") */
+    field?: string;
+    /** The policy ID if available */
+    policyId?: string;
+}
+/**
+ * A structured parser error with code, message, and optional context.
+ */
+export declare class ParserError extends Error {
+    /** Machine-readable error code (e.g., "HFP-SCOPE-001") */
+    readonly code: ErrorCode;
+    /** Optional context for debugging */
+    readonly context?: ErrorContext;
+    constructor(code: ErrorCode, message: string, context?: ErrorContext);
+    /**
+     * Returns a string representation including the error code.
+     */
+    toString(): string;
+    /**
+     * Serializes the error to a plain object for JSON serialization.
+     */
+    toJSON(): {
+        code: string;
+        message: string;
+        context?: ErrorContext;
+    };
+    /** Scope constraint is missing an entity */
+    static scopeMissingEntity(operator: string, field: string): ParserError;
+    /** Scope constraint is missing an entity type */
+    static scopeMissingEntityType(field: string): ParserError;
+    /** Scope constraint is missing entity list */
+    static scopeMissingEntityList(field: string): ParserError;
+    /** Slot constraints are not supported */
+    static scopeSlotNotSupported(operator: string, field: string): ParserError;
+    /** Unsupported scope operator */
+    static scopeUnsupportedOp(operator: string, field: string): ParserError;
+    /** Action constraint is missing an entity */
+    static actionMissingEntity(operator: string): ParserError;
+    /** Action constraint is missing entities */
+    static actionMissingEntities(): ParserError;
+    /** Unsupported action operator */
+    static actionUnsupportedOp(operator: string): ParserError;
+    /** Action scope is nil */
+    static actionScopeNil(): ParserError;
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,UAAU;IAErB,8DAA8D;;IAE9D,mEAAmE;;IAEnE,gEAAgE;;IAEhE,uDAAuD;;IAEvD,iCAAiC;;IAIjC,+DAA+D;;IAE/D,8DAA8D;;IAE9D,kCAAkC;;IAElC,+BAA+B;;IAI/B,qDAAqD;;IAErD,yCAAyC;;IAIzC,2BAA2B;;IAE3B,uCAAuC;;IAEvC,2CAA2C;;IAE3C,mDAAmD;;IAEnD,gCAAgC;;CAExB,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAErE;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gFAAgF;IAChF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iCAAiC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,qBAAa,WAAY,SAAQ,KAAK;IACpC,0DAA0D;IAC1D,SAAgB,IAAI,EAAE,SAAS,CAAC;IAChC,qCAAqC;IACrC,SAAgB,OAAO,CAAC,EAAE,YAAY,CAAC;gBAE3B,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,YAAY;IAapE;;OAEG;IACM,QAAQ,IAAI,MAAM;IAI3B;;OAEG;IACH,MAAM,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,YAAY,CAAA;KAAE;IAUnE,4CAA4C;IAC5C,MAAM,CAAC,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,WAAW;IAQvE,iDAAiD;IACjD,MAAM,CAAC,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW;IAQzD,8CAA8C;IAC9C,MAAM,CAAC,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW;IAQzD,yCAAyC;IACzC,MAAM,CAAC,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,WAAW;IAQ1E,iCAAiC;IACjC,MAAM,CAAC,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,WAAW;IAQvE,6CAA6C;IAC7C,MAAM,CAAC,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW;IAQzD,4CAA4C;IAC5C,MAAM,CAAC,qBAAqB,IAAI,WAAW;IAQ3C,kCAAkC;IAClC,MAAM,CAAC,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW;IAQzD,0BAA0B;IAC1B,MAAM,CAAC,cAAc,IAAI,WAAW;CAOrC"}

package/dist/errors.js

@@ -0,0 +1,127 @@
+/**
+ * Parser error types and codes for highflame-policy.
+ *
+ * This module provides standardized error codes that are consistent
+ * across all language implementations (Rust, Go, TypeScript, Python).
+ */
+/**
+ * Error codes for parser errors.
+ *
+ * These codes are stable and consistent across all language implementations.
+ * Format: HFP-<CATEGORY>-<NUMBER>
+ * - HFP = HighFlame Policy
+ * - CATEGORY = SCOPE | ACTION | COND | PARSE
+ * - NUMBER = 3-digit incremental
+ */
+export const ErrorCodes = {
+    // Scope constraint errors (HFP-SCOPE-xxx)
+    /** Scope constraint is missing an entity (for == operator) */
+    SCOPE_MISSING_ENTITY: "HFP-SCOPE-001",
+    /** Scope constraint is missing an entity type (for is operator) */
+    SCOPE_MISSING_ENTITY_TYPE: "HFP-SCOPE-002",
+    /** Scope constraint is missing entity list (for in operator) */
+    SCOPE_MISSING_ENTITY_LIST: "HFP-SCOPE-003",
+    /** Slot constraints are not supported in PolicyRule */
+    SCOPE_SLOT_NOT_SUPPORTED: "HFP-SCOPE-004",
+    /** Unsupported scope operator */
+    SCOPE_UNSUPPORTED_OP: "HFP-SCOPE-005",
+    // Action constraint errors (HFP-ACTION-xxx)
+    /** Action constraint is missing an entity (for == operator) */
+    ACTION_MISSING_ENTITY: "HFP-ACTION-001",
+    /** Action constraint is missing entities (for in operator) */
+    ACTION_MISSING_ENTITIES: "HFP-ACTION-002",
+    /** Unsupported action operator */
+    ACTION_UNSUPPORTED_OP: "HFP-ACTION-003",
+    /** Action scope is null/nil */
+    ACTION_SCOPE_NIL: "HFP-ACTION-004",
+    // Condition errors (HFP-COND-xxx)
+    /** Unless clauses are not supported in PolicyRule */
+    COND_UNLESS_NOT_SUPPORTED: "HFP-COND-001",
+    /** Complex condition cannot be parsed */
+    COND_COMPLEX_EXPRESSION: "HFP-COND-002",
+    // Parse errors (HFP-PARSE-xxx)
+    /** Invalid Cedar syntax */
+    PARSE_INVALID_SYNTAX: "HFP-PARSE-001",
+    /** Failed to convert policy to JSON */
+    PARSE_JSON_CONVERSION: "HFP-PARSE-002",
+    /** Failed to parse Cedar JSON structure */
+    PARSE_JSON_STRUCTURE: "HFP-PARSE-003",
+    /** Unknown policy effect (not permit or forbid) */
+    PARSE_UNKNOWN_EFFECT: "HFP-PARSE-004",
+    /** Duplicate policy ID found */
+    PARSE_DUPLICATE_ID: "HFP-PARSE-005",
+};
+/**
+ * A structured parser error with code, message, and optional context.
+ */
+export class ParserError extends Error {
+    /** Machine-readable error code (e.g., "HFP-SCOPE-001") */
+    code;
+    /** Optional context for debugging */
+    context;
+    constructor(code, message, context) {
+        super(message);
+        this.name = "ParserError";
+        this.code = code;
+        this.context = context;
+        // Maintains proper stack trace for where our error was thrown (only available on V8)
+        const ErrorWithCapture = Error;
+        if (ErrorWithCapture.captureStackTrace) {
+            ErrorWithCapture.captureStackTrace(this, ParserError);
+        }
+    }
+    /**
+     * Returns a string representation including the error code.
+     */
+    toString() {
+        return `[${this.code}] ${this.message}`;
+    }
+    /**
+     * Serializes the error to a plain object for JSON serialization.
+     */
+    toJSON() {
+        return {
+            code: this.code,
+            message: this.message,
+            ...(this.context && { context: this.context }),
+        };
+    }
+    // Convenience static factory methods for common errors
+    /** Scope constraint is missing an entity */
+    static scopeMissingEntity(operator, field) {
+        return new ParserError(ErrorCodes.SCOPE_MISSING_ENTITY, `'${operator}' constraint is missing an entity`, { operator, field });
+    }
+    /** Scope constraint is missing an entity type */
+    static scopeMissingEntityType(field) {
+        return new ParserError(ErrorCodes.SCOPE_MISSING_ENTITY_TYPE, "'is' constraint is missing an entity_type", { operator: "is", field });
+    }
+    /** Scope constraint is missing entity list */
+    static scopeMissingEntityList(field) {
+        return new ParserError(ErrorCodes.SCOPE_MISSING_ENTITY_LIST, "'in' constraint is missing an entity", { operator: "in", field });
+    }
+    /** Slot constraints are not supported */
+    static scopeSlotNotSupported(operator, field) {
+        return new ParserError(ErrorCodes.SCOPE_SLOT_NOT_SUPPORTED, `'${operator}' constraint with slot cannot be represented`, { operator, field });
+    }
+    /** Unsupported scope operator */
+    static scopeUnsupportedOp(operator, field) {
+        return new ParserError(ErrorCodes.SCOPE_UNSUPPORTED_OP, `Unsupported scope operator: ${operator}`, { operator, field });
+    }
+    /** Action constraint is missing an entity */
+    static actionMissingEntity(operator) {
+        return new ParserError(ErrorCodes.ACTION_MISSING_ENTITY, `Action '${operator}' constraint is missing an entity`, { operator, field: "action" });
+    }
+    /** Action constraint is missing entities */
+    static actionMissingEntities() {
+        return new ParserError(ErrorCodes.ACTION_MISSING_ENTITIES, "Action 'in' constraint is missing entities", { operator: "in", field: "action" });
+    }
+    /** Unsupported action operator */
+    static actionUnsupportedOp(operator) {
+        return new ParserError(ErrorCodes.ACTION_UNSUPPORTED_OP, `Unsupported action operator: ${operator}`, { operator, field: "action" });
+    }
+    /** Action scope is nil */
+    static actionScopeNil() {
+        return new ParserError(ErrorCodes.ACTION_SCOPE_NIL, "Action scope is nil", { field: "action" });
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,0CAA0C;IAC1C,8DAA8D;IAC9D,oBAAoB,EAAE,eAAe;IACrC,mEAAmE;IACnE,yBAAyB,EAAE,eAAe;IAC1C,gEAAgE;IAChE,yBAAyB,EAAE,eAAe;IAC1C,uDAAuD;IACvD,wBAAwB,EAAE,eAAe;IACzC,iCAAiC;IACjC,oBAAoB,EAAE,eAAe;IAErC,4CAA4C;IAC5C,+DAA+D;IAC/D,qBAAqB,EAAE,gBAAgB;IACvC,8DAA8D;IAC9D,uBAAuB,EAAE,gBAAgB;IACzC,kCAAkC;IAClC,qBAAqB,EAAE,gBAAgB;IACvC,+BAA+B;IAC/B,gBAAgB,EAAE,gBAAgB;IAElC,kCAAkC;IAClC,qDAAqD;IACrD,yBAAyB,EAAE,cAAc;IACzC,yCAAyC;IACzC,uBAAuB,EAAE,cAAc;IAEvC,+BAA+B;IAC/B,2BAA2B;IAC3B,oBAAoB,EAAE,eAAe;IACrC,uCAAuC;IACvC,qBAAqB,EAAE,eAAe;IACtC,2CAA2C;IAC3C,oBAAoB,EAAE,eAAe;IACrC,mDAAmD;IACnD,oBAAoB,EAAE,eAAe;IACrC,gCAAgC;IAChC,kBAAkB,EAAE,eAAe;CAC3B,CAAC;AAgBX;;GAEG;AACH,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,0DAA0D;IAC1C,IAAI,CAAY;IAChC,qCAAqC;IACrB,OAAO,CAAgB;IAEvC,YAAY,IAAe,EAAE,OAAe,EAAE,OAAsB;QAClE,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;QAC1B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QAEvB,qFAAqF;QACrF,MAAM,gBAAgB,GAAG,KAA2F,CAAC;QACrH,IAAI,gBAAgB,CAAC,iBAAiB,EAAE,CAAC;YACvC,gBAAgB,CAAC,iBAAiB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED;;OAEG;IACM,QAAQ;QACf,OAAO,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,MAAM;QACJ,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,uDAAuD;IAEvD,4CAA4C;IAC5C,MAAM,CAAC,kBAAkB,CAAC,QAAgB,EAAE,KAAa;QACvD,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,oBAAoB,EAC/B,IAAI,QAAQ,mCAAmC,EAC/C,EAAE,QAAQ,EAAE,KAAK,EAAE,CACpB,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,MAAM,CAAC,sBAAsB,CAAC,KAAa;QACzC,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,yBAAyB,EACpC,2CAA2C,EAC3C,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,CAC1B,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,MAAM,CAAC,sBAAsB,CAAC,KAAa;QACzC,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,yBAAyB,EACpC,sCAAsC,EACtC,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,CAC1B,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,MAAM,CAAC,qBAAqB,CAAC,QAAgB,EAAE,KAAa;QAC1D,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,wBAAwB,EACnC,IAAI,QAAQ,8CAA8C,EAC1D,EAAE,QAAQ,EAAE,KAAK,EAAE,CACpB,CAAC;IACJ,CAAC;IAED,iCAAiC;IACjC,MAAM,CAAC,kBAAkB,CAAC,QAAgB,EAAE,KAAa;QACvD,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,oBAAoB,EAC/B,+BAA+B,QAAQ,EAAE,EACzC,EAAE,QAAQ,EAAE,KAAK,EAAE,CACpB,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,MAAM,CAAC,mBAAmB,CAAC,QAAgB;QACzC,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,qBAAqB,EAChC,WAAW,QAAQ,mCAAmC,EACtD,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,CAC9B,CAAC;IACJ,CAAC;IAED,4CAA4C;IAC5C,MAAM,CAAC,qBAAqB;QAC1B,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,uBAAuB,EAClC,4CAA4C,EAC5C,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpC,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,MAAM,CAAC,mBAAmB,CAAC,QAAgB;QACzC,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,qBAAqB,EAChC,gCAAgC,QAAQ,EAAE,EAC1C,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,CAC9B,CAAC;IACJ,CAAC;IAED,0BAA0B;IAC1B,MAAM,CAAC,cAAc;QACnB,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,gBAAgB,EAC3B,qBAAqB,EACrB,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;IACJ,CAAC;CACF"}

package/dist/index.d.ts

@@ -4,4 +4,6 @@ export * from './context.gen.js';
 export * from './schema.gen.js';
 export * from './engine.js';
 export * from './builder.js';
+export * from './parser.js';
+export * from './errors.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAMA,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAMA,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC"}

package/dist/index.js

@@ -10,4 +10,6 @@ export * from './schema.gen.js';
 // Non-generated modules (require Node.js)
 export * from './engine.js';
 export * from './builder.js';
+export * from './parser.js';
+export * from './errors.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AACvC,EAAE;AACF,sEAAsE;AACtE,oEAAoE;AAEpE,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAEhC,0CAA0C;AAC1C,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AACvC,EAAE;AACF,sEAAsE;AACtE,oEAAoE;AAEpE,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAEhC,0CAA0C;AAC1C,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC"}

package/dist/parser.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Cedar Policy Parser
+ *
+ * Converts Cedar policy text to structured PolicyRule format using the
+ * official Cedar engine (cedar-wasm) for parsing.
+ *
+ * Architecture:
+ * 1. Cedar text → Cedar JSON (via cedar-wasm policyToJson)
+ * 2. Cedar JSON → PolicyRule (simple JSON mapping)
+ */
+import type { PolicyRule } from "./builder.js";
+/**
+ * Result of parsing Cedar policies
+ */
+export interface ParseResult {
+    /** Policies successfully converted to PolicyRule format */
+    rules: PolicyRule[];
+    /** Policies that couldn't be fully represented as PolicyRule (raw Cedar text) */
+    unstructured: string[];
+    /** Any parsing errors encountered */
+    errors: string[];
+}
+/**
+ * Parse Cedar policy text and convert to PolicyRule format.
+ *
+ * Uses the official cedar-wasm engine for parsing, ensuring correctness.
+ * Policies with features that can't be represented as PolicyRule (e.g.,
+ * unless clauses, complex expressions) are returned in the unstructured array.
+ *
+ * @param cedarText - Cedar policy text to parse
+ * @returns ParseResult with structured rules, unstructured policies, and errors
+ */
+export declare function parseCedarToRules(cedarText: string): ParseResult;
+//# sourceMappingURL=parser.d.ts.map

package/dist/parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../src/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAkE,MAAM,cAAc,CAAC;AAG/G;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2DAA2D;IAC3D,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,iFAAiF;IACjF,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,qCAAqC;IACrC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAmDD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,CA4EhE"}