@highflame/policy 2.0.0 → 2.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/_schemas/overwatch/context.json +0 -30
- package/_schemas/overwatch/schema.cedarschema +0 -5
- package/dist/builder.d.ts.map +1 -1
- package/dist/builder.js +16 -3
- package/dist/builder.js.map +1 -1
- package/dist/entity-metadata-types.gen.d.ts +17 -0
- package/dist/entity-metadata-types.gen.d.ts.map +1 -0
- package/dist/entity-metadata-types.gen.js +3 -0
- package/dist/entity-metadata-types.gen.js.map +1 -0
- package/dist/index.d.ts +7 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +8 -0
- package/dist/index.js.map +1 -1
- package/dist/overwatch-context.gen.d.ts +0 -2
- package/dist/overwatch-context.gen.d.ts.map +1 -1
- package/dist/overwatch-context.gen.js +0 -2
- package/dist/overwatch-context.gen.js.map +1 -1
- package/dist/overwatch-entities.gen.d.ts +12 -0
- package/dist/overwatch-entities.gen.d.ts.map +1 -0
- package/dist/overwatch-entities.gen.js +38 -0
- package/dist/overwatch-entities.gen.js.map +1 -0
- package/dist/palisade-entities.gen.d.ts +12 -0
- package/dist/palisade-entities.gen.d.ts.map +1 -0
- package/dist/palisade-entities.gen.js +46 -0
- package/dist/palisade-entities.gen.js.map +1 -0
- package/dist/schemas.test.js +0 -4
- package/dist/schemas.test.js.map +1 -1
- package/dist/service-schemas.gen.d.ts +48 -0
- package/dist/service-schemas.gen.d.ts.map +1 -0
- package/dist/service-schemas.gen.js +581 -0
- package/dist/service-schemas.gen.js.map +1 -0
- package/dist/studio-ui.test.d.ts +8 -0
- package/dist/studio-ui.test.d.ts.map +1 -0
- package/dist/studio-ui.test.js +254 -0
- package/dist/studio-ui.test.js.map +1 -0
- package/dist/types.d.ts +7 -0
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +8 -0
- package/dist/types.js.map +1 -1
- package/package.json +1 -1
- package/src/builder.ts +17 -3
- package/src/entity-metadata-types.gen.ts +19 -0
- package/src/index.ts +28 -0
- package/src/overwatch-context.gen.ts +0 -2
- package/src/overwatch-entities.gen.ts +41 -0
- package/src/palisade-entities.gen.ts +49 -0
- package/src/schemas.test.ts +0 -4
- package/src/service-schemas.gen.ts +608 -0
- package/src/studio-ui.test.ts +314 -0
- package/src/types.ts +28 -0
|
@@ -0,0 +1,254 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Studio UI Integration Tests
|
|
3
|
+
*
|
|
4
|
+
* These tests simulate exactly how the Studio UI (Overwatch admin dashboard)
|
|
5
|
+
* will use the @highflame/policy npm package.
|
|
6
|
+
*/
|
|
7
|
+
import { describe, it, expect } from 'vitest';
|
|
8
|
+
// Browser-safe imports (simulating '@highflame/policy/types')
|
|
9
|
+
import { PolicyBuilder, OVERWATCH_SCHEMA, PALISADE_SCHEMA, OVERWATCH_CONTEXT, OverwatchContextKey, PalisadeContextKey,
|
|
10
|
+
// Entity metadata for UI dropdowns
|
|
11
|
+
OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './types.js';
|
|
12
|
+
// Node.js only imports (for API routes)
|
|
13
|
+
import { PolicyEngine, PolicyValidator, newEntityUID, newEntity, } from './index.js';
|
|
14
|
+
describe('Studio UI Integration Tests', () => {
|
|
15
|
+
/**
|
|
16
|
+
* Test: PolicyBuilder action formatting
|
|
17
|
+
*
|
|
18
|
+
* Tests that simple action names are properly formatted to Cedar syntax.
|
|
19
|
+
* This is the "normal approach" for non-namespaced schemas.
|
|
20
|
+
*/
|
|
21
|
+
it('should format simple action names to Cedar syntax', () => {
|
|
22
|
+
// Using simple action name (normal approach)
|
|
23
|
+
const policy = PolicyBuilder.permit()
|
|
24
|
+
.principalType('User')
|
|
25
|
+
.action('call_tool')
|
|
26
|
+
.resourceType('Tool')
|
|
27
|
+
.build();
|
|
28
|
+
const cedarText = policy.toCedar();
|
|
29
|
+
// Simple actions should be wrapped as Action::"..."
|
|
30
|
+
expect(cedarText).toContain('action == Action::"call_tool"');
|
|
31
|
+
expect(cedarText).not.toContain('Action::"Action::'); // No double-wrapping
|
|
32
|
+
});
|
|
33
|
+
/**
|
|
34
|
+
* Test 1: Schema and Context Loading
|
|
35
|
+
*
|
|
36
|
+
* Studio UI needs to load schemas for validation and context metadata
|
|
37
|
+
* for populating form dropdowns.
|
|
38
|
+
*/
|
|
39
|
+
it('should load schemas and context metadata for form builders', () => {
|
|
40
|
+
// Schemas should be strings
|
|
41
|
+
expect(typeof OVERWATCH_SCHEMA).toBe('string');
|
|
42
|
+
expect(OVERWATCH_SCHEMA).toContain('namespace Overwatch');
|
|
43
|
+
expect(typeof PALISADE_SCHEMA).toBe('string');
|
|
44
|
+
expect(PALISADE_SCHEMA).toContain('namespace Palisade');
|
|
45
|
+
// Context metadata should have action definitions
|
|
46
|
+
expect(OVERWATCH_CONTEXT.service).toBe('overwatch');
|
|
47
|
+
expect(OVERWATCH_CONTEXT.actions.length).toBeGreaterThan(0);
|
|
48
|
+
// Find call_tool action and verify context attributes
|
|
49
|
+
const callToolAction = OVERWATCH_CONTEXT.actions.find((a) => a.name === 'call_tool');
|
|
50
|
+
expect(callToolAction).toBeDefined();
|
|
51
|
+
expect(callToolAction.context_attributes.length).toBeGreaterThan(0);
|
|
52
|
+
// Context keys should be available for type-safe form building
|
|
53
|
+
expect(OverwatchContextKey.ToolName).toBe('tool_name');
|
|
54
|
+
expect(OverwatchContextKey.ThreatCount).toBe('threat_count');
|
|
55
|
+
expect(PalisadeContextKey.Severity).toBe('severity');
|
|
56
|
+
expect(PalisadeContextKey.Environment).toBe('environment');
|
|
57
|
+
});
|
|
58
|
+
/**
|
|
59
|
+
* Test 2: Full Round-Trip - Create Policy → Validate → Evaluate
|
|
60
|
+
*
|
|
61
|
+
* This simulates the complete flow:
|
|
62
|
+
* 1. User creates a policy using PolicyBuilder in the UI
|
|
63
|
+
* 2. API validates the policy against the schema
|
|
64
|
+
* 3. Runtime evaluates the policy
|
|
65
|
+
*/
|
|
66
|
+
it('should complete full policy lifecycle for Overwatch', () => {
|
|
67
|
+
// Step 1: User creates policy in form UI
|
|
68
|
+
const policy = PolicyBuilder.permit()
|
|
69
|
+
.principalType('Overwatch::User')
|
|
70
|
+
.action('Overwatch::Action::"call_tool"')
|
|
71
|
+
.resourceType('Overwatch::Tool')
|
|
72
|
+
.whenRaw('context.threat_count < 5')
|
|
73
|
+
.build();
|
|
74
|
+
const cedarText = policy.toCedar();
|
|
75
|
+
expect(cedarText).toContain('permit');
|
|
76
|
+
expect(cedarText).toContain('Overwatch::User');
|
|
77
|
+
// Step 2: API validates policy against schema
|
|
78
|
+
const validator = new PolicyValidator(OVERWATCH_SCHEMA);
|
|
79
|
+
const validationResult = validator.validate(cedarText);
|
|
80
|
+
expect(validationResult.valid).toBe(true);
|
|
81
|
+
// Step 3: Runtime loads and evaluates policy
|
|
82
|
+
const engine = new PolicyEngine({ schema: OVERWATCH_SCHEMA });
|
|
83
|
+
engine.loadPolicies(cedarText);
|
|
84
|
+
const entities = [
|
|
85
|
+
newEntity('Overwatch::User', 'mcp_client', { user_type: 'external', email: 'test@example.com' }),
|
|
86
|
+
newEntity('Overwatch::Tool', 'shell', { tool_name: 'shell', risk_level: 'high' }),
|
|
87
|
+
];
|
|
88
|
+
// Full context as Guardian will provide at runtime
|
|
89
|
+
const baseContext = {
|
|
90
|
+
content: 'ls -la',
|
|
91
|
+
source: 'claudecode',
|
|
92
|
+
event: 'PreToolUse',
|
|
93
|
+
user_email: 'test@example.com',
|
|
94
|
+
tool_name: 'shell',
|
|
95
|
+
mcp_server: 'filesystem',
|
|
96
|
+
mcp_tool: 'shell',
|
|
97
|
+
path: '/workspace',
|
|
98
|
+
cwd: '/workspace',
|
|
99
|
+
workspace_root: '/workspace',
|
|
100
|
+
highest_severity: 'low',
|
|
101
|
+
threat_categories: [],
|
|
102
|
+
threat_types: [],
|
|
103
|
+
yara_threats: [],
|
|
104
|
+
max_threat_severity: 1,
|
|
105
|
+
contains_secrets: false,
|
|
106
|
+
response_content: '',
|
|
107
|
+
};
|
|
108
|
+
// Should allow when threat_count < 5
|
|
109
|
+
const allowDecision = engine.evaluate({
|
|
110
|
+
principal: newEntityUID('Overwatch::User', 'mcp_client'),
|
|
111
|
+
action: 'Overwatch::Action::"call_tool"',
|
|
112
|
+
resource: newEntityUID('Overwatch::Tool', 'shell'),
|
|
113
|
+
context: { ...baseContext, threat_count: 3 },
|
|
114
|
+
entities,
|
|
115
|
+
});
|
|
116
|
+
expect(allowDecision.effect).toBe('Allow');
|
|
117
|
+
// Should deny when threat_count >= 5 (no matching permit)
|
|
118
|
+
const denyDecision = engine.evaluate({
|
|
119
|
+
principal: newEntityUID('Overwatch::User', 'mcp_client'),
|
|
120
|
+
action: 'Overwatch::Action::"call_tool"',
|
|
121
|
+
resource: newEntityUID('Overwatch::Tool', 'shell'),
|
|
122
|
+
context: { ...baseContext, threat_count: 10 },
|
|
123
|
+
entities,
|
|
124
|
+
});
|
|
125
|
+
expect(denyDecision.effect).toBe('Deny');
|
|
126
|
+
});
|
|
127
|
+
/**
|
|
128
|
+
* Test 3: Full Round-Trip for Palisade
|
|
129
|
+
*
|
|
130
|
+
* Same flow but for Palisade ML security policies.
|
|
131
|
+
*/
|
|
132
|
+
it('should complete full policy lifecycle for Palisade', () => {
|
|
133
|
+
// Step 1: Create a forbid policy for CRITICAL findings
|
|
134
|
+
const policy = PolicyBuilder.forbid()
|
|
135
|
+
.principalType('Palisade::Scanner')
|
|
136
|
+
.action('Palisade::Action::"load_model"')
|
|
137
|
+
.resourceType('Palisade::Artifact')
|
|
138
|
+
.whenRaw('context.severity == "CRITICAL"')
|
|
139
|
+
.build();
|
|
140
|
+
const cedarText = policy.toCedar();
|
|
141
|
+
// Step 2: Validate
|
|
142
|
+
const validator = new PolicyValidator(PALISADE_SCHEMA);
|
|
143
|
+
expect(validator.validate(cedarText).valid).toBe(true);
|
|
144
|
+
// Step 3: Evaluate
|
|
145
|
+
const engine = new PolicyEngine({ schema: PALISADE_SCHEMA });
|
|
146
|
+
engine.loadPolicies(cedarText);
|
|
147
|
+
const entities = [
|
|
148
|
+
newEntity('Palisade::Scanner', 'palisade', { scanner_type: 'ml' }),
|
|
149
|
+
newEntity('Palisade::Artifact', 'model.pkl', {
|
|
150
|
+
artifact_format: 'pickle',
|
|
151
|
+
path: '/model.pkl',
|
|
152
|
+
signed: false,
|
|
153
|
+
signer: 'unsigned',
|
|
154
|
+
}),
|
|
155
|
+
];
|
|
156
|
+
// Should deny CRITICAL findings
|
|
157
|
+
const decision = engine.evaluate({
|
|
158
|
+
principal: newEntityUID('Palisade::Scanner', 'palisade'),
|
|
159
|
+
action: 'Palisade::Action::"load_model"',
|
|
160
|
+
resource: newEntityUID('Palisade::Artifact', 'model.pkl'),
|
|
161
|
+
context: { severity: 'CRITICAL' },
|
|
162
|
+
entities,
|
|
163
|
+
});
|
|
164
|
+
expect(decision.effect).toBe('Deny');
|
|
165
|
+
});
|
|
166
|
+
/**
|
|
167
|
+
* Test 4: Entity Metadata for UI Dropdowns - Overwatch
|
|
168
|
+
*
|
|
169
|
+
* Studio UI needs to know which entity types can be principals,
|
|
170
|
+
* which can be resources, and what actions are available.
|
|
171
|
+
* This data is extracted from Cedar schema appliesTo blocks.
|
|
172
|
+
*/
|
|
173
|
+
it('should provide correct entity metadata for Overwatch UI dropdowns', () => {
|
|
174
|
+
// Verify ServiceEntityMetadata structure
|
|
175
|
+
expect(OVERWATCH_ENTITIES.principals).toBeDefined();
|
|
176
|
+
expect(OVERWATCH_ENTITIES.resources).toBeDefined();
|
|
177
|
+
expect(OVERWATCH_ENTITIES.actions).toBeDefined();
|
|
178
|
+
// Overwatch principals should include User and Agent
|
|
179
|
+
expect(OVERWATCH_ENTITIES.principals).toContain('Agent');
|
|
180
|
+
expect(OVERWATCH_ENTITIES.principals).toContain('User');
|
|
181
|
+
expect(OVERWATCH_ENTITIES.principals).toHaveLength(2);
|
|
182
|
+
// Overwatch resources should include all resource types
|
|
183
|
+
expect(OVERWATCH_ENTITIES.resources).toContain('FilePath');
|
|
184
|
+
expect(OVERWATCH_ENTITIES.resources).toContain('LlmPrompt');
|
|
185
|
+
expect(OVERWATCH_ENTITIES.resources).toContain('Server');
|
|
186
|
+
expect(OVERWATCH_ENTITIES.resources).toContain('Tool');
|
|
187
|
+
expect(OVERWATCH_ENTITIES.resources).toHaveLength(4);
|
|
188
|
+
// Overwatch actions should match schema
|
|
189
|
+
expect(OVERWATCH_ENTITIES.actions).toContain('call_tool');
|
|
190
|
+
expect(OVERWATCH_ENTITIES.actions).toContain('connect_server');
|
|
191
|
+
expect(OVERWATCH_ENTITIES.actions).toContain('process_prompt');
|
|
192
|
+
expect(OVERWATCH_ENTITIES.actions).toContain('read_file');
|
|
193
|
+
expect(OVERWATCH_ENTITIES.actions).toContain('write_file');
|
|
194
|
+
expect(OVERWATCH_ENTITIES.actions).toHaveLength(5);
|
|
195
|
+
});
|
|
196
|
+
/**
|
|
197
|
+
* Test 5: Per-Action Entity Mapping - Overwatch
|
|
198
|
+
*
|
|
199
|
+
* Studio UI needs to filter dropdowns based on selected action.
|
|
200
|
+
* Each action has specific valid principals and resources.
|
|
201
|
+
*/
|
|
202
|
+
it('should provide per-action entity mapping for Overwatch', () => {
|
|
203
|
+
// call_tool action should have correct principals and resources
|
|
204
|
+
const callTool = OVERWATCH_ACTION_ENTITIES['call_tool'];
|
|
205
|
+
expect(callTool).toBeDefined();
|
|
206
|
+
expect(callTool.principals).toContain('User');
|
|
207
|
+
expect(callTool.principals).toContain('Agent');
|
|
208
|
+
expect(callTool.resources).toContain('Tool');
|
|
209
|
+
expect(callTool.resources).toContain('FilePath');
|
|
210
|
+
// connect_server action should only apply to Server resource
|
|
211
|
+
const connectServer = OVERWATCH_ACTION_ENTITIES['connect_server'];
|
|
212
|
+
expect(connectServer).toBeDefined();
|
|
213
|
+
expect(connectServer.principals).toContain('User');
|
|
214
|
+
expect(connectServer.principals).toContain('Agent');
|
|
215
|
+
expect(connectServer.resources).toContain('Server');
|
|
216
|
+
expect(connectServer.resources).not.toContain('Tool');
|
|
217
|
+
// process_prompt action should only apply to LlmPrompt resource
|
|
218
|
+
const processPrompt = OVERWATCH_ACTION_ENTITIES['process_prompt'];
|
|
219
|
+
expect(processPrompt).toBeDefined();
|
|
220
|
+
expect(processPrompt.resources).toContain('LlmPrompt');
|
|
221
|
+
expect(processPrompt.resources).not.toContain('Tool');
|
|
222
|
+
// read_file and write_file should apply to FilePath resource
|
|
223
|
+
const readFile = OVERWATCH_ACTION_ENTITIES['read_file'];
|
|
224
|
+
const writeFile = OVERWATCH_ACTION_ENTITIES['write_file'];
|
|
225
|
+
expect(readFile.resources).toContain('FilePath');
|
|
226
|
+
expect(writeFile.resources).toContain('FilePath');
|
|
227
|
+
});
|
|
228
|
+
/**
|
|
229
|
+
* Test 6: Entity Metadata for Palisade
|
|
230
|
+
*
|
|
231
|
+
* Verify Palisade service also has correct entity metadata.
|
|
232
|
+
*/
|
|
233
|
+
it('should provide correct entity metadata for Palisade UI dropdowns', () => {
|
|
234
|
+
// Palisade has Scanner as principal
|
|
235
|
+
expect(PALISADE_ENTITIES.principals).toContain('Scanner');
|
|
236
|
+
// Palisade resources include Artifact and Package
|
|
237
|
+
expect(PALISADE_ENTITIES.resources).toContain('Artifact');
|
|
238
|
+
expect(PALISADE_ENTITIES.resources).toContain('Package');
|
|
239
|
+
// Palisade actions
|
|
240
|
+
expect(PALISADE_ENTITIES.actions).toContain('load_model');
|
|
241
|
+
expect(PALISADE_ENTITIES.actions).toContain('scan_artifact');
|
|
242
|
+
expect(PALISADE_ENTITIES.actions).toContain('quarantine_artifact');
|
|
243
|
+
// Per-action mapping - load_model applies to Artifact
|
|
244
|
+
const loadModel = PALISADE_ACTION_ENTITIES['load_model'];
|
|
245
|
+
expect(loadModel).toBeDefined();
|
|
246
|
+
expect(loadModel.principals).toContain('Scanner');
|
|
247
|
+
expect(loadModel.resources).toContain('Artifact');
|
|
248
|
+
// scan_package applies to Package resource
|
|
249
|
+
const scanPackage = PALISADE_ACTION_ENTITIES['scan_package'];
|
|
250
|
+
expect(scanPackage).toBeDefined();
|
|
251
|
+
expect(scanPackage.resources).toContain('Package');
|
|
252
|
+
});
|
|
253
|
+
});
|
|
254
|
+
//# sourceMappingURL=studio-ui.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"studio-ui.test.js","sourceRoot":"","sources":["../src/studio-ui.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAE9C,8DAA8D;AAC9D,OAAO,EAGL,aAAa,EACb,gBAAgB,EAChB,eAAe,EACf,iBAAiB,EAEjB,mBAAmB,EACnB,kBAAkB;AAClB,mCAAmC;AACnC,kBAAkB,EAClB,yBAAyB,EACzB,iBAAiB,EACjB,wBAAwB,GAKzB,MAAM,YAAY,CAAC;AAEpB,wCAAwC;AACxC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,YAAY,EACZ,SAAS,GACV,MAAM,YAAY,CAAC;AAEpB,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C;;;;;OAKG;IACH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,6CAA6C;QAC7C,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,EAAE;aAClC,aAAa,CAAC,MAAM,CAAC;aACrB,MAAM,CAAC,WAAW,CAAC;aACnB,YAAY,CAAC,MAAM,CAAC;aACpB,KAAK,EAAE,CAAC;QAEX,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QAEnC,oDAAoD;QACpD,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,+BAA+B,CAAC,CAAC;QAC7D,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC,CAAE,qBAAqB;IAC9E,CAAC,CAAC,CAAC;IAEH;;;;;OAKG;IACH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,4BAA4B;QAC5B,MAAM,CAAC,OAAO,gBAAgB,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/C,MAAM,CAAC,gBAAgB,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;QAC1D,MAAM,CAAC,OAAO,eAAe,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,CAAC,eAAe,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;QAExD,kDAAkD;QAClD,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACpD,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAE5D,sDAAsD;QACtD,MAAM,cAAc,GAAG,iBAAiB,CAAC,OAAO,CAAC,IAAI,CACnD,CAAC,CAAgB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAC7C,CAAC;QACF,MAAM,CAAC,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,CAAC,cAAe,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAErE,+DAA+D;QAC/D,MAAM,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACvD,MAAM,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC7D,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrD,MAAM,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH;;;;;;;OAOG;IACH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,yCAAyC;QACzC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,EAAE;aAClC,aAAa,CAAC,iBAAiB,CAAC;aAChC,MAAM,CAAC,gCAAgC,CAAC;aACxC,YAAY,CAAC,iBAAiB,CAAC;aAC/B,OAAO,CAAC,0BAA0B,CAAC;aACnC,KAAK,EAAE,CAAC;QAEX,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QACnC,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACtC,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;QAE/C,8CAA8C;QAC9C,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,gBAAgB,CAAC,CAAC;QACxD,MAAM,gBAAgB,GAAG,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACvD,MAAM,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE1C,6CAA6C;QAC7C,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC9D,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QAE/B,MAAM,QAAQ,GAAG;YACf,SAAS,CAAC,iBAAiB,EAAE,YAAY,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;YAChG,SAAS,CAAC,iBAAiB,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;SAClF,CAAC;QAEF,mDAAmD;QACnD,MAAM,WAAW,GAAG;YAClB,OAAO,EAAE,QAAQ;YACjB,MAAM,EAAE,YAAY;YACpB,KAAK,EAAE,YAAY;YACnB,UAAU,EAAE,kBAAkB;YAC9B,SAAS,EAAE,OAAO;YAClB,UAAU,EAAE,YAAY;YACxB,QAAQ,EAAE,OAAO;YACjB,IAAI,EAAE,YAAY;YAClB,GAAG,EAAE,YAAY;YACjB,cAAc,EAAE,YAAY;YAC5B,gBAAgB,EAAE,KAAK;YACvB,iBAAiB,EAAE,EAAE;YACrB,YAAY,EAAE,EAAE;YAChB,YAAY,EAAE,EAAE;YAChB,mBAAmB,EAAE,CAAC;YACtB,gBAAgB,EAAE,KAAK;YACvB,gBAAgB,EAAE,EAAE;SACrB,CAAC;QAEF,qCAAqC;QACrC,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC;YACpC,SAAS,EAAE,YAAY,CAAC,iBAAiB,EAAE,YAAY,CAAC;YACxD,MAAM,EAAE,gCAAgC;YACxC,QAAQ,EAAE,YAAY,CAAC,iBAAiB,EAAE,OAAO,CAAC;YAClD,OAAO,EAAE,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,CAAC,EAAE;YAC5C,QAAQ;SACT,CAAC,CAAC;QACH,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE3C,0DAA0D;QAC1D,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC;YACnC,SAAS,EAAE,YAAY,CAAC,iBAAiB,EAAE,YAAY,CAAC;YACxD,MAAM,EAAE,gCAAgC;YACxC,QAAQ,EAAE,YAAY,CAAC,iBAAiB,EAAE,OAAO,CAAC;YAClD,OAAO,EAAE,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,EAAE,EAAE;YAC7C,QAAQ;SACT,CAAC,CAAC;QACH,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH;;;;OAIG;IACH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,uDAAuD;QACvD,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,EAAE;aAClC,aAAa,CAAC,mBAAmB,CAAC;aAClC,MAAM,CAAC,gCAAgC,CAAC;aACxC,YAAY,CAAC,oBAAoB,CAAC;aAClC,OAAO,CAAC,gCAAgC,CAAC;aACzC,KAAK,EAAE,CAAC;QAEX,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QAEnC,mBAAmB;QACnB,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;QACvD,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEvD,mBAAmB;QACnB,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC,CAAC;QAC7D,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;QAE/B,MAAM,QAAQ,GAAG;YACf,SAAS,CAAC,mBAAmB,EAAE,UAAU,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;YAClE,SAAS,CAAC,oBAAoB,EAAE,WAAW,EAAE;gBAC3C,eAAe,EAAE,QAAQ;gBACzB,IAAI,EAAE,YAAY;gBAClB,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,UAAU;aACnB,CAAC;SACH,CAAC;QAEF,gCAAgC;QAChC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC/B,SAAS,EAAE,YAAY,CAAC,mBAAmB,EAAE,UAAU,CAAC;YACxD,MAAM,EAAE,gCAAgC;YACxC,QAAQ,EAAE,YAAY,CAAC,oBAAoB,EAAE,WAAW,CAAC;YACzD,OAAO,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE;YACjC,QAAQ;SACT,CAAC,CAAC;QACH,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH;;;;;;OAMG;IACH,EAAE,CAAC,mEAAmE,EAAE,GAAG,EAAE;QAC3E,yCAAyC;QACzC,MAAM,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QACnD,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;QAEjD,qDAAqD;QACrD,MAAM,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACzD,MAAM,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACxD,MAAM,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAEtD,wDAAwD;QACxD,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAC3D,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC5D,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACzD,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACvD,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAErD,wCAAwC;QACxC,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAC/D,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAC/D,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAC3D,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH;;;;;OAKG;IACH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,gEAAgE;QAChE,MAAM,QAAQ,GAAG,yBAAyB,CAAC,WAAW,CAAC,CAAC;QACxD,MAAM,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;QAC/B,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAC9C,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAEjD,6DAA6D;QAC7D,MAAM,aAAa,GAAG,yBAAyB,CAAC,gBAAgB,CAAC,CAAC;QAClE,MAAM,CAAC,aAAa,CAAC,CAAC,WAAW,EAAE,CAAC;QACpC,MAAM,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACnD,MAAM,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAEtD,gEAAgE;QAChE,MAAM,aAAa,GAAG,yBAAyB,CAAC,gBAAgB,CAAC,CAAC;QAClE,MAAM,CAAC,aAAa,CAAC,CAAC,WAAW,EAAE,CAAC;QACpC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACvD,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAEtD,6DAA6D;QAC7D,MAAM,QAAQ,GAAG,yBAAyB,CAAC,WAAW,CAAC,CAAC;QACxD,MAAM,SAAS,GAAG,yBAAyB,CAAC,YAAY,CAAC,CAAC;QAC1D,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACjD,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH;;;;OAIG;IACH,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,oCAAoC;QACpC,MAAM,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAE1D,kDAAkD;QAClD,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAC1D,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAEzD,mBAAmB;QACnB,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAC1D,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAC7D,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;QAEnE,sDAAsD;QACtD,MAAM,SAAS,GAAG,wBAAwB,CAAC,YAAY,CAAC,CAAC;QACzD,MAAM,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QAChC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAClD,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAElD,2CAA2C;QAC3C,MAAM,WAAW,GAAG,wBAAwB,CAAC,cAAc,CAAC,CAAC;QAC7D,MAAM,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;QAClC,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
package/dist/types.d.ts
CHANGED
|
@@ -4,4 +4,11 @@ export * from './context.gen.js';
|
|
|
4
4
|
export * from './schema.gen.js';
|
|
5
5
|
export * from './builder.js';
|
|
6
6
|
export * from './errors.js';
|
|
7
|
+
export { OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
|
|
8
|
+
export type { ContextAttribute, ActionContext, ServiceContext, } from './service-schemas.gen.js';
|
|
9
|
+
export { OverwatchContextKey } from './overwatch-context.gen.js';
|
|
10
|
+
export { PalisadeContextKey } from './palisade-context.gen.js';
|
|
11
|
+
export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';
|
|
12
|
+
export { PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './palisade-entities.gen.js';
|
|
13
|
+
export type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
|
|
7
14
|
//# sourceMappingURL=types.d.ts.map
|
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAQA,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,cAAc,CAAC;AAG7B,cAAc,aAAa,CAAC"}
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAQA,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAGhC,cAAc,cAAc,CAAC;AAG7B,cAAc,aAAa,CAAC;AAG5B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EACf,gBAAgB,GACjB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,gBAAgB,EAChB,aAAa,EACb,cAAc,GACf,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAG/D,OAAO,EACL,kBAAkB,EAClB,yBAAyB,GAC1B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,4BAA4B,CAAC;AACpC,YAAY,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC"}
|
package/dist/types.js
CHANGED
|
@@ -13,4 +13,12 @@ export * from './schema.gen.js';
|
|
|
13
13
|
export * from './builder.js';
|
|
14
14
|
// Error types - works in browser (no WASM dependency)
|
|
15
15
|
export * from './errors.js';
|
|
16
|
+
// Service-specific schemas and context (inlined, browser-safe)
|
|
17
|
+
export { OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
|
|
18
|
+
// Service-specific context key enums
|
|
19
|
+
export { OverwatchContextKey } from './overwatch-context.gen.js';
|
|
20
|
+
export { PalisadeContextKey } from './palisade-context.gen.js';
|
|
21
|
+
// Service-specific entity metadata (for UI - principals, resources, actions)
|
|
22
|
+
export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';
|
|
23
|
+
export { PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './palisade-entities.gen.js';
|
|
16
24
|
//# sourceMappingURL=types.js.map
|
package/dist/types.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AACvC,EAAE;AACF,6CAA6C;AAC7C,gDAAgD;AAChD,yEAAyE;AAEzE,gDAAgD;AAChD,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAEhC,wDAAwD;AACxD,cAAc,cAAc,CAAC;AAE7B,sDAAsD;AACtD,cAAc,aAAa,CAAC"}
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,uCAAuC;AACvC,EAAE;AACF,6CAA6C;AAC7C,gDAAgD;AAChD,yEAAyE;AAEzE,gDAAgD;AAChD,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAEhC,wDAAwD;AACxD,cAAc,cAAc,CAAC;AAE7B,sDAAsD;AACtD,cAAc,aAAa,CAAC;AAE5B,+DAA+D;AAC/D,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EACf,gBAAgB,GACjB,MAAM,0BAA0B,CAAC;AAOlC,qCAAqC;AACrC,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAE/D,6EAA6E;AAC7E,OAAO,EACL,kBAAkB,EAClB,yBAAyB,GAC1B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,4BAA4B,CAAC"}
|
package/package.json
CHANGED
package/src/builder.ts
CHANGED
|
@@ -25,6 +25,20 @@
|
|
|
25
25
|
import { EntityType, EntityUID } from './entities.gen.js';
|
|
26
26
|
import { ActionType } from './actions.gen.js';
|
|
27
27
|
|
|
28
|
+
/**
|
|
29
|
+
* Format an action string for Cedar policy text.
|
|
30
|
+
* Detects if action is already namespaced (contains 'Action::"') and preserves it,
|
|
31
|
+
* otherwise wraps with Action::"...".
|
|
32
|
+
*/
|
|
33
|
+
function formatAction(action: string): string {
|
|
34
|
+
if (action.includes('Action::"')) {
|
|
35
|
+
// Already namespaced (e.g., 'Overwatch::Action::"call_tool"')
|
|
36
|
+
return action;
|
|
37
|
+
}
|
|
38
|
+
// Non-namespaced, wrap with Action::"..."
|
|
39
|
+
return `Action::"${action}"`;
|
|
40
|
+
}
|
|
41
|
+
|
|
28
42
|
/**
|
|
29
43
|
* Policy effect - permit or forbid
|
|
30
44
|
*/
|
|
@@ -163,13 +177,13 @@ export class Policy {
|
|
|
163
177
|
// Action
|
|
164
178
|
if (Array.isArray(this.data.action)) {
|
|
165
179
|
if (this.data.action.length === 1) {
|
|
166
|
-
policyLine += `,\n action ==
|
|
180
|
+
policyLine += `,\n action == ${formatAction(this.data.action[0])}`;
|
|
167
181
|
} else {
|
|
168
|
-
const actions = this.data.action.map(a =>
|
|
182
|
+
const actions = this.data.action.map(a => formatAction(a)).join(', ');
|
|
169
183
|
policyLine += `,\n action in [${actions}]`;
|
|
170
184
|
}
|
|
171
185
|
} else {
|
|
172
|
-
policyLine += `,\n action ==
|
|
186
|
+
policyLine += `,\n action == ${formatAction(this.data.action)}`;
|
|
173
187
|
}
|
|
174
188
|
|
|
175
189
|
// Resource
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
// Code generated by highflame-policy-codegen. DO NOT EDIT.
|
|
2
|
+
|
|
3
|
+
/**
|
|
4
|
+
* Entity metadata for a service, extracted from Cedar schema appliesTo blocks.
|
|
5
|
+
* Used by Studio UI to populate dropdowns in policy editor.
|
|
6
|
+
*/
|
|
7
|
+
export interface ServiceEntityMetadata {
|
|
8
|
+
readonly principals: readonly string[];
|
|
9
|
+
readonly resources: readonly string[];
|
|
10
|
+
readonly actions: readonly string[];
|
|
11
|
+
}
|
|
12
|
+
|
|
13
|
+
/**
|
|
14
|
+
* Entity metadata for a specific action.
|
|
15
|
+
*/
|
|
16
|
+
export interface ActionEntityMetadata {
|
|
17
|
+
readonly principals: readonly string[];
|
|
18
|
+
readonly resources: readonly string[];
|
|
19
|
+
}
|
package/src/index.ts
CHANGED
|
@@ -14,3 +14,31 @@ export * from './engine.js';
|
|
|
14
14
|
export * from './builder.js';
|
|
15
15
|
export * from './parser.js';
|
|
16
16
|
export * from './errors.js';
|
|
17
|
+
|
|
18
|
+
// Service-specific schemas and context (inlined)
|
|
19
|
+
export {
|
|
20
|
+
OVERWATCH_SCHEMA,
|
|
21
|
+
OVERWATCH_CONTEXT,
|
|
22
|
+
PALISADE_SCHEMA,
|
|
23
|
+
PALISADE_CONTEXT,
|
|
24
|
+
} from './service-schemas.gen.js';
|
|
25
|
+
export type {
|
|
26
|
+
ContextAttribute,
|
|
27
|
+
ActionContext,
|
|
28
|
+
ServiceContext,
|
|
29
|
+
} from './service-schemas.gen.js';
|
|
30
|
+
|
|
31
|
+
// Service-specific context key enums
|
|
32
|
+
export { OverwatchContextKey } from './overwatch-context.gen.js';
|
|
33
|
+
export { PalisadeContextKey } from './palisade-context.gen.js';
|
|
34
|
+
|
|
35
|
+
// Service-specific entity metadata (for UI - principals, resources, actions)
|
|
36
|
+
export {
|
|
37
|
+
OVERWATCH_ENTITIES,
|
|
38
|
+
OVERWATCH_ACTION_ENTITIES,
|
|
39
|
+
} from './overwatch-entities.gen.js';
|
|
40
|
+
export {
|
|
41
|
+
PALISADE_ENTITIES,
|
|
42
|
+
PALISADE_ACTION_ENTITIES,
|
|
43
|
+
} from './palisade-entities.gen.js';
|
|
44
|
+
export type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
|
|
@@ -12,7 +12,6 @@ export const OverwatchContextKey = {
|
|
|
12
12
|
Content: 'content',
|
|
13
13
|
Cwd: 'cwd',
|
|
14
14
|
Event: 'event',
|
|
15
|
-
FilePath: 'file_path',
|
|
16
15
|
HighestSeverity: 'highest_severity',
|
|
17
16
|
MaxThreatSeverity: 'max_threat_severity',
|
|
18
17
|
McpServer: 'mcp_server',
|
|
@@ -20,7 +19,6 @@ export const OverwatchContextKey = {
|
|
|
20
19
|
Path: 'path',
|
|
21
20
|
PromptText: 'prompt_text',
|
|
22
21
|
ResponseContent: 'response_content',
|
|
23
|
-
ServerName: 'server_name',
|
|
24
22
|
Source: 'source',
|
|
25
23
|
ThreatCategories: 'threat_categories',
|
|
26
24
|
ThreatCount: 'threat_count',
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
// Code generated by highflame-policy-codegen. DO NOT EDIT.
|
|
2
|
+
// Source: schemas/overwatch/schema.cedarschema
|
|
3
|
+
|
|
4
|
+
import type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
|
|
5
|
+
|
|
6
|
+
/**
|
|
7
|
+
* Overwatch entity metadata for UI components.
|
|
8
|
+
* Extracted from Cedar schema appliesTo blocks.
|
|
9
|
+
*/
|
|
10
|
+
export const OVERWATCH_ENTITIES: ServiceEntityMetadata = {
|
|
11
|
+
principals: ['Agent', 'User'],
|
|
12
|
+
resources: ['FilePath', 'LlmPrompt', 'Server', 'Tool'],
|
|
13
|
+
actions: ['call_tool', 'connect_server', 'process_prompt', 'read_file', 'write_file'],
|
|
14
|
+
} as const;
|
|
15
|
+
|
|
16
|
+
/**
|
|
17
|
+
* Per-action entity mapping for Overwatch.
|
|
18
|
+
* Maps action names to their valid principals and resources.
|
|
19
|
+
*/
|
|
20
|
+
export const OVERWATCH_ACTION_ENTITIES: Record<string, ActionEntityMetadata> = {
|
|
21
|
+
'call_tool': {
|
|
22
|
+
principals: ['User', 'Agent'],
|
|
23
|
+
resources: ['Tool', 'FilePath'],
|
|
24
|
+
},
|
|
25
|
+
'connect_server': {
|
|
26
|
+
principals: ['User', 'Agent'],
|
|
27
|
+
resources: ['Server'],
|
|
28
|
+
},
|
|
29
|
+
'process_prompt': {
|
|
30
|
+
principals: ['User', 'Agent'],
|
|
31
|
+
resources: ['LlmPrompt'],
|
|
32
|
+
},
|
|
33
|
+
'read_file': {
|
|
34
|
+
principals: ['User', 'Agent'],
|
|
35
|
+
resources: ['FilePath'],
|
|
36
|
+
},
|
|
37
|
+
'write_file': {
|
|
38
|
+
principals: ['User', 'Agent'],
|
|
39
|
+
resources: ['FilePath'],
|
|
40
|
+
},
|
|
41
|
+
} as const;
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
// Code generated by highflame-policy-codegen. DO NOT EDIT.
|
|
2
|
+
// Source: schemas/palisade/schema.cedarschema
|
|
3
|
+
|
|
4
|
+
import type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
|
|
5
|
+
|
|
6
|
+
/**
|
|
7
|
+
* Palisade entity metadata for UI components.
|
|
8
|
+
* Extracted from Cedar schema appliesTo blocks.
|
|
9
|
+
*/
|
|
10
|
+
export const PALISADE_ENTITIES: ServiceEntityMetadata = {
|
|
11
|
+
principals: ['Scanner'],
|
|
12
|
+
resources: ['Artifact', 'Package'],
|
|
13
|
+
actions: ['deploy_model', 'load_model', 'quarantine_artifact', 'scan_artifact', 'scan_package', 'validate_integrity', 'validate_provenance'],
|
|
14
|
+
} as const;
|
|
15
|
+
|
|
16
|
+
/**
|
|
17
|
+
* Per-action entity mapping for Palisade.
|
|
18
|
+
* Maps action names to their valid principals and resources.
|
|
19
|
+
*/
|
|
20
|
+
export const PALISADE_ACTION_ENTITIES: Record<string, ActionEntityMetadata> = {
|
|
21
|
+
'deploy_model': {
|
|
22
|
+
principals: ['Scanner'],
|
|
23
|
+
resources: ['Artifact'],
|
|
24
|
+
},
|
|
25
|
+
'load_model': {
|
|
26
|
+
principals: ['Scanner'],
|
|
27
|
+
resources: ['Artifact'],
|
|
28
|
+
},
|
|
29
|
+
'quarantine_artifact': {
|
|
30
|
+
principals: ['Scanner'],
|
|
31
|
+
resources: ['Artifact'],
|
|
32
|
+
},
|
|
33
|
+
'scan_artifact': {
|
|
34
|
+
principals: ['Scanner'],
|
|
35
|
+
resources: ['Artifact'],
|
|
36
|
+
},
|
|
37
|
+
'scan_package': {
|
|
38
|
+
principals: ['Scanner'],
|
|
39
|
+
resources: ['Package'],
|
|
40
|
+
},
|
|
41
|
+
'validate_integrity': {
|
|
42
|
+
principals: ['Scanner'],
|
|
43
|
+
resources: ['Artifact'],
|
|
44
|
+
},
|
|
45
|
+
'validate_provenance': {
|
|
46
|
+
principals: ['Scanner'],
|
|
47
|
+
resources: ['Artifact'],
|
|
48
|
+
},
|
|
49
|
+
} as const;
|
package/src/schemas.test.ts
CHANGED
|
@@ -205,9 +205,7 @@ describe('Service-Specific Schemas', () => {
|
|
|
205
205
|
tool_name: 'shell',
|
|
206
206
|
mcp_server: 'filesystem',
|
|
207
207
|
mcp_tool: 'shell',
|
|
208
|
-
server_name: 'filesystem',
|
|
209
208
|
path: '/workspace',
|
|
210
|
-
file_path: '/workspace',
|
|
211
209
|
cwd: '/workspace',
|
|
212
210
|
workspace_root: '/workspace',
|
|
213
211
|
threat_count: 3,
|
|
@@ -388,9 +386,7 @@ describe('Service-Specific Schemas', () => {
|
|
|
388
386
|
tool_name: 'shell',
|
|
389
387
|
mcp_server: 'filesystem',
|
|
390
388
|
mcp_tool: 'shell',
|
|
391
|
-
server_name: 'filesystem',
|
|
392
389
|
path: '/etc/passwd',
|
|
393
|
-
file_path: '/etc/passwd',
|
|
394
390
|
cwd: '/workspace',
|
|
395
391
|
workspace_root: '/workspace',
|
|
396
392
|
threat_count: 5,
|