@highflame/policy 1.2.0 → 2.0.0

package/dist/entities.gen.js

@@ -10,6 +10,7 @@ export const EntityType = {
     FilePath: 'FilePath',
     GitBranch: 'GitBranch',
     HttpEndpoint: 'HttpEndpoint',
+    LlmPrompt: 'LlmPrompt',
     Memory: 'Memory',
     Model: 'Model',
     Package: 'Package',

package/dist/entities.gen.js.map

@@ -1 +1 @@
-{"version":3,"file":"entities.gen.js","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACtB,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,UAAU;IACpB,WAAW,EAAE,aAAa;IAC1B,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,WAAW;IACtB,YAAY,EAAE,cAAc;IAC5B,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,OAAO;IACd,OAAO,EAAE,SAAS;IAClB,UAAU,EAAE,YAAY;IACxB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,OAAO,EAAE,SAAS;IAClB,MAAM,EAAE,QAAQ;IAChB,OAAO,EAAE,SAAS;IAClB,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;CACN,CAAC;AAqBX;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,IAAyB,EAAE,EAAU;IAC9D,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,IAAyB,EAAE,EAAU,EAAE,KAA+B;IAC5F,OAAO;QACH,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,KAAK,EAAE,KAAK,IAAI,EAAE;QAClB,OAAO,EAAE,EAAE;KACd,CAAC;AACN,CAAC"}
+{"version":3,"file":"entities.gen.js","sourceRoot":"","sources":["../src/entities.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AAEvC;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACtB,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,UAAU;IACpB,WAAW,EAAE,aAAa;IAC1B,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,WAAW;IACtB,YAAY,EAAE,cAAc;IAC5B,SAAS,EAAE,WAAW;IACtB,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,OAAO;IACd,OAAO,EAAE,SAAS;IAClB,UAAU,EAAE,YAAY;IACxB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,cAAc;IAC5B,OAAO,EAAE,SAAS;IAClB,MAAM,EAAE,QAAQ;IAChB,OAAO,EAAE,SAAS;IAClB,IAAI,EAAE,MAAM;IACZ,IAAI,EAAE,MAAM;CACN,CAAC;AAqBX;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,IAAyB,EAAE,EAAU;IAC9D,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,IAAyB,EAAE,EAAU,EAAE,KAA+B;IAC5F,OAAO;QACH,GAAG,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,KAAK,EAAE,KAAK,IAAI,EAAE;QAClB,OAAO,EAAE,EAAE;KACd,CAAC;AACN,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,102 @@
+/**
+ * Parser error types and codes for highflame-policy.
+ *
+ * This module provides standardized error codes that are consistent
+ * across all language implementations (Rust, Go, TypeScript, Python).
+ */
+/**
+ * Error codes for parser errors.
+ *
+ * These codes are stable and consistent across all language implementations.
+ * Format: HFP-<CATEGORY>-<NUMBER>
+ * - HFP = HighFlame Policy
+ * - CATEGORY = SCOPE | ACTION | COND | PARSE
+ * - NUMBER = 3-digit incremental
+ */
+export declare const ErrorCodes: {
+    /** Scope constraint is missing an entity (for == operator) */
+    readonly SCOPE_MISSING_ENTITY: "HFP-SCOPE-001";
+    /** Scope constraint is missing an entity type (for is operator) */
+    readonly SCOPE_MISSING_ENTITY_TYPE: "HFP-SCOPE-002";
+    /** Scope constraint is missing entity list (for in operator) */
+    readonly SCOPE_MISSING_ENTITY_LIST: "HFP-SCOPE-003";
+    /** Slot constraints are not supported in PolicyRule */
+    readonly SCOPE_SLOT_NOT_SUPPORTED: "HFP-SCOPE-004";
+    /** Unsupported scope operator */
+    readonly SCOPE_UNSUPPORTED_OP: "HFP-SCOPE-005";
+    /** Action constraint is missing an entity (for == operator) */
+    readonly ACTION_MISSING_ENTITY: "HFP-ACTION-001";
+    /** Action constraint is missing entities (for in operator) */
+    readonly ACTION_MISSING_ENTITIES: "HFP-ACTION-002";
+    /** Unsupported action operator */
+    readonly ACTION_UNSUPPORTED_OP: "HFP-ACTION-003";
+    /** Action scope is null/nil */
+    readonly ACTION_SCOPE_NIL: "HFP-ACTION-004";
+    /** Unless clauses are not supported in PolicyRule */
+    readonly COND_UNLESS_NOT_SUPPORTED: "HFP-COND-001";
+    /** Complex condition cannot be parsed */
+    readonly COND_COMPLEX_EXPRESSION: "HFP-COND-002";
+    /** Invalid Cedar syntax */
+    readonly PARSE_INVALID_SYNTAX: "HFP-PARSE-001";
+    /** Failed to convert policy to JSON */
+    readonly PARSE_JSON_CONVERSION: "HFP-PARSE-002";
+    /** Failed to parse Cedar JSON structure */
+    readonly PARSE_JSON_STRUCTURE: "HFP-PARSE-003";
+    /** Unknown policy effect (not permit or forbid) */
+    readonly PARSE_UNKNOWN_EFFECT: "HFP-PARSE-004";
+    /** Duplicate policy ID found */
+    readonly PARSE_DUPLICATE_ID: "HFP-PARSE-005";
+};
+export type ErrorCode = (typeof ErrorCodes)[keyof typeof ErrorCodes];
+/**
+ * Context information for parser errors.
+ */
+export interface ErrorContext {
+    /** The operator that caused the error (e.g., "==", "in", "is") */
+    operator?: string;
+    /** The field that caused the error (e.g., "principal", "action", "resource") */
+    field?: string;
+    /** The policy ID if available */
+    policyId?: string;
+}
+/**
+ * A structured parser error with code, message, and optional context.
+ */
+export declare class ParserError extends Error {
+    /** Machine-readable error code (e.g., "HFP-SCOPE-001") */
+    readonly code: ErrorCode;
+    /** Optional context for debugging */
+    readonly context?: ErrorContext;
+    constructor(code: ErrorCode, message: string, context?: ErrorContext);
+    /**
+     * Returns a string representation including the error code.
+     */
+    toString(): string;
+    /**
+     * Serializes the error to a plain object for JSON serialization.
+     */
+    toJSON(): {
+        code: string;
+        message: string;
+        context?: ErrorContext;
+    };
+    /** Scope constraint is missing an entity */
+    static scopeMissingEntity(operator: string, field: string): ParserError;
+    /** Scope constraint is missing an entity type */
+    static scopeMissingEntityType(field: string): ParserError;
+    /** Scope constraint is missing entity list */
+    static scopeMissingEntityList(field: string): ParserError;
+    /** Slot constraints are not supported */
+    static scopeSlotNotSupported(operator: string, field: string): ParserError;
+    /** Unsupported scope operator */
+    static scopeUnsupportedOp(operator: string, field: string): ParserError;
+    /** Action constraint is missing an entity */
+    static actionMissingEntity(operator: string): ParserError;
+    /** Action constraint is missing entities */
+    static actionMissingEntities(): ParserError;
+    /** Unsupported action operator */
+    static actionUnsupportedOp(operator: string): ParserError;
+    /** Action scope is nil */
+    static actionScopeNil(): ParserError;
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,UAAU;IAErB,8DAA8D;;IAE9D,mEAAmE;;IAEnE,gEAAgE;;IAEhE,uDAAuD;;IAEvD,iCAAiC;;IAIjC,+DAA+D;;IAE/D,8DAA8D;;IAE9D,kCAAkC;;IAElC,+BAA+B;;IAI/B,qDAAqD;;IAErD,yCAAyC;;IAIzC,2BAA2B;;IAE3B,uCAAuC;;IAEvC,2CAA2C;;IAE3C,mDAAmD;;IAEnD,gCAAgC;;CAExB,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,UAAU,CAAC,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AAErE;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gFAAgF;IAChF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iCAAiC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,qBAAa,WAAY,SAAQ,KAAK;IACpC,0DAA0D;IAC1D,SAAgB,IAAI,EAAE,SAAS,CAAC;IAChC,qCAAqC;IACrC,SAAgB,OAAO,CAAC,EAAE,YAAY,CAAC;gBAE3B,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,YAAY;IAapE;;OAEG;IACM,QAAQ,IAAI,MAAM;IAI3B;;OAEG;IACH,MAAM,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,YAAY,CAAA;KAAE;IAUnE,4CAA4C;IAC5C,MAAM,CAAC,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,WAAW;IAQvE,iDAAiD;IACjD,MAAM,CAAC,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW;IAQzD,8CAA8C;IAC9C,MAAM,CAAC,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,WAAW;IAQzD,yCAAyC;IACzC,MAAM,CAAC,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,WAAW;IAQ1E,iCAAiC;IACjC,MAAM,CAAC,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,WAAW;IAQvE,6CAA6C;IAC7C,MAAM,CAAC,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW;IAQzD,4CAA4C;IAC5C,MAAM,CAAC,qBAAqB,IAAI,WAAW;IAQ3C,kCAAkC;IAClC,MAAM,CAAC,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW;IAQzD,0BAA0B;IAC1B,MAAM,CAAC,cAAc,IAAI,WAAW;CAOrC"}

package/dist/errors.js

@@ -0,0 +1,127 @@
+/**
+ * Parser error types and codes for highflame-policy.
+ *
+ * This module provides standardized error codes that are consistent
+ * across all language implementations (Rust, Go, TypeScript, Python).
+ */
+/**
+ * Error codes for parser errors.
+ *
+ * These codes are stable and consistent across all language implementations.
+ * Format: HFP-<CATEGORY>-<NUMBER>
+ * - HFP = HighFlame Policy
+ * - CATEGORY = SCOPE | ACTION | COND | PARSE
+ * - NUMBER = 3-digit incremental
+ */
+export const ErrorCodes = {
+    // Scope constraint errors (HFP-SCOPE-xxx)
+    /** Scope constraint is missing an entity (for == operator) */
+    SCOPE_MISSING_ENTITY: "HFP-SCOPE-001",
+    /** Scope constraint is missing an entity type (for is operator) */
+    SCOPE_MISSING_ENTITY_TYPE: "HFP-SCOPE-002",
+    /** Scope constraint is missing entity list (for in operator) */
+    SCOPE_MISSING_ENTITY_LIST: "HFP-SCOPE-003",
+    /** Slot constraints are not supported in PolicyRule */
+    SCOPE_SLOT_NOT_SUPPORTED: "HFP-SCOPE-004",
+    /** Unsupported scope operator */
+    SCOPE_UNSUPPORTED_OP: "HFP-SCOPE-005",
+    // Action constraint errors (HFP-ACTION-xxx)
+    /** Action constraint is missing an entity (for == operator) */
+    ACTION_MISSING_ENTITY: "HFP-ACTION-001",
+    /** Action constraint is missing entities (for in operator) */
+    ACTION_MISSING_ENTITIES: "HFP-ACTION-002",
+    /** Unsupported action operator */
+    ACTION_UNSUPPORTED_OP: "HFP-ACTION-003",
+    /** Action scope is null/nil */
+    ACTION_SCOPE_NIL: "HFP-ACTION-004",
+    // Condition errors (HFP-COND-xxx)
+    /** Unless clauses are not supported in PolicyRule */
+    COND_UNLESS_NOT_SUPPORTED: "HFP-COND-001",
+    /** Complex condition cannot be parsed */
+    COND_COMPLEX_EXPRESSION: "HFP-COND-002",
+    // Parse errors (HFP-PARSE-xxx)
+    /** Invalid Cedar syntax */
+    PARSE_INVALID_SYNTAX: "HFP-PARSE-001",
+    /** Failed to convert policy to JSON */
+    PARSE_JSON_CONVERSION: "HFP-PARSE-002",
+    /** Failed to parse Cedar JSON structure */
+    PARSE_JSON_STRUCTURE: "HFP-PARSE-003",
+    /** Unknown policy effect (not permit or forbid) */
+    PARSE_UNKNOWN_EFFECT: "HFP-PARSE-004",
+    /** Duplicate policy ID found */
+    PARSE_DUPLICATE_ID: "HFP-PARSE-005",
+};
+/**
+ * A structured parser error with code, message, and optional context.
+ */
+export class ParserError extends Error {
+    /** Machine-readable error code (e.g., "HFP-SCOPE-001") */
+    code;
+    /** Optional context for debugging */
+    context;
+    constructor(code, message, context) {
+        super(message);
+        this.name = "ParserError";
+        this.code = code;
+        this.context = context;
+        // Maintains proper stack trace for where our error was thrown (only available on V8)
+        const ErrorWithCapture = Error;
+        if (ErrorWithCapture.captureStackTrace) {
+            ErrorWithCapture.captureStackTrace(this, ParserError);
+        }
+    }
+    /**
+     * Returns a string representation including the error code.
+     */
+    toString() {
+        return `[${this.code}] ${this.message}`;
+    }
+    /**
+     * Serializes the error to a plain object for JSON serialization.
+     */
+    toJSON() {
+        return {
+            code: this.code,
+            message: this.message,
+            ...(this.context && { context: this.context }),
+        };
+    }
+    // Convenience static factory methods for common errors
+    /** Scope constraint is missing an entity */
+    static scopeMissingEntity(operator, field) {
+        return new ParserError(ErrorCodes.SCOPE_MISSING_ENTITY, `'${operator}' constraint is missing an entity`, { operator, field });
+    }
+    /** Scope constraint is missing an entity type */
+    static scopeMissingEntityType(field) {
+        return new ParserError(ErrorCodes.SCOPE_MISSING_ENTITY_TYPE, "'is' constraint is missing an entity_type", { operator: "is", field });
+    }
+    /** Scope constraint is missing entity list */
+    static scopeMissingEntityList(field) {
+        return new ParserError(ErrorCodes.SCOPE_MISSING_ENTITY_LIST, "'in' constraint is missing an entity", { operator: "in", field });
+    }
+    /** Slot constraints are not supported */
+    static scopeSlotNotSupported(operator, field) {
+        return new ParserError(ErrorCodes.SCOPE_SLOT_NOT_SUPPORTED, `'${operator}' constraint with slot cannot be represented`, { operator, field });
+    }
+    /** Unsupported scope operator */
+    static scopeUnsupportedOp(operator, field) {
+        return new ParserError(ErrorCodes.SCOPE_UNSUPPORTED_OP, `Unsupported scope operator: ${operator}`, { operator, field });
+    }
+    /** Action constraint is missing an entity */
+    static actionMissingEntity(operator) {
+        return new ParserError(ErrorCodes.ACTION_MISSING_ENTITY, `Action '${operator}' constraint is missing an entity`, { operator, field: "action" });
+    }
+    /** Action constraint is missing entities */
+    static actionMissingEntities() {
+        return new ParserError(ErrorCodes.ACTION_MISSING_ENTITIES, "Action 'in' constraint is missing entities", { operator: "in", field: "action" });
+    }
+    /** Unsupported action operator */
+    static actionUnsupportedOp(operator) {
+        return new ParserError(ErrorCodes.ACTION_UNSUPPORTED_OP, `Unsupported action operator: ${operator}`, { operator, field: "action" });
+    }
+    /** Action scope is nil */
+    static actionScopeNil() {
+        return new ParserError(ErrorCodes.ACTION_SCOPE_NIL, "Action scope is nil", { field: "action" });
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,0CAA0C;IAC1C,8DAA8D;IAC9D,oBAAoB,EAAE,eAAe;IACrC,mEAAmE;IACnE,yBAAyB,EAAE,eAAe;IAC1C,gEAAgE;IAChE,yBAAyB,EAAE,eAAe;IAC1C,uDAAuD;IACvD,wBAAwB,EAAE,eAAe;IACzC,iCAAiC;IACjC,oBAAoB,EAAE,eAAe;IAErC,4CAA4C;IAC5C,+DAA+D;IAC/D,qBAAqB,EAAE,gBAAgB;IACvC,8DAA8D;IAC9D,uBAAuB,EAAE,gBAAgB;IACzC,kCAAkC;IAClC,qBAAqB,EAAE,gBAAgB;IACvC,+BAA+B;IAC/B,gBAAgB,EAAE,gBAAgB;IAElC,kCAAkC;IAClC,qDAAqD;IACrD,yBAAyB,EAAE,cAAc;IACzC,yCAAyC;IACzC,uBAAuB,EAAE,cAAc;IAEvC,+BAA+B;IAC/B,2BAA2B;IAC3B,oBAAoB,EAAE,eAAe;IACrC,uCAAuC;IACvC,qBAAqB,EAAE,eAAe;IACtC,2CAA2C;IAC3C,oBAAoB,EAAE,eAAe;IACrC,mDAAmD;IACnD,oBAAoB,EAAE,eAAe;IACrC,gCAAgC;IAChC,kBAAkB,EAAE,eAAe;CAC3B,CAAC;AAgBX;;GAEG;AACH,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,0DAA0D;IAC1C,IAAI,CAAY;IAChC,qCAAqC;IACrB,OAAO,CAAgB;IAEvC,YAAY,IAAe,EAAE,OAAe,EAAE,OAAsB;QAClE,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;QAC1B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QAEvB,qFAAqF;QACrF,MAAM,gBAAgB,GAAG,KAA2F,CAAC;QACrH,IAAI,gBAAgB,CAAC,iBAAiB,EAAE,CAAC;YACvC,gBAAgB,CAAC,iBAAiB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED;;OAEG;IACM,QAAQ;QACf,OAAO,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,MAAM;QACJ,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;SAC/C,CAAC;IACJ,CAAC;IAED,uDAAuD;IAEvD,4CAA4C;IAC5C,MAAM,CAAC,kBAAkB,CAAC,QAAgB,EAAE,KAAa;QACvD,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,oBAAoB,EAC/B,IAAI,QAAQ,mCAAmC,EAC/C,EAAE,QAAQ,EAAE,KAAK,EAAE,CACpB,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,MAAM,CAAC,sBAAsB,CAAC,KAAa;QACzC,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,yBAAyB,EACpC,2CAA2C,EAC3C,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,CAC1B,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,MAAM,CAAC,sBAAsB,CAAC,KAAa;QACzC,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,yBAAyB,EACpC,sCAAsC,EACtC,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,CAC1B,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,MAAM,CAAC,qBAAqB,CAAC,QAAgB,EAAE,KAAa;QAC1D,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,wBAAwB,EACnC,IAAI,QAAQ,8CAA8C,EAC1D,EAAE,QAAQ,EAAE,KAAK,EAAE,CACpB,CAAC;IACJ,CAAC;IAED,iCAAiC;IACjC,MAAM,CAAC,kBAAkB,CAAC,QAAgB,EAAE,KAAa;QACvD,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,oBAAoB,EAC/B,+BAA+B,QAAQ,EAAE,EACzC,EAAE,QAAQ,EAAE,KAAK,EAAE,CACpB,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,MAAM,CAAC,mBAAmB,CAAC,QAAgB;QACzC,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,qBAAqB,EAChC,WAAW,QAAQ,mCAAmC,EACtD,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,CAC9B,CAAC;IACJ,CAAC;IAED,4CAA4C;IAC5C,MAAM,CAAC,qBAAqB;QAC1B,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,uBAAuB,EAClC,4CAA4C,EAC5C,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpC,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,MAAM,CAAC,mBAAmB,CAAC,QAAgB;QACzC,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,qBAAqB,EAChC,gCAAgC,QAAQ,EAAE,EAC1C,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,CAC9B,CAAC;IACJ,CAAC;IAED,0BAA0B;IAC1B,MAAM,CAAC,cAAc;QACnB,OAAO,IAAI,WAAW,CACpB,UAAU,CAAC,gBAAgB,EAC3B,qBAAqB,EACrB,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;IACJ,CAAC;CACF"}

package/dist/index.d.ts

@@ -4,4 +4,6 @@ export * from './context.gen.js';
 export * from './schema.gen.js';
 export * from './engine.js';
 export * from './builder.js';
+export * from './parser.js';
+export * from './errors.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAMA,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAMA,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC"}

package/dist/index.js

@@ -10,4 +10,6 @@ export * from './schema.gen.js';
 // Non-generated modules (require Node.js)
 export * from './engine.js';
 export * from './builder.js';
+export * from './parser.js';
+export * from './errors.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AACvC,EAAE;AACF,sEAAsE;AACtE,oEAAoE;AAEpE,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAEhC,0CAA0C;AAC1C,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AACvC,EAAE;AACF,sEAAsE;AACtE,oEAAoE;AAEpE,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAEhC,0CAA0C;AAC1C,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC"}

package/dist/overwatch-context.gen.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Context attribute keys for Overwatch Overwatch (Guardian) IDE security & policy enforcement.
+ *
+ * These constants correspond to the context attributes defined in the
+ * Overwatch Cedar schema and are used at policy evaluation time.
+ */
+export declare const OverwatchContextKey: {
+    readonly ContainsSecrets: "contains_secrets";
+    readonly Content: "content";
+    readonly Cwd: "cwd";
+    readonly Event: "event";
+    readonly FilePath: "file_path";
+    readonly HighestSeverity: "highest_severity";
+    readonly MaxThreatSeverity: "max_threat_severity";
+    readonly McpServer: "mcp_server";
+    readonly McpTool: "mcp_tool";
+    readonly Path: "path";
+    readonly PromptText: "prompt_text";
+    readonly ResponseContent: "response_content";
+    readonly ServerName: "server_name";
+    readonly Source: "source";
+    readonly ThreatCategories: "threat_categories";
+    readonly ThreatCount: "threat_count";
+    readonly ThreatTypes: "threat_types";
+    readonly ToolName: "tool_name";
+    readonly UserEmail: "user_email";
+    readonly WorkspaceRoot: "workspace_root";
+    readonly YaraThreats: "yara_threats";
+};
+export type OverwatchContextKey = (typeof OverwatchContextKey)[keyof typeof OverwatchContextKey];
+//# sourceMappingURL=overwatch-context.gen.d.ts.map

package/dist/overwatch-context.gen.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"overwatch-context.gen.d.ts","sourceRoot":"","sources":["../src/overwatch-context.gen.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;CAsBtB,CAAC;AAEX,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,mBAAmB,CAAC,CAAC,MAAM,OAAO,mBAAmB,CAAC,CAAC"}

package/dist/overwatch-context.gen.js

@@ -0,0 +1,32 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/overwatch/context.json
+/**
+ * Context attribute keys for Overwatch Overwatch (Guardian) IDE security & policy enforcement.
+ *
+ * These constants correspond to the context attributes defined in the
+ * Overwatch Cedar schema and are used at policy evaluation time.
+ */
+export const OverwatchContextKey = {
+    ContainsSecrets: 'contains_secrets',
+    Content: 'content',
+    Cwd: 'cwd',
+    Event: 'event',
+    FilePath: 'file_path',
+    HighestSeverity: 'highest_severity',
+    MaxThreatSeverity: 'max_threat_severity',
+    McpServer: 'mcp_server',
+    McpTool: 'mcp_tool',
+    Path: 'path',
+    PromptText: 'prompt_text',
+    ResponseContent: 'response_content',
+    ServerName: 'server_name',
+    Source: 'source',
+    ThreatCategories: 'threat_categories',
+    ThreatCount: 'threat_count',
+    ThreatTypes: 'threat_types',
+    ToolName: 'tool_name',
+    UserEmail: 'user_email',
+    WorkspaceRoot: 'workspace_root',
+    YaraThreats: 'yara_threats',
+};
+//# sourceMappingURL=overwatch-context.gen.js.map

package/dist/overwatch-context.gen.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"overwatch-context.gen.js","sourceRoot":"","sources":["../src/overwatch-context.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,yCAAyC;AAEzC;;;;;GAKG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,eAAe,EAAE,kBAAkB;IACnC,OAAO,EAAE,SAAS;IAClB,GAAG,EAAE,KAAK;IACV,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,WAAW;IACrB,eAAe,EAAE,kBAAkB;IACnC,iBAAiB,EAAE,qBAAqB;IACxC,SAAS,EAAE,YAAY;IACvB,OAAO,EAAE,UAAU;IACnB,IAAI,EAAE,MAAM;IACZ,UAAU,EAAE,aAAa;IACzB,eAAe,EAAE,kBAAkB;IACnC,UAAU,EAAE,aAAa;IACzB,MAAM,EAAE,QAAQ;IAChB,gBAAgB,EAAE,mBAAmB;IACrC,WAAW,EAAE,cAAc;IAC3B,WAAW,EAAE,cAAc;IAC3B,QAAQ,EAAE,WAAW;IACrB,SAAS,EAAE,YAAY;IACvB,aAAa,EAAE,gBAAgB;IAC/B,WAAW,EAAE,cAAc;CACnB,CAAC"}

package/dist/palisade-context.gen.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Context attribute keys for Palisade Palisade ML supply chain security & artifact scanning.
+ *
+ * These constants correspond to the context attributes defined in the
+ * Palisade Cedar schema and are used at policy evaluation time.
+ */
+export declare const PalisadeContextKey: {
+    readonly AdapterBaseDigestMismatch: "adapter_base_digest_mismatch";
+    readonly ArtifactFormat: "artifact_format";
+    readonly ArtifactSigned: "artifact_signed";
+    readonly Environment: "environment";
+    readonly FindingType: "finding_type";
+    readonly GgufSuspiciousMetadata: "gguf_suspicious_metadata";
+    readonly MatchCount: "match_count";
+    readonly MetadataCosaiLevelNumeric: "metadata_cosai_level_numeric";
+    readonly MetadataMaliciousPattern: "metadata_malicious_pattern";
+    readonly Path: "path";
+    readonly PickleExecPathDetected: "pickle_exec_path_detected";
+    readonly ProvenanceSigner: "provenance_signer";
+    readonly SafetensorsIntegrityViolation: "safetensors_integrity_violation";
+    readonly Severity: "severity";
+    readonly TokenizerAddedTokensCount: "tokenizer_added_tokens_count";
+};
+export type PalisadeContextKey = (typeof PalisadeContextKey)[keyof typeof PalisadeContextKey];
+//# sourceMappingURL=palisade-context.gen.d.ts.map

package/dist/palisade-context.gen.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"palisade-context.gen.d.ts","sourceRoot":"","sources":["../src/palisade-context.gen.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;CAgBrB,CAAC;AAEX,MAAM,MAAM,kBAAkB,GAAG,CAAC,OAAO,kBAAkB,CAAC,CAAC,MAAM,OAAO,kBAAkB,CAAC,CAAC"}

package/dist/palisade-context.gen.js

@@ -0,0 +1,26 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/palisade/context.json
+/**
+ * Context attribute keys for Palisade Palisade ML supply chain security & artifact scanning.
+ *
+ * These constants correspond to the context attributes defined in the
+ * Palisade Cedar schema and are used at policy evaluation time.
+ */
+export const PalisadeContextKey = {
+    AdapterBaseDigestMismatch: 'adapter_base_digest_mismatch',
+    ArtifactFormat: 'artifact_format',
+    ArtifactSigned: 'artifact_signed',
+    Environment: 'environment',
+    FindingType: 'finding_type',
+    GgufSuspiciousMetadata: 'gguf_suspicious_metadata',
+    MatchCount: 'match_count',
+    MetadataCosaiLevelNumeric: 'metadata_cosai_level_numeric',
+    MetadataMaliciousPattern: 'metadata_malicious_pattern',
+    Path: 'path',
+    PickleExecPathDetected: 'pickle_exec_path_detected',
+    ProvenanceSigner: 'provenance_signer',
+    SafetensorsIntegrityViolation: 'safetensors_integrity_violation',
+    Severity: 'severity',
+    TokenizerAddedTokensCount: 'tokenizer_added_tokens_count',
+};
+//# sourceMappingURL=palisade-context.gen.js.map

package/dist/palisade-context.gen.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"palisade-context.gen.js","sourceRoot":"","sources":["../src/palisade-context.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,wCAAwC;AAExC;;;;;GAKG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,yBAAyB,EAAE,8BAA8B;IACzD,cAAc,EAAE,iBAAiB;IACjC,cAAc,EAAE,iBAAiB;IACjC,WAAW,EAAE,aAAa;IAC1B,WAAW,EAAE,cAAc;IAC3B,sBAAsB,EAAE,0BAA0B;IAClD,UAAU,EAAE,aAAa;IACzB,yBAAyB,EAAE,8BAA8B;IACzD,wBAAwB,EAAE,4BAA4B;IACtD,IAAI,EAAE,MAAM;IACZ,sBAAsB,EAAE,2BAA2B;IACnD,gBAAgB,EAAE,mBAAmB;IACrC,6BAA6B,EAAE,iCAAiC;IAChE,QAAQ,EAAE,UAAU;IACpB,yBAAyB,EAAE,8BAA8B;CACjD,CAAC"}

package/dist/parser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../src/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAkE,MAAM,cAAc,CAAC;AAE/G;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2DAA2D;IAC3D,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,iFAAiF;IACjF,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,qCAAqC;IACrC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAmDD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,CA2DhE"}
+{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../src/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAkE,MAAM,cAAc,CAAC;AAG/G;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2DAA2D;IAC3D,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,iFAAiF;IACjF,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,qCAAqC;IACrC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAmDD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,CA4EhE"}

package/dist/parser.js

@@ -9,6 +9,7 @@
  * 2. Cedar JSON → PolicyRule (simple JSON mapping)
  */
 import * as cedar from "@cedar-policy/cedar-wasm/nodejs";
+import { ParserError, ErrorCodes } from "./errors.js";
 /**
  * Normalize entity reference to simple { type, id } format
  */
@@ -77,6 +78,20 @@ export function parseCedarToRules(cedarText) {
     catch (e) {
         result.errors.push(`Parse error: ${e instanceof Error ? e.message : String(e)}`);
     }
+    // Check for duplicate policy IDs and add warnings
+    const idOccurrences = new Map();
+    result.rules.forEach((rule, idx) => {
+        if (rule.id) {
+            const indices = idOccurrences.get(rule.id) || [];
+            indices.push(idx);
+            idOccurrences.set(rule.id, indices);
+        }
+    });
+    for (const [id, indices] of idOccurrences) {
+        if (indices.length > 1) {
+            result.errors.push(`[${ErrorCodes.PARSE_DUPLICATE_ID}] Duplicate policy ID '${id}' found at indices [${indices.join(", ")}]`);
+        }
+    }
     return result;
 }
 /**
@@ -90,28 +105,35 @@ function cedarJsonToRule(policy, policyId, index, originalText) {
         const raw = originalText || getRawCedar(policyId, policy);
         return { raw };
     }
-    const rule = {
-        id: policy.annotations?.id || policyId,
-        name: policy.annotations?.name || policy.annotations?.id || policyId,
-        effect: policy.effect,
-        principal: mapScopeToEntity(policy.principal),
-        action: mapActionScope(policy.action),
-        resource: mapScopeToEntity(policy.resource),
-        conditions: [],
-        enabled: true,
-        order: index,
-    };
-    // Map description from annotations
-    if (policy.annotations?.description) {
-        rule.description = policy.annotations.description;
+    try {
+        const rule = {
+            id: policy.annotations?.id || policyId,
+            name: policy.annotations?.name || policy.annotations?.id || policyId,
+            effect: policy.effect,
+            principal: mapScopeToEntity(policy.principal, "principal"),
+            action: mapActionScope(policy.action),
+            resource: mapScopeToEntity(policy.resource, "resource"),
+            conditions: [],
+            enabled: true,
+            order: index,
+        };
+        // Map description from annotations
+        if (policy.annotations?.description) {
+            rule.description = policy.annotations.description;
+        }
+        // Map conditions
+        const { conditions, rawCondition } = mapConditions(policy.conditions);
+        rule.conditions = conditions;
+        if (rawCondition) {
+            rule.rawCondition = rawCondition;
+        }
+        return { rule };
     }
-    // Map conditions
-    const { conditions, rawCondition } = mapConditions(policy.conditions);
-    rule.conditions = conditions;
-    if (rawCondition) {
-        rule.rawCondition = rawCondition;
+    catch (e) {
+        const error = e instanceof Error ? e.message : String(e);
+        const raw = originalText || getRawCedar(policyId, policy);
+        return { raw, error };
     }
-    return { rule };
 }
 /**
  * Check if a Cedar policy can be represented as PolicyRule
@@ -157,12 +179,20 @@ function getRawCedar(policyId, policy) {
     catch {
         // Ignore conversion errors
     }
-    return `// Complex policy: ${policyId}`;
+    // Sanitize policyId to prevent newline injection attacks
+    const safeId = policyId.replace(/[\n\r]/g, " ");
+    return `// Complex policy: ${safeId}`;
 }
 /**
  * Map Cedar scope constraint to PolicyEntity
+ *
+ * Returns null for unconstrained ("All") scopes.
+ * Throws ParserError for malformed constraints to prevent silent misinterpretation.
+ *
+ * @param scope - The Cedar scope constraint
+ * @param field - The field name ("principal" or "resource") for error context
  */
-function mapScopeToEntity(scope) {
+function mapScopeToEntity(scope, field) {
     if (scope.op === "All") {
         return null;
     }
@@ -171,33 +201,44 @@ function mapScopeToEntity(scope) {
             const entity = normalizeEntityRef(scope.entity);
             return { type: entity.type, id: entity.id };
         }
-        // Slot - can't represent
-        return null;
+        if ("slot" in scope) {
+            throw ParserError.scopeSlotNotSupported("==", field);
+        }
+        throw ParserError.scopeMissingEntity("==", field);
     }
     if (scope.op === "is") {
-        // Type constraint
-        return { type: scope.entity_type };
+        if (scope.entity_type) {
+            return { type: scope.entity_type };
+        }
+        throw ParserError.scopeMissingEntityType(field);
     }
     if (scope.op === "in") {
         if ("entity" in scope) {
             const entity = normalizeEntityRef(scope.entity);
             return { type: entity.type, id: entity.id };
         }
-        // Slot - can't represent
-        return null;
+        if ("slot" in scope) {
+            throw ParserError.scopeSlotNotSupported("in", field);
+        }
+        throw ParserError.scopeMissingEntityList(field);
     }
-    return null;
+    throw ParserError.scopeUnsupportedOp(scope.op, field);
 }
 /**
  * Map action scope to action string(s)
+ *
+ * Throws ParserError for malformed constraints to prevent silent misinterpretation.
  */
 function mapActionScope(scope) {
     if (scope.op === "All") {
         return "*";
     }
     if (scope.op === "==") {
-        const entity = normalizeEntityRef(scope.entity);
-        return entity.id;
+        if ("entity" in scope) {
+            const entity = normalizeEntityRef(scope.entity);
+            return entity.id;
+        }
+        throw ParserError.actionMissingEntity("==");
     }
     if (scope.op === "in") {
         if ("entities" in scope) {
@@ -208,8 +249,9 @@ function mapActionScope(scope) {
             const entity = normalizeEntityRef(scope.entity);
             return entity.id;
         }
+        throw ParserError.actionMissingEntities();
     }
-    return "";
+    throw ParserError.actionUnsupportedOp(scope.op);
 }
 /**
  * Map Cedar conditions to PolicyCondition array
@@ -229,9 +271,11 @@ function mapConditions(conditions) {
             rawParts.push(parsed.raw);
         }
     }
+    // Store raw conditions as a valid JSON array instead of joining with " && "
+    // This ensures downstream systems can parse the rawCondition field
     return {
         conditions: result,
-        rawCondition: rawParts.length > 0 ? rawParts.join(" && ") : undefined,
+        rawCondition: rawParts.length > 0 ? `[${rawParts.join(",")}]` : undefined,
     };
 }
 /**
@@ -292,11 +336,12 @@ function mapLike(args) {
     if (!field)
         return null;
     // Convert pattern to string (e.g., ["Wildcard", { Literal: "foo" }, "Wildcard"] -> "*foo*")
+    // Escape literal * characters to distinguish from wildcards on round-trip
     const patternStr = args.pattern.map(p => {
         if (p === "Wildcard")
             return "*";
         if (typeof p === "object" && "Literal" in p)
-            return p.Literal;
+            return p.Literal.replace(/\*/g, "\\*");
         return "";
     }).join("");
     return { field, operator: "like", value: patternStr };