@highflame/policy 1.1.3

package/dist/context.gen.d.ts

@@ -0,0 +1,99 @@
+/**
+ * Context attribute keys for Cedar policy evaluation.
+ */
+export declare const ContextKey: {
+    /** Name of tool being called */
+    readonly ToolName: "tool_name";
+    /** Name of resource being accessed */
+    readonly ResourceName: "resource_name";
+    /** Name of prompt */
+    readonly PromptName: "prompt_name";
+    /** Raw prompt text */
+    readonly PromptText: "prompt_text";
+    /** Response size in megabytes */
+    readonly ResponseSizeMb: "response_size_mb";
+    /** Set of detected YARA threat names */
+    readonly YaraThreats: "yara_threats";
+    /** Number of threats detected */
+    readonly ThreatCount: "threat_count";
+    /** Highest severity (0-4) */
+    readonly MaxThreatSeverity: "max_threat_severity";
+    /** User type: external or internal */
+    readonly UserType: "user_type";
+    /** Whether monitoring is active */
+    readonly MonitoringEnabled: "monitoring_enabled";
+    /** File path */
+    readonly Path: "path";
+    /** HTTP hostname */
+    readonly Hostname: "hostname";
+    /** IP address */
+    readonly IpAddress: "ip_address";
+    /** Whether the IP is private/loopback (set by application layer) */
+    readonly IsPrivateIp: "is_private_ip";
+    /** HTTP scheme */
+    readonly Scheme: "scheme";
+    /** Port number */
+    readonly Port: "port";
+    /** Environment: production, development, research */
+    readonly Environment: "environment";
+    /** Format: pickle, safetensors, gguf, onnx */
+    readonly ArtifactFormat: "artifact_format";
+    /** Whether artifact has signature */
+    readonly ArtifactSigned: "artifact_signed";
+    /** Severity: CRITICAL, HIGH, MEDIUM, LOW, INFO */
+    readonly Severity: "severity";
+    /** Type of security finding */
+    readonly FindingType: "finding_type";
+    /** Who signed the artifact */
+    readonly ProvenanceSigner: "provenance_signer";
+    /** RCE path found in pickle */
+    readonly PickleExecPathDetected: "pickle_exec_path_detected";
+    /** Malicious pattern in metadata */
+    readonly MetadataMaliciousPattern: "metadata_malicious_pattern";
+    /** Number of added tokens */
+    readonly TokenizerAddedTokensCount: "tokenizer_added_tokens_count";
+    /** Safetensors integrity failed */
+    readonly SafetensorsIntegrityViolation: "safetensors_integrity_violation";
+    /** Suspicious GGUF metadata */
+    readonly GgufSuspiciousMetadata: "gguf_suspicious_metadata";
+    /** LoRA adapter digest mismatch */
+    readonly AdapterBaseDigestMismatch: "adapter_base_digest_mismatch";
+    /** CoSAI maturity level (0-5) */
+    readonly MetadataCosaiLevelNumeric: "metadata_cosai_level_numeric";
+    /** IDE source: cursor, claudecode, vscode, geminicli */
+    readonly Source: "source";
+    /** Hook event type: beforeShellExecution, PreToolUse, etc. */
+    readonly Event: "event";
+    /** The prompt/request content being evaluated */
+    readonly Content: "content";
+    /** User's email address (or 'anonymous') */
+    readonly UserEmail: "user_email";
+    /** Custom principal ID for policy evaluation */
+    readonly CedarPrincipal: "cedar_principal";
+    /** MCP server name: filesystem, playwright, etc. */
+    readonly ServerName: "server_name";
+    /** Whether the path is within the workspace */
+    readonly IsWithinWorkspace: "is_within_workspace";
+    /** Response content from tool execution */
+    readonly ResponseContent: "response_content";
+    /** Highest severity level: critical, high, medium, low */
+    readonly HighestSeverity: "highest_severity";
+    /** Array of threat types detected */
+    readonly ThreatTypes: "threat_types";
+    /** Array of threat categories found */
+    readonly ThreatCategories: "threat_categories";
+    /** Whether secrets were detected in the content */
+    readonly ContainsSecrets: "contains_secrets";
+    /** Number of concurrent calls */
+    readonly ConcurrentCalls: "concurrent_calls";
+    /** Request rate per minute */
+    readonly RequestsPerMinute: "requests_per_minute";
+    /** User trust level: high, medium, low */
+    readonly UserTrustLevel: "user_trust_level";
+    /** Whether alerting is enabled for this request */
+    readonly AlertEnabled: "alert_enabled";
+    /** Type of security scan being performed */
+    readonly ScanType: "scan_type";
+};
+export type ContextKey = (typeof ContextKey)[keyof typeof ContextKey];
+//# sourceMappingURL=context.gen.d.ts.map

package/dist/context.gen.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.gen.d.ts","sourceRoot":"","sources":["../src/context.gen.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,eAAO,MAAM,UAAU;IAEnB,gCAAgC;;IAEhC,sCAAsC;;IAEtC,qBAAqB;;IAErB,sBAAsB;;IAEtB,iCAAiC;;IAEjC,wCAAwC;;IAExC,iCAAiC;;IAEjC,6BAA6B;;IAE7B,sCAAsC;;IAEtC,mCAAmC;;IAEnC,gBAAgB;;IAEhB,oBAAoB;;IAEpB,iBAAiB;;IAEjB,oEAAoE;;IAEpE,kBAAkB;;IAElB,kBAAkB;;IAIlB,qDAAqD;;IAErD,8CAA8C;;IAE9C,qCAAqC;;IAErC,kDAAkD;;IAElD,+BAA+B;;IAE/B,8BAA8B;;IAE9B,+BAA+B;;IAE/B,oCAAoC;;IAEpC,6BAA6B;;IAE7B,mCAAmC;;IAEnC,+BAA+B;;IAE/B,mCAAmC;;IAEnC,iCAAiC;;IAIjC,wDAAwD;;IAExD,8DAA8D;;IAE9D,iDAAiD;;IAEjD,4CAA4C;;IAE5C,gDAAgD;;IAEhD,oDAAoD;;IAEpD,+CAA+C;;IAE/C,2CAA2C;;IAE3C,0DAA0D;;IAE1D,qCAAqC;;IAErC,uCAAuC;;IAEvC,mDAAmD;;IAEnD,iCAAiC;;IAEjC,8BAA8B;;IAE9B,0CAA0C;;IAE1C,mDAAmD;;IAEnD,4CAA4C;;CAEtC,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC"}

package/dist/context.gen.js

@@ -0,0 +1,103 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schema/context.yaml
+/**
+ * Context attribute keys for Cedar policy evaluation.
+ */
+export const ContextKey = {
+    // Guardrails/Core context attributes
+    /** Name of tool being called */
+    ToolName: 'tool_name',
+    /** Name of resource being accessed */
+    ResourceName: 'resource_name',
+    /** Name of prompt */
+    PromptName: 'prompt_name',
+    /** Raw prompt text */
+    PromptText: 'prompt_text',
+    /** Response size in megabytes */
+    ResponseSizeMb: 'response_size_mb',
+    /** Set of detected YARA threat names */
+    YaraThreats: 'yara_threats',
+    /** Number of threats detected */
+    ThreatCount: 'threat_count',
+    /** Highest severity (0-4) */
+    MaxThreatSeverity: 'max_threat_severity',
+    /** User type: external or internal */
+    UserType: 'user_type',
+    /** Whether monitoring is active */
+    MonitoringEnabled: 'monitoring_enabled',
+    /** File path */
+    Path: 'path',
+    /** HTTP hostname */
+    Hostname: 'hostname',
+    /** IP address */
+    IpAddress: 'ip_address',
+    /** Whether the IP is private/loopback (set by application layer) */
+    IsPrivateIp: 'is_private_ip',
+    /** HTTP scheme */
+    Scheme: 'scheme',
+    /** Port number */
+    Port: 'port',
+    // Palisade context attributes
+    /** Environment: production, development, research */
+    Environment: 'environment',
+    /** Format: pickle, safetensors, gguf, onnx */
+    ArtifactFormat: 'artifact_format',
+    /** Whether artifact has signature */
+    ArtifactSigned: 'artifact_signed',
+    /** Severity: CRITICAL, HIGH, MEDIUM, LOW, INFO */
+    Severity: 'severity',
+    /** Type of security finding */
+    FindingType: 'finding_type',
+    /** Who signed the artifact */
+    ProvenanceSigner: 'provenance_signer',
+    /** RCE path found in pickle */
+    PickleExecPathDetected: 'pickle_exec_path_detected',
+    /** Malicious pattern in metadata */
+    MetadataMaliciousPattern: 'metadata_malicious_pattern',
+    /** Number of added tokens */
+    TokenizerAddedTokensCount: 'tokenizer_added_tokens_count',
+    /** Safetensors integrity failed */
+    SafetensorsIntegrityViolation: 'safetensors_integrity_violation',
+    /** Suspicious GGUF metadata */
+    GgufSuspiciousMetadata: 'gguf_suspicious_metadata',
+    /** LoRA adapter digest mismatch */
+    AdapterBaseDigestMismatch: 'adapter_base_digest_mismatch',
+    /** CoSAI maturity level (0-5) */
+    MetadataCosaiLevelNumeric: 'metadata_cosai_level_numeric',
+    // Overwatch context attributes
+    /** IDE source: cursor, claudecode, vscode, geminicli */
+    Source: 'source',
+    /** Hook event type: beforeShellExecution, PreToolUse, etc. */
+    Event: 'event',
+    /** The prompt/request content being evaluated */
+    Content: 'content',
+    /** User's email address (or 'anonymous') */
+    UserEmail: 'user_email',
+    /** Custom principal ID for policy evaluation */
+    CedarPrincipal: 'cedar_principal',
+    /** MCP server name: filesystem, playwright, etc. */
+    ServerName: 'server_name',
+    /** Whether the path is within the workspace */
+    IsWithinWorkspace: 'is_within_workspace',
+    /** Response content from tool execution */
+    ResponseContent: 'response_content',
+    /** Highest severity level: critical, high, medium, low */
+    HighestSeverity: 'highest_severity',
+    /** Array of threat types detected */
+    ThreatTypes: 'threat_types',
+    /** Array of threat categories found */
+    ThreatCategories: 'threat_categories',
+    /** Whether secrets were detected in the content */
+    ContainsSecrets: 'contains_secrets',
+    /** Number of concurrent calls */
+    ConcurrentCalls: 'concurrent_calls',
+    /** Request rate per minute */
+    RequestsPerMinute: 'requests_per_minute',
+    /** User trust level: high, medium, low */
+    UserTrustLevel: 'user_trust_level',
+    /** Whether alerting is enabled for this request */
+    AlertEnabled: 'alert_enabled',
+    /** Type of security scan being performed */
+    ScanType: 'scan_type',
+};
+//# sourceMappingURL=context.gen.js.map

package/dist/context.gen.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.gen.js","sourceRoot":"","sources":["../src/context.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,8BAA8B;AAE9B;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACtB,qCAAqC;IACrC,gCAAgC;IAChC,QAAQ,EAAE,WAAW;IACrB,sCAAsC;IACtC,YAAY,EAAE,eAAe;IAC7B,qBAAqB;IACrB,UAAU,EAAE,aAAa;IACzB,sBAAsB;IACtB,UAAU,EAAE,aAAa;IACzB,iCAAiC;IACjC,cAAc,EAAE,kBAAkB;IAClC,wCAAwC;IACxC,WAAW,EAAE,cAAc;IAC3B,iCAAiC;IACjC,WAAW,EAAE,cAAc;IAC3B,6BAA6B;IAC7B,iBAAiB,EAAE,qBAAqB;IACxC,sCAAsC;IACtC,QAAQ,EAAE,WAAW;IACrB,mCAAmC;IACnC,iBAAiB,EAAE,oBAAoB;IACvC,gBAAgB;IAChB,IAAI,EAAE,MAAM;IACZ,oBAAoB;IACpB,QAAQ,EAAE,UAAU;IACpB,iBAAiB;IACjB,SAAS,EAAE,YAAY;IACvB,oEAAoE;IACpE,WAAW,EAAE,eAAe;IAC5B,kBAAkB;IAClB,MAAM,EAAE,QAAQ;IAChB,kBAAkB;IAClB,IAAI,EAAE,MAAM;IAEZ,8BAA8B;IAC9B,qDAAqD;IACrD,WAAW,EAAE,aAAa;IAC1B,8CAA8C;IAC9C,cAAc,EAAE,iBAAiB;IACjC,qCAAqC;IACrC,cAAc,EAAE,iBAAiB;IACjC,kDAAkD;IAClD,QAAQ,EAAE,UAAU;IACpB,+BAA+B;IAC/B,WAAW,EAAE,cAAc;IAC3B,8BAA8B;IAC9B,gBAAgB,EAAE,mBAAmB;IACrC,+BAA+B;IAC/B,sBAAsB,EAAE,2BAA2B;IACnD,oCAAoC;IACpC,wBAAwB,EAAE,4BAA4B;IACtD,6BAA6B;IAC7B,yBAAyB,EAAE,8BAA8B;IACzD,mCAAmC;IACnC,6BAA6B,EAAE,iCAAiC;IAChE,+BAA+B;IAC/B,sBAAsB,EAAE,0BAA0B;IAClD,mCAAmC;IACnC,yBAAyB,EAAE,8BAA8B;IACzD,iCAAiC;IACjC,yBAAyB,EAAE,8BAA8B;IAEzD,+BAA+B;IAC/B,wDAAwD;IACxD,MAAM,EAAE,QAAQ;IAChB,8DAA8D;IAC9D,KAAK,EAAE,OAAO;IACd,iDAAiD;IACjD,OAAO,EAAE,SAAS;IAClB,4CAA4C;IAC5C,SAAS,EAAE,YAAY;IACvB,gDAAgD;IAChD,cAAc,EAAE,iBAAiB;IACjC,oDAAoD;IACpD,UAAU,EAAE,aAAa;IACzB,+CAA+C;IAC/C,iBAAiB,EAAE,qBAAqB;IACxC,2CAA2C;IAC3C,eAAe,EAAE,kBAAkB;IACnC,0DAA0D;IAC1D,eAAe,EAAE,kBAAkB;IACnC,qCAAqC;IACrC,WAAW,EAAE,cAAc;IAC3B,uCAAuC;IACvC,gBAAgB,EAAE,mBAAmB;IACrC,mDAAmD;IACnD,eAAe,EAAE,kBAAkB;IACnC,iCAAiC;IACjC,eAAe,EAAE,kBAAkB;IACnC,8BAA8B;IAC9B,iBAAiB,EAAE,qBAAqB;IACxC,0CAA0C;IAC1C,cAAc,EAAE,kBAAkB;IAClC,mDAAmD;IACnD,YAAY,EAAE,eAAe;IAC7B,4CAA4C;IAC5C,QAAQ,EAAE,WAAW;CACf,CAAC"}

package/dist/engine.d.ts

@@ -0,0 +1,92 @@
+/**
+ * Highflame Policy Engine - TypeScript Wrapper
+ * Wraps @cedar-policy/cedar-wasm with Highflame-specific types
+ */
+import { EntityType, EntityUID } from "./entities.gen.js";
+import { ActionType } from "./actions.gen.js";
+export interface Decision {
+    effect: "Allow" | "Deny";
+    determining_policies: string[];
+    reason?: string;
+}
+export interface EvaluateRequest {
+    principal: EntityUID;
+    action: ActionType;
+    resource: EntityUID;
+    context?: Record<string, unknown>;
+}
+/**
+ * PolicyEngine wraps cedar-wasm with Highflame schema types.
+ */
+export declare class PolicyEngine {
+    private policies;
+    private schema;
+    /**
+     * Load policies from a Cedar policy string.
+     */
+    loadPolicies(policies: string): void;
+    /**
+     * Load schema from a Cedar schema string.
+     * If not called, uses the embedded Highflame schema.
+     */
+    loadSchema(schema: string): void;
+    /**
+     * Load the embedded Highflame schema.
+     */
+    loadHighflameSchema(): void;
+    /**
+     * Evaluate a policy request and return a decision.
+     */
+    evaluate(req: EvaluateRequest): Decision;
+    /**
+     * Convenience method for simple evaluations.
+     */
+    evaluateSimple(principalType: EntityType, principalId: string, action: ActionType, resourceType: EntityType, resourceId: string, context?: Record<string, unknown>): Decision;
+    /**
+     * Validate policies against the schema.
+     * Returns validation errors or empty array if valid.
+     */
+    validatePolicies(policies: string): string[];
+}
+/**
+ * PolicyValidator provides static validation against the Highflame schema.
+ * Use this for quick validation without creating an engine instance.
+ */
+export declare class PolicyValidator {
+    private schema;
+    /**
+     * Create a validator with the embedded Highflame schema.
+     */
+    constructor(schema?: string);
+    /**
+     * Validate Cedar policy text against the schema.
+     */
+    validate(policies: string): {
+        valid: boolean;
+        errors: string[];
+    };
+    /**
+     * Check if a policy parses correctly (syntax check only).
+     */
+    checkSyntax(policies: string): {
+        valid: boolean;
+        errors: string[];
+    };
+}
+/**
+ * Validate a Cedar policy against the Highflame schema.
+ * Convenience function that doesn't require creating a validator instance.
+ */
+export declare function validatePolicy(policy: string): {
+    valid: boolean;
+    errors: string[];
+};
+/**
+ * Get the embedded Highflame Cedar schema.
+ */
+export declare function getHighflameSchema(): string;
+export { EntityType, EntityUID, Entity, newEntityUID, newEntity } from "./entities.gen.js";
+export { ActionType, actionUID } from "./actions.gen.js";
+export * from "./context.gen.js";
+export { CEDAR_SCHEMA } from "./schema.gen.js";
+//# sourceMappingURL=engine.d.ts.map

package/dist/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAU,MAAM,mBAAmB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAG9C,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;IACzB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,SAAS,CAAC;IACrB,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAyBD;;GAEG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAc;IAC9B,OAAO,CAAC,MAAM,CAAqB;IAEnC;;OAEG;IACH,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAIpC;;;OAGG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAIhC;;OAEG;IACH,mBAAmB,IAAI,IAAI;IAI3B;;OAEG;IACH,QAAQ,CAAC,GAAG,EAAE,eAAe,GAAG,QAAQ;IAyDxC;;OAEG;IACH,cAAc,CACZ,aAAa,EAAE,UAAU,EACzB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,UAAU,EAClB,YAAY,EAAE,UAAU,EACxB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,QAAQ;IASX;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE;CAe7C;AAED;;;GAGG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAS;IAEvB;;OAEG;gBACS,MAAM,CAAC,EAAE,MAAM;IAI3B;;OAEG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE;IAwBhE;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE;CAUpE;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAGnF;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAGD,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC3F,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACzD,cAAc,kBAAkB,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/engine.js

@@ -0,0 +1,203 @@
+/**
+ * Highflame Policy Engine - TypeScript Wrapper
+ * Wraps @cedar-policy/cedar-wasm with Highflame-specific types
+ */
+import * as cedar from "@cedar-policy/cedar-wasm/nodejs";
+import { CEDAR_SCHEMA } from "./schema.gen.js";
+/**
+ * Convert a value to Cedar JSON format
+ */
+function toCedarValue(value) {
+    if (value === null || value === undefined) {
+        return null;
+    }
+    if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map(toCedarValue);
+    }
+    if (typeof value === "object") {
+        const result = {};
+        for (const [k, v] of Object.entries(value)) {
+            result[k] = toCedarValue(v);
+        }
+        return result;
+    }
+    return String(value);
+}
+/**
+ * PolicyEngine wraps cedar-wasm with Highflame schema types.
+ */
+export class PolicyEngine {
+    policies = "";
+    schema;
+    /**
+     * Load policies from a Cedar policy string.
+     */
+    loadPolicies(policies) {
+        this.policies = policies;
+    }
+    /**
+     * Load schema from a Cedar schema string.
+     * If not called, uses the embedded Highflame schema.
+     */
+    loadSchema(schema) {
+        this.schema = schema;
+    }
+    /**
+     * Load the embedded Highflame schema.
+     */
+    loadHighflameSchema() {
+        this.schema = CEDAR_SCHEMA;
+    }
+    /**
+     * Evaluate a policy request and return a decision.
+     */
+    evaluate(req) {
+        // Build EntityUIDs in Cedar JSON format
+        const principal = {
+            type: req.principal.type,
+            id: req.principal.id,
+        };
+        const action = {
+            type: "Action",
+            id: req.action,
+        };
+        const resource = {
+            type: req.resource.type,
+            id: req.resource.id,
+        };
+        // Convert context to Cedar format
+        const context = {};
+        if (req.context) {
+            for (const [k, v] of Object.entries(req.context)) {
+                context[k] = toCedarValue(v);
+            }
+        }
+        // Build the authorization call
+        const call = {
+            principal,
+            action,
+            resource,
+            context,
+            policies: { staticPolicies: this.policies },
+            entities: [],
+        };
+        // Add schema if available
+        if (this.schema) {
+            call.schema = this.schema;
+        }
+        const result = cedar.isAuthorized(call);
+        if (result.type === "failure") {
+            return {
+                effect: "Deny",
+                determining_policies: [],
+                reason: result.errors.map(e => e.message).join("; "),
+            };
+        }
+        return {
+            effect: result.response.decision === "allow" ? "Allow" : "Deny",
+            determining_policies: result.response.diagnostics.reason,
+            reason: result.response.diagnostics.errors.length > 0
+                ? result.response.diagnostics.errors.map(e => e.error.message).join("; ")
+                : undefined,
+        };
+    }
+    /**
+     * Convenience method for simple evaluations.
+     */
+    evaluateSimple(principalType, principalId, action, resourceType, resourceId, context) {
+        return this.evaluate({
+            principal: { type: principalType, id: principalId },
+            action,
+            resource: { type: resourceType, id: resourceId },
+            context,
+        });
+    }
+    /**
+     * Validate policies against the schema.
+     * Returns validation errors or empty array if valid.
+     */
+    validatePolicies(policies) {
+        const schemaToUse = this.schema ?? CEDAR_SCHEMA;
+        const result = cedar.validate({
+            validationSettings: { mode: "strict" },
+            schema: schemaToUse,
+            policies: { staticPolicies: policies },
+        });
+        if (result.type === "failure") {
+            return result.errors.map(e => e.message);
+        }
+        return result.validationErrors.map(e => e.error.message);
+    }
+}
+/**
+ * PolicyValidator provides static validation against the Highflame schema.
+ * Use this for quick validation without creating an engine instance.
+ */
+export class PolicyValidator {
+    schema;
+    /**
+     * Create a validator with the embedded Highflame schema.
+     */
+    constructor(schema) {
+        this.schema = schema ?? CEDAR_SCHEMA;
+    }
+    /**
+     * Validate Cedar policy text against the schema.
+     */
+    validate(policies) {
+        const result = cedar.validate({
+            validationSettings: { mode: "strict" },
+            schema: this.schema,
+            policies: { staticPolicies: policies },
+        });
+        if (result.type === "failure") {
+            return {
+                valid: false,
+                errors: result.errors.map(e => e.message),
+            };
+        }
+        if (result.validationErrors.length > 0) {
+            return {
+                valid: false,
+                errors: result.validationErrors.map(e => e.error.message),
+            };
+        }
+        return { valid: true, errors: [] };
+    }
+    /**
+     * Check if a policy parses correctly (syntax check only).
+     */
+    checkSyntax(policies) {
+        const result = cedar.checkParsePolicySet({ staticPolicies: policies });
+        if (result.type === "failure") {
+            return {
+                valid: false,
+                errors: result.errors.map(e => e.message),
+            };
+        }
+        return { valid: true, errors: [] };
+    }
+}
+/**
+ * Validate a Cedar policy against the Highflame schema.
+ * Convenience function that doesn't require creating a validator instance.
+ */
+export function validatePolicy(policy) {
+    const validator = new PolicyValidator();
+    return validator.validate(policy);
+}
+/**
+ * Get the embedded Highflame Cedar schema.
+ */
+export function getHighflameSchema() {
+    return CEDAR_SCHEMA;
+}
+// Re-export types
+export { EntityType, newEntityUID, newEntity } from "./entities.gen.js";
+export { ActionType, actionUID } from "./actions.gen.js";
+export * from "./context.gen.js";
+export { CEDAR_SCHEMA } from "./schema.gen.js";
+//# sourceMappingURL=engine.js.map

package/dist/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,KAAK,MAAM,iCAAiC,CAAC;AAGzD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAe/C;;GAEG;AACH,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;QACzF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACjC,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAyC,EAAE,CAAC;QACxD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;QAC9B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,YAAY;IACf,QAAQ,GAAW,EAAE,CAAC;IACtB,MAAM,CAAqB;IAEnC;;OAEG;IACH,YAAY,CAAC,QAAgB;QAC3B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;;OAGG;IACH,UAAU,CAAC,MAAc;QACvB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,mBAAmB;QACjB,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,GAAoB;QAC3B,wCAAwC;QACxC,MAAM,SAAS,GAAwB;YACrC,IAAI,EAAE,GAAG,CAAC,SAAS,CAAC,IAAI;YACxB,EAAE,EAAE,GAAG,CAAC,SAAS,CAAC,EAAE;SACrB,CAAC;QACF,MAAM,MAAM,GAAwB;YAClC,IAAI,EAAE,QAAQ;YACd,EAAE,EAAE,GAAG,CAAC,MAAM;SACf,CAAC;QACF,MAAM,QAAQ,GAAwB;YACpC,IAAI,EAAE,GAAG,CAAC,QAAQ,CAAC,IAAI;YACvB,EAAE,EAAE,GAAG,CAAC,QAAQ,CAAC,EAAE;SACpB,CAAC;QAEF,kCAAkC;QAClC,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;YAChB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjD,OAAO,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,MAAM,IAAI,GAA4B;YACpC,SAAS;YACT,MAAM;YACN,QAAQ;YACR,OAAO;YACP,QAAQ,EAAE,EAAE,cAAc,EAAE,IAAI,CAAC,QAAQ,EAAE;YAC3C,QAAQ,EAAE,EAAE;SACb,CAAC;QAEF,0BAA0B;QAC1B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC5B,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QAExC,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO;gBACL,MAAM,EAAE,MAAM;gBACd,oBAAoB,EAAE,EAAE;gBACxB,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;aACrD,CAAC;QACJ,CAAC;QAED,OAAO;YACL,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;YAC/D,oBAAoB,EAAE,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM;YACxD,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;gBACnD,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;gBACzE,CAAC,CAAC,SAAS;SACd,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc,CACZ,aAAyB,EACzB,WAAmB,EACnB,MAAkB,EAClB,YAAwB,EACxB,UAAkB,EAClB,OAAiC;QAEjC,OAAO,IAAI,CAAC,QAAQ,CAAC;YACnB,SAAS,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,WAAW,EAAE;YACnD,MAAM;YACN,QAAQ,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,UAAU,EAAE;YAChD,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,gBAAgB,CAAC,QAAgB;QAC/B,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,IAAI,YAAY,CAAC;QAEhD,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,CAAC;YAC5B,kBAAkB,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;YACtC,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,EAAE,cAAc,EAAE,QAAQ,EAAE;SACvC,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;QAED,OAAO,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC3D,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,eAAe;IAClB,MAAM,CAAS;IAEvB;;OAEG;IACH,YAAY,MAAe;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,YAAY,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,QAAgB;QACvB,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,CAAC;YAC5B,kBAAkB,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;YACtC,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,EAAE,cAAc,EAAE,QAAQ,EAAE;SACvC,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;aAC1C,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC;aAC1D,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,QAAgB;QAC1B,MAAM,MAAM,GAAG,KAAK,CAAC,mBAAmB,CAAC,EAAE,cAAc,EAAE,QAAQ,EAAE,CAAC,CAAC;QACvE,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;aAC1C,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACrC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,MAAM,SAAS,GAAG,IAAI,eAAe,EAAE,CAAC;IACxC,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,kBAAkB;AAClB,OAAO,EAAE,UAAU,EAAqB,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC3F,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACzD,cAAc,kBAAkB,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/entities.gen.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Entity types defined in the Highflame Cedar schema.
+ */
+export declare const EntityType: {
+    readonly Agent: "Agent";
+    readonly Artifact: "Artifact";
+    readonly FilePath: "FilePath";
+    readonly HttpEndpoint: "HttpEndpoint";
+    readonly Package: "Package";
+    readonly Repository: "Repository";
+    readonly Resource: "Resource";
+    readonly ResponseData: "ResponseData";
+    readonly Scanner: "Scanner";
+    readonly Server: "Server";
+    readonly Service: "Service";
+    readonly Tool: "Tool";
+    readonly User: "User";
+};
+export type EntityType = (typeof EntityType)[keyof typeof EntityType];
+/**
+ * Cedar entity unique identifier.
+ */
+export interface EntityUID {
+    type: EntityType | string;
+    id: string;
+}
+/**
+ * Cedar entity with attributes.
+ */
+export interface Entity {
+    uid: EntityUID;
+    attrs?: Record<string, unknown>;
+    parents?: EntityUID[];
+}
+/**
+ * Create a new EntityUID.
+ * Services should use this with their own identity from config/environment.
+ * @example newEntityUID(EntityType.Scanner, process.env.SERVICE_ID)
+ */
+export declare function newEntityUID(type: EntityType | string, id: string): EntityUID;
+/**
+ * Create a new Entity.
+ */
+export declare function newEntity(type: EntityType | string, id: string, attrs?: Record<string, unknown>): Entity;
+//# sourceMappingURL=entities.gen.d.ts.map

package/dist/entities.gen.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entities.gen.d.ts","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;CAcb,CAAC;AAEX,MAAM,MAAM,UAAU,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAEtE;;GAEG;AACH,MAAM,WAAW,SAAS;IACtB,IAAI,EAAE,UAAU,GAAG,MAAM,CAAC;IAC1B,EAAE,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACnB,GAAG,EAAE,SAAS,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,OAAO,CAAC,EAAE,SAAS,EAAE,CAAC;CACzB;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,SAAS,CAE7E;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAMxG"}

package/dist/entities.gen.js

@@ -0,0 +1,39 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schema/highflame.cedarschema
+/**
+ * Entity types defined in the Highflame Cedar schema.
+ */
+export const EntityType = {
+    Agent: 'Agent',
+    Artifact: 'Artifact',
+    FilePath: 'FilePath',
+    HttpEndpoint: 'HttpEndpoint',
+    Package: 'Package',
+    Repository: 'Repository',
+    Resource: 'Resource',
+    ResponseData: 'ResponseData',
+    Scanner: 'Scanner',
+    Server: 'Server',
+    Service: 'Service',
+    Tool: 'Tool',
+    User: 'User',
+};
+/**
+ * Create a new EntityUID.
+ * Services should use this with their own identity from config/environment.
+ * @example newEntityUID(EntityType.Scanner, process.env.SERVICE_ID)
+ */
+export function newEntityUID(type, id) {
+    return { type, id };
+}
+/**
+ * Create a new Entity.
+ */
+export function newEntity(type, id, attrs) {
+    return {
+        uid: { type, id },
+        attrs: attrs ?? {},
+        parents: [],
+    };
+}
+//# sourceMappingURL=entities.gen.js.map

package/dist/entities.gen.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entities.gen.js","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACtB,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,OAAO,EAAE,SAAS;IAClB,UAAU,EAAE,YAAY;IACxB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,OAAO,EAAE,SAAS;IAClB,MAAM,EAAE,QAAQ;IAChB,OAAO,EAAE,SAAS;IAClB,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;CACN,CAAC;AAqBX;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,IAAyB,EAAE,EAAU;IAC9D,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,IAAyB,EAAE,EAAU,EAAE,KAA+B;IAC5F,OAAO;QACH,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,KAAK,EAAE,KAAK,IAAI,EAAE;QAClB,OAAO,EAAE,EAAE;KACd,CAAC;AACN,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export * from './entities.gen.js';
+export * from './actions.gen.js';
+export * from './context.gen.js';
+export * from './schema.gen.js';
+export * from './engine.js';
+export * from './builder.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAMA,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,13 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schema/highflame.cedarschema
+//
+// NOTE: This module requires Node.js (uses @cedar-policy/cedar-wasm).
+// For browser usage, import from '@highflame/policy/types' instead.
+export * from './entities.gen.js';
+export * from './actions.gen.js';
+export * from './context.gen.js';
+export * from './schema.gen.js';
+// Non-generated modules (require Node.js)
+export * from './engine.js';
+export * from './builder.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AACvC,EAAE;AACF,sEAAsE;AACtE,oEAAoE;AAEpE,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAEhC,0CAA0C;AAC1C,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC"}