@highflame/policy 2.0.0 → 2.0.1

package/src/studio-ui.test.ts

@@ -0,0 +1,207 @@
+/**
+ * Studio UI Integration Tests
+ *
+ * These tests simulate exactly how the Studio UI (Overwatch admin dashboard)
+ * will use the @highflame/policy npm package.
+ */
+
+import { describe, it, expect } from 'vitest';
+
+// Browser-safe imports (simulating '@highflame/policy/types')
+import {
+  EntityType,
+  ActionType,
+  PolicyBuilder,
+  OVERWATCH_SCHEMA,
+  PALISADE_SCHEMA,
+  OVERWATCH_CONTEXT,
+  PALISADE_CONTEXT,
+  OverwatchContextKey,
+  PalisadeContextKey,
+  type ServiceContext,
+  type ActionContext,
+} from './types.js';
+
+// Node.js only imports (for API routes)
+import {
+  PolicyEngine,
+  PolicyValidator,
+  newEntityUID,
+  newEntity,
+} from './index.js';
+
+describe('Studio UI Integration Tests', () => {
+  /**
+   * Test: PolicyBuilder action formatting
+   *
+   * Tests that simple action names are properly formatted to Cedar syntax.
+   * This is the "normal approach" for non-namespaced schemas.
+   */
+  it('should format simple action names to Cedar syntax', () => {
+    // Using simple action name (normal approach)
+    const policy = PolicyBuilder.permit()
+      .principalType('User')
+      .action('call_tool')
+      .resourceType('Tool')
+      .build();
+
+    const cedarText = policy.toCedar();
+
+    // Simple actions should be wrapped as Action::"..."
+    expect(cedarText).toContain('action == Action::"call_tool"');
+    expect(cedarText).not.toContain('Action::"Action::');  // No double-wrapping
+  });
+
+  /**
+   * Test 1: Schema and Context Loading
+   *
+   * Studio UI needs to load schemas for validation and context metadata
+   * for populating form dropdowns.
+   */
+  it('should load schemas and context metadata for form builders', () => {
+    // Schemas should be strings
+    expect(typeof OVERWATCH_SCHEMA).toBe('string');
+    expect(OVERWATCH_SCHEMA).toContain('namespace Overwatch');
+    expect(typeof PALISADE_SCHEMA).toBe('string');
+    expect(PALISADE_SCHEMA).toContain('namespace Palisade');
+
+    // Context metadata should have action definitions
+    expect(OVERWATCH_CONTEXT.service).toBe('overwatch');
+    expect(OVERWATCH_CONTEXT.actions.length).toBeGreaterThan(0);
+
+    // Find call_tool action and verify context attributes
+    const callToolAction = OVERWATCH_CONTEXT.actions.find(
+      (a: ActionContext) => a.name === 'call_tool'
+    );
+    expect(callToolAction).toBeDefined();
+    expect(callToolAction!.context_attributes.length).toBeGreaterThan(0);
+
+    // Context keys should be available for type-safe form building
+    expect(OverwatchContextKey.ToolName).toBe('tool_name');
+    expect(OverwatchContextKey.ThreatCount).toBe('threat_count');
+    expect(PalisadeContextKey.Severity).toBe('severity');
+    expect(PalisadeContextKey.Environment).toBe('environment');
+  });
+
+  /**
+   * Test 2: Full Round-Trip - Create Policy → Validate → Evaluate
+   *
+   * This simulates the complete flow:
+   * 1. User creates a policy using PolicyBuilder in the UI
+   * 2. API validates the policy against the schema
+   * 3. Runtime evaluates the policy
+   */
+  it('should complete full policy lifecycle for Overwatch', () => {
+    // Step 1: User creates policy in form UI
+    const policy = PolicyBuilder.permit()
+      .principalType('Overwatch::User')
+      .action('Overwatch::Action::"call_tool"')
+      .resourceType('Overwatch::Tool')
+      .whenRaw('context.threat_count < 5')
+      .build();
+
+    const cedarText = policy.toCedar();
+    expect(cedarText).toContain('permit');
+    expect(cedarText).toContain('Overwatch::User');
+
+    // Step 2: API validates policy against schema
+    const validator = new PolicyValidator(OVERWATCH_SCHEMA);
+    const validationResult = validator.validate(cedarText);
+    expect(validationResult.valid).toBe(true);
+
+    // Step 3: Runtime loads and evaluates policy
+    const engine = new PolicyEngine({ schema: OVERWATCH_SCHEMA });
+    engine.loadPolicies(cedarText);
+
+    const entities = [
+      newEntity('Overwatch::User', 'mcp_client', { user_type: 'external', email: 'test@example.com' }),
+      newEntity('Overwatch::Tool', 'shell', { tool_name: 'shell', risk_level: 'high' }),
+    ];
+
+    // Full context as Guardian will provide at runtime
+    const baseContext = {
+      content: 'ls -la',
+      source: 'claudecode',
+      event: 'PreToolUse',
+      user_email: 'test@example.com',
+      tool_name: 'shell',
+      mcp_server: 'filesystem',
+      mcp_tool: 'shell',
+      path: '/workspace',
+      cwd: '/workspace',
+      workspace_root: '/workspace',
+      highest_severity: 'low',
+      threat_categories: [],
+      threat_types: [],
+      yara_threats: [],
+      max_threat_severity: 1,
+      contains_secrets: false,
+      response_content: '',
+    };
+
+    // Should allow when threat_count < 5
+    const allowDecision = engine.evaluate({
+      principal: newEntityUID('Overwatch::User', 'mcp_client'),
+      action: 'Overwatch::Action::"call_tool"',
+      resource: newEntityUID('Overwatch::Tool', 'shell'),
+      context: { ...baseContext, threat_count: 3 },
+      entities,
+    });
+    expect(allowDecision.effect).toBe('Allow');
+
+    // Should deny when threat_count >= 5 (no matching permit)
+    const denyDecision = engine.evaluate({
+      principal: newEntityUID('Overwatch::User', 'mcp_client'),
+      action: 'Overwatch::Action::"call_tool"',
+      resource: newEntityUID('Overwatch::Tool', 'shell'),
+      context: { ...baseContext, threat_count: 10 },
+      entities,
+    });
+    expect(denyDecision.effect).toBe('Deny');
+  });
+
+  /**
+   * Test 3: Full Round-Trip for Palisade
+   *
+   * Same flow but for Palisade ML security policies.
+   */
+  it('should complete full policy lifecycle for Palisade', () => {
+    // Step 1: Create a forbid policy for CRITICAL findings
+    const policy = PolicyBuilder.forbid()
+      .principalType('Palisade::Scanner')
+      .action('Palisade::Action::"load_model"')
+      .resourceType('Palisade::Artifact')
+      .whenRaw('context.severity == "CRITICAL"')
+      .build();
+
+    const cedarText = policy.toCedar();
+
+    // Step 2: Validate
+    const validator = new PolicyValidator(PALISADE_SCHEMA);
+    expect(validator.validate(cedarText).valid).toBe(true);
+
+    // Step 3: Evaluate
+    const engine = new PolicyEngine({ schema: PALISADE_SCHEMA });
+    engine.loadPolicies(cedarText);
+
+    const entities = [
+      newEntity('Palisade::Scanner', 'palisade', { scanner_type: 'ml' }),
+      newEntity('Palisade::Artifact', 'model.pkl', {
+        artifact_format: 'pickle',
+        path: '/model.pkl',
+        signed: false,
+        signer: 'unsigned',
+      }),
+    ];
+
+    // Should deny CRITICAL findings
+    const decision = engine.evaluate({
+      principal: newEntityUID('Palisade::Scanner', 'palisade'),
+      action: 'Palisade::Action::"load_model"',
+      resource: newEntityUID('Palisade::Artifact', 'model.pkl'),
+      context: { severity: 'CRITICAL' },
+      entities,
+    });
+    expect(decision.effect).toBe('Deny');
+  });
+});

package/src/types.ts

@@ -16,3 +16,20 @@ export * from './builder.js';
 
 // Error types - works in browser (no WASM dependency)
 export * from './errors.js';
+
+// Service-specific schemas and context (inlined, browser-safe)
+export {
+  OVERWATCH_SCHEMA,
+  PALISADE_SCHEMA,
+  OVERWATCH_CONTEXT,
+  PALISADE_CONTEXT,
+} from './service-schemas.gen.js';
+export type {
+  ContextAttribute,
+  ActionContext,
+  ServiceContext,
+} from './service-schemas.gen.js';
+
+// Service-specific context key enums
+export { OverwatchContextKey } from './overwatch-context.gen.js';
+export { PalisadeContextKey } from './palisade-context.gen.js';