@highflame/policy 2.0.0 → 2.0.1

package/dist/studio-ui.test.js

@@ -0,0 +1,165 @@
+/**
+ * Studio UI Integration Tests
+ *
+ * These tests simulate exactly how the Studio UI (Overwatch admin dashboard)
+ * will use the @highflame/policy npm package.
+ */
+import { describe, it, expect } from 'vitest';
+// Browser-safe imports (simulating '@highflame/policy/types')
+import { PolicyBuilder, OVERWATCH_SCHEMA, PALISADE_SCHEMA, OVERWATCH_CONTEXT, OverwatchContextKey, PalisadeContextKey, } from './types.js';
+// Node.js only imports (for API routes)
+import { PolicyEngine, PolicyValidator, newEntityUID, newEntity, } from './index.js';
+describe('Studio UI Integration Tests', () => {
+    /**
+     * Test: PolicyBuilder action formatting
+     *
+     * Tests that simple action names are properly formatted to Cedar syntax.
+     * This is the "normal approach" for non-namespaced schemas.
+     */
+    it('should format simple action names to Cedar syntax', () => {
+        // Using simple action name (normal approach)
+        const policy = PolicyBuilder.permit()
+            .principalType('User')
+            .action('call_tool')
+            .resourceType('Tool')
+            .build();
+        const cedarText = policy.toCedar();
+        // Simple actions should be wrapped as Action::"..."
+        expect(cedarText).toContain('action == Action::"call_tool"');
+        expect(cedarText).not.toContain('Action::"Action::'); // No double-wrapping
+    });
+    /**
+     * Test 1: Schema and Context Loading
+     *
+     * Studio UI needs to load schemas for validation and context metadata
+     * for populating form dropdowns.
+     */
+    it('should load schemas and context metadata for form builders', () => {
+        // Schemas should be strings
+        expect(typeof OVERWATCH_SCHEMA).toBe('string');
+        expect(OVERWATCH_SCHEMA).toContain('namespace Overwatch');
+        expect(typeof PALISADE_SCHEMA).toBe('string');
+        expect(PALISADE_SCHEMA).toContain('namespace Palisade');
+        // Context metadata should have action definitions
+        expect(OVERWATCH_CONTEXT.service).toBe('overwatch');
+        expect(OVERWATCH_CONTEXT.actions.length).toBeGreaterThan(0);
+        // Find call_tool action and verify context attributes
+        const callToolAction = OVERWATCH_CONTEXT.actions.find((a) => a.name === 'call_tool');
+        expect(callToolAction).toBeDefined();
+        expect(callToolAction.context_attributes.length).toBeGreaterThan(0);
+        // Context keys should be available for type-safe form building
+        expect(OverwatchContextKey.ToolName).toBe('tool_name');
+        expect(OverwatchContextKey.ThreatCount).toBe('threat_count');
+        expect(PalisadeContextKey.Severity).toBe('severity');
+        expect(PalisadeContextKey.Environment).toBe('environment');
+    });
+    /**
+     * Test 2: Full Round-Trip - Create Policy → Validate → Evaluate
+     *
+     * This simulates the complete flow:
+     * 1. User creates a policy using PolicyBuilder in the UI
+     * 2. API validates the policy against the schema
+     * 3. Runtime evaluates the policy
+     */
+    it('should complete full policy lifecycle for Overwatch', () => {
+        // Step 1: User creates policy in form UI
+        const policy = PolicyBuilder.permit()
+            .principalType('Overwatch::User')
+            .action('Overwatch::Action::"call_tool"')
+            .resourceType('Overwatch::Tool')
+            .whenRaw('context.threat_count < 5')
+            .build();
+        const cedarText = policy.toCedar();
+        expect(cedarText).toContain('permit');
+        expect(cedarText).toContain('Overwatch::User');
+        // Step 2: API validates policy against schema
+        const validator = new PolicyValidator(OVERWATCH_SCHEMA);
+        const validationResult = validator.validate(cedarText);
+        expect(validationResult.valid).toBe(true);
+        // Step 3: Runtime loads and evaluates policy
+        const engine = new PolicyEngine({ schema: OVERWATCH_SCHEMA });
+        engine.loadPolicies(cedarText);
+        const entities = [
+            newEntity('Overwatch::User', 'mcp_client', { user_type: 'external', email: 'test@example.com' }),
+            newEntity('Overwatch::Tool', 'shell', { tool_name: 'shell', risk_level: 'high' }),
+        ];
+        // Full context as Guardian will provide at runtime
+        const baseContext = {
+            content: 'ls -la',
+            source: 'claudecode',
+            event: 'PreToolUse',
+            user_email: 'test@example.com',
+            tool_name: 'shell',
+            mcp_server: 'filesystem',
+            mcp_tool: 'shell',
+            path: '/workspace',
+            cwd: '/workspace',
+            workspace_root: '/workspace',
+            highest_severity: 'low',
+            threat_categories: [],
+            threat_types: [],
+            yara_threats: [],
+            max_threat_severity: 1,
+            contains_secrets: false,
+            response_content: '',
+        };
+        // Should allow when threat_count < 5
+        const allowDecision = engine.evaluate({
+            principal: newEntityUID('Overwatch::User', 'mcp_client'),
+            action: 'Overwatch::Action::"call_tool"',
+            resource: newEntityUID('Overwatch::Tool', 'shell'),
+            context: { ...baseContext, threat_count: 3 },
+            entities,
+        });
+        expect(allowDecision.effect).toBe('Allow');
+        // Should deny when threat_count >= 5 (no matching permit)
+        const denyDecision = engine.evaluate({
+            principal: newEntityUID('Overwatch::User', 'mcp_client'),
+            action: 'Overwatch::Action::"call_tool"',
+            resource: newEntityUID('Overwatch::Tool', 'shell'),
+            context: { ...baseContext, threat_count: 10 },
+            entities,
+        });
+        expect(denyDecision.effect).toBe('Deny');
+    });
+    /**
+     * Test 3: Full Round-Trip for Palisade
+     *
+     * Same flow but for Palisade ML security policies.
+     */
+    it('should complete full policy lifecycle for Palisade', () => {
+        // Step 1: Create a forbid policy for CRITICAL findings
+        const policy = PolicyBuilder.forbid()
+            .principalType('Palisade::Scanner')
+            .action('Palisade::Action::"load_model"')
+            .resourceType('Palisade::Artifact')
+            .whenRaw('context.severity == "CRITICAL"')
+            .build();
+        const cedarText = policy.toCedar();
+        // Step 2: Validate
+        const validator = new PolicyValidator(PALISADE_SCHEMA);
+        expect(validator.validate(cedarText).valid).toBe(true);
+        // Step 3: Evaluate
+        const engine = new PolicyEngine({ schema: PALISADE_SCHEMA });
+        engine.loadPolicies(cedarText);
+        const entities = [
+            newEntity('Palisade::Scanner', 'palisade', { scanner_type: 'ml' }),
+            newEntity('Palisade::Artifact', 'model.pkl', {
+                artifact_format: 'pickle',
+                path: '/model.pkl',
+                signed: false,
+                signer: 'unsigned',
+            }),
+        ];
+        // Should deny CRITICAL findings
+        const decision = engine.evaluate({
+            principal: newEntityUID('Palisade::Scanner', 'palisade'),
+            action: 'Palisade::Action::"load_model"',
+            resource: newEntityUID('Palisade::Artifact', 'model.pkl'),
+            context: { severity: 'CRITICAL' },
+            entities,
+        });
+        expect(decision.effect).toBe('Deny');
+    });
+});
+//# sourceMappingURL=studio-ui.test.js.map

package/dist/studio-ui.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"studio-ui.test.js","sourceRoot":"","sources":["../src/studio-ui.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAE9C,8DAA8D;AAC9D,OAAO,EAGL,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,iBAAiB,EAEjB,mBAAmB,EACnB,kBAAkB,GAGnB,MAAM,YAAY,CAAC;AAEpB,wCAAwC;AACxC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,YAAY,EACZ,SAAS,GACV,MAAM,YAAY,CAAC;AAEpB,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C;;;;;OAKG;IACH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,6CAA6C;QAC7C,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,EAAE;aAClC,aAAa,CAAC,MAAM,CAAC;aACrB,MAAM,CAAC,WAAW,CAAC;aACnB,YAAY,CAAC,MAAM,CAAC;aACpB,KAAK,EAAE,CAAC;QAEX,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QAEnC,oDAAoD;QACpD,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,+BAA+B,CAAC,CAAC;QAC7D,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC,CAAE,qBAAqB;IAC9E,CAAC,CAAC,CAAC;IAEH;;;;;OAKG;IACH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,4BAA4B;QAC5B,MAAM,CAAC,OAAO,gBAAgB,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,CAAC,gBAAgB,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;QAC1D,MAAM,CAAC,OAAO,eAAe,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,CAAC,eAAe,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;QAExD,kDAAkD;QAClD,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACpD,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAE5D,sDAAsD;QACtD,MAAM,cAAc,GAAG,iBAAiB,CAAC,OAAO,CAAC,IAAI,CACnD,CAAC,CAAgB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAC7C,CAAC;QACF,MAAM,CAAC,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,CAAC,cAAe,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAErE,+DAA+D;QAC/D,MAAM,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACvD,MAAM,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC7D,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrD,MAAM,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH;;;;;;;OAOG;IACH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,yCAAyC;QACzC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,EAAE;aAClC,aAAa,CAAC,iBAAiB,CAAC;aAChC,MAAM,CAAC,gCAAgC,CAAC;aACxC,YAAY,CAAC,iBAAiB,CAAC;aAC/B,OAAO,CAAC,0BAA0B,CAAC;aACnC,KAAK,EAAE,CAAC;QAEX,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QACnC,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACtC,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;QAE/C,8CAA8C;QAC9C,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,gBAAgB,CAAC,CAAC;QACxD,MAAM,gBAAgB,GAAG,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACvD,MAAM,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE1C,6CAA6C;QAC7C,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC9D,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QAE/B,MAAM,QAAQ,GAAG;YACf,SAAS,CAAC,iBAAiB,EAAE,YAAY,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;YAChG,SAAS,CAAC,iBAAiB,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;SAClF,CAAC;QAEF,mDAAmD;QACnD,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE,QAAQ;YACjB,MAAM,EAAE,YAAY;YACpB,KAAK,EAAE,YAAY;YACnB,UAAU,EAAE,kBAAkB;YAC9B,SAAS,EAAE,OAAO;YAClB,UAAU,EAAE,YAAY;YACxB,QAAQ,EAAE,OAAO;YACjB,IAAI,EAAE,YAAY;YAClB,GAAG,EAAE,YAAY;YACjB,cAAc,EAAE,YAAY;YAC5B,gBAAgB,EAAE,KAAK;YACvB,iBAAiB,EAAE,EAAE;YACrB,YAAY,EAAE,EAAE;YAChB,YAAY,EAAE,EAAE;YAChB,mBAAmB,EAAE,CAAC;YACtB,gBAAgB,EAAE,KAAK;YACvB,gBAAgB,EAAE,EAAE;SACrB,CAAC;QAEF,qCAAqC;QACrC,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC;YACpC,SAAS,EAAE,YAAY,CAAC,iBAAiB,EAAE,YAAY,CAAC;YACxD,MAAM,EAAE,gCAAgC;YACxC,QAAQ,EAAE,YAAY,CAAC,iBAAiB,EAAE,OAAO,CAAC;YAClD,OAAO,EAAE,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,CAAC,EAAE;YAC5C,QAAQ;SACT,CAAC,CAAC;QACH,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE3C,0DAA0D;QAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC;YACnC,SAAS,EAAE,YAAY,CAAC,iBAAiB,EAAE,YAAY,CAAC;YACxD,MAAM,EAAE,gCAAgC;YACxC,QAAQ,EAAE,YAAY,CAAC,iBAAiB,EAAE,OAAO,CAAC;YAClD,OAAO,EAAE,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,EAAE,EAAE;YAC7C,QAAQ;SACT,CAAC,CAAC;QACH,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH;;;;OAIG;IACH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,uDAAuD;QACvD,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,EAAE;aAClC,aAAa,CAAC,mBAAmB,CAAC;aAClC,MAAM,CAAC,gCAAgC,CAAC;aACxC,YAAY,CAAC,oBAAoB,CAAC;aAClC,OAAO,CAAC,gCAAgC,CAAC;aACzC,KAAK,EAAE,CAAC;QAEX,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QAEnC,mBAAmB;QACnB,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;QACvD,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEvD,mBAAmB;QACnB,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QAE/B,MAAM,QAAQ,GAAG;YACf,SAAS,CAAC,mBAAmB,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;YAClE,SAAS,CAAC,oBAAoB,EAAE,WAAW,EAAE;gBAC3C,eAAe,EAAE,QAAQ;gBACzB,IAAI,EAAE,YAAY;gBAClB,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,UAAU;aACnB,CAAC;SACH,CAAC;QAEF,gCAAgC;QAChC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC/B,SAAS,EAAE,YAAY,CAAC,mBAAmB,EAAE,UAAU,CAAC;YACxD,MAAM,EAAE,gCAAgC;YACxC,QAAQ,EAAE,YAAY,CAAC,oBAAoB,EAAE,WAAW,CAAC;YACzD,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;YACjC,QAAQ;SACT,CAAC,CAAC;QACH,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/types.d.ts

@@ -4,4 +4,8 @@ export * from './context.gen.js';
 export * from './schema.gen.js';
 export * from './builder.js';
 export * from './errors.js';
+export { OVERWATCH_SCHEMA, PALISADE_SCHEMA, OVERWATCH_CONTEXT, PALISADE_CONTEXT, } from './service-schemas.gen.js';
+export type { ContextAttribute, ActionContext, ServiceContext, } from './service-schemas.gen.js';
+export { OverwatchContextKey } from './overwatch-context.gen.js';
+export { PalisadeContextKey } from './palisade-context.gen.js';
 //# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAQA,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,cAAc,CAAC;AAG7B,cAAc,aAAa,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAQA,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,cAAc,CAAC;AAG7B,cAAc,aAAa,CAAC;AAG5B,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,gBAAgB,EAChB,aAAa,EACb,cAAc,GACf,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC"}

package/dist/types.js

@@ -13,4 +13,9 @@ export * from './schema.gen.js';
 export * from './builder.js';
 // Error types - works in browser (no WASM dependency)
 export * from './errors.js';
+// Service-specific schemas and context (inlined, browser-safe)
+export { OVERWATCH_SCHEMA, PALISADE_SCHEMA, OVERWATCH_CONTEXT, PALISADE_CONTEXT, } from './service-schemas.gen.js';
+// Service-specific context key enums
+export { OverwatchContextKey } from './overwatch-context.gen.js';
+export { PalisadeContextKey } from './palisade-context.gen.js';
 //# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AACvC,EAAE;AACF,6CAA6C;AAC7C,gDAAgD;AAChD,yEAAyE;AAEzE,gDAAgD;AAChD,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAEhC,wDAAwD;AACxD,cAAc,cAAc,CAAC;AAE7B,sDAAsD;AACtD,cAAc,aAAa,CAAC"}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AACvC,EAAE;AACF,6CAA6C;AAC7C,gDAAgD;AAChD,yEAAyE;AAEzE,gDAAgD;AAChD,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAEhC,wDAAwD;AACxD,cAAc,cAAc,CAAC;AAE7B,sDAAsD;AACtD,cAAc,aAAa,CAAC;AAE5B,+DAA+D;AAC/D,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,0BAA0B,CAAC;AAOlC,qCAAqC;AACrC,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highflame/policy",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Highflame Cedar policy types and engine wrapper",
   "readme": "README.md",
   "main": "dist/index.js",

package/src/builder.ts

@@ -25,6 +25,20 @@
 import { EntityType, EntityUID } from './entities.gen.js';
 import { ActionType } from './actions.gen.js';
 
+/**
+ * Format an action string for Cedar policy text.
+ * Detects if action is already namespaced (contains 'Action::"') and preserves it,
+ * otherwise wraps with Action::"...".
+ */
+function formatAction(action: string): string {
+    if (action.includes('Action::"')) {
+        // Already namespaced (e.g., 'Overwatch::Action::"call_tool"')
+        return action;
+    }
+    // Non-namespaced, wrap with Action::"..."
+    return `Action::"${action}"`;
+}
+
 /**
  * Policy effect - permit or forbid
  */
@@ -163,13 +177,13 @@ export class Policy {
         // Action
         if (Array.isArray(this.data.action)) {
             if (this.data.action.length === 1) {
-                policyLine += `,\n    action == Action::\"${this.data.action[0]}\"`;
+                policyLine += `,\n    action == ${formatAction(this.data.action[0])}`;
             } else {
-                const actions = this.data.action.map(a => `Action::\"${a}\"`).join(', ');
+                const actions = this.data.action.map(a => formatAction(a)).join(', ');
                 policyLine += `,\n    action in [${actions}]`;
             }
         } else {
-            policyLine += `,\n    action == Action::\"${this.data.action}\"`;
+            policyLine += `,\n    action == ${formatAction(this.data.action)}`;
         }
 
         // Resource

package/src/index.ts

@@ -14,3 +14,20 @@ export * from './engine.js';
 export * from './builder.js';
 export * from './parser.js';
 export * from './errors.js';
+
+// Service-specific schemas and context (inlined)
+export {
+  OVERWATCH_SCHEMA,
+  PALISADE_SCHEMA,
+  OVERWATCH_CONTEXT,
+  PALISADE_CONTEXT,
+} from './service-schemas.gen.js';
+export type {
+  ContextAttribute,
+  ActionContext,
+  ServiceContext,
+} from './service-schemas.gen.js';
+
+// Service-specific context key enums
+export { OverwatchContextKey } from './overwatch-context.gen.js';
+export { PalisadeContextKey } from './palisade-context.gen.js';

package/src/overwatch-context.gen.ts

@@ -12,7 +12,6 @@ export const OverwatchContextKey = {
   Content: 'content',
   Cwd: 'cwd',
   Event: 'event',
-  FilePath: 'file_path',
   HighestSeverity: 'highest_severity',
   MaxThreatSeverity: 'max_threat_severity',
   McpServer: 'mcp_server',
@@ -20,7 +19,6 @@ export const OverwatchContextKey = {
   Path: 'path',
   PromptText: 'prompt_text',
   ResponseContent: 'response_content',
-  ServerName: 'server_name',
   Source: 'source',
   ThreatCategories: 'threat_categories',
   ThreatCount: 'threat_count',

package/src/schemas.test.ts

@@ -205,9 +205,7 @@ describe('Service-Specific Schemas', () => {
           tool_name: 'shell',
           mcp_server: 'filesystem',
           mcp_tool: 'shell',
-          server_name: 'filesystem',
           path: '/workspace',
-          file_path: '/workspace',
           cwd: '/workspace',
           workspace_root: '/workspace',
           threat_count: 3,
@@ -388,9 +386,7 @@ describe('Service-Specific Schemas', () => {
           tool_name: 'shell',
           mcp_server: 'filesystem',
           mcp_tool: 'shell',
-          server_name: 'filesystem',
           path: '/etc/passwd',
-          file_path: '/etc/passwd',
           cwd: '/workspace',
           workspace_root: '/workspace',
           threat_count: 5,