npm - @highflame/policy - Versions diffs - 2.0.7 → 2.0.9 - Mend

@highflame/policy 2.0.7 → 2.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (128) hide show

package/_schemas/overwatch/context.json +163 -1
package/_schemas/overwatch/schema.cedarschema +45 -0
package/dist/actions.gen.d.ts +0 -1
package/dist/actions.gen.js +0 -1
package/dist/annotations.d.ts +0 -1
package/dist/annotations.js +0 -1
package/dist/builder.d.ts +0 -1
package/dist/builder.js +0 -1
package/dist/context.gen.d.ts +0 -1
package/dist/context.gen.js +0 -1
package/dist/engine.d.ts +0 -1
package/dist/engine.js +0 -1
package/dist/entities.gen.d.ts +0 -1
package/dist/entities.gen.js +0 -1
package/dist/entity-metadata-types.gen.d.ts +0 -1
package/dist/entity-metadata-types.gen.js +0 -1
package/dist/errors.d.ts +0 -1
package/dist/errors.js +0 -1
package/dist/index.d.ts +0 -1
package/dist/index.js +0 -1
package/dist/overwatch-context.gen.d.ts +13 -1
package/dist/overwatch-context.gen.js +13 -1
package/dist/overwatch-defaults.gen.d.ts +1 -2
package/dist/overwatch-defaults.gen.js +346 -2
package/dist/overwatch-entities.gen.d.ts +0 -1
package/dist/overwatch-entities.gen.js +0 -1
package/dist/palisade-context.gen.d.ts +0 -1
package/dist/palisade-context.gen.js +0 -1
package/dist/palisade-entities.gen.d.ts +0 -1
package/dist/palisade-entities.gen.js +0 -1
package/dist/parser.d.ts +0 -1
package/dist/parser.js +0 -1
package/dist/schema.gen.d.ts +0 -1
package/dist/schema.gen.js +0 -1
package/dist/schemas.d.ts +0 -1
package/dist/schemas.js +0 -1
package/dist/service-schemas.gen.d.ts +0 -1
package/dist/service-schemas.gen.js +0 -1
package/dist/types.d.ts +0 -1
package/dist/types.js +0 -1
package/package.json +1 -2
package/dist/actions.gen.d.ts.map +0 -1
package/dist/actions.gen.js.map +0 -1
package/dist/annotations.d.ts.map +0 -1
package/dist/annotations.js.map +0 -1
package/dist/builder.d.ts.map +0 -1
package/dist/builder.js.map +0 -1
package/dist/context.gen.d.ts.map +0 -1
package/dist/context.gen.js.map +0 -1
package/dist/engine.d.ts.map +0 -1
package/dist/engine.js.map +0 -1
package/dist/engine.test.d.ts +0 -8
package/dist/engine.test.d.ts.map +0 -1
package/dist/engine.test.js +0 -190
package/dist/engine.test.js.map +0 -1
package/dist/entities.gen.d.ts.map +0 -1
package/dist/entities.gen.js.map +0 -1
package/dist/entity-metadata-types.gen.d.ts.map +0 -1
package/dist/entity-metadata-types.gen.js.map +0 -1
package/dist/errors.d.ts.map +0 -1
package/dist/errors.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/overwatch-context.gen.d.ts.map +0 -1
package/dist/overwatch-context.gen.js.map +0 -1
package/dist/overwatch-defaults.gen.d.ts.map +0 -1
package/dist/overwatch-defaults.gen.js.map +0 -1
package/dist/overwatch-defaults.test.d.ts +0 -8
package/dist/overwatch-defaults.test.d.ts.map +0 -1
package/dist/overwatch-defaults.test.js +0 -145
package/dist/overwatch-defaults.test.js.map +0 -1
package/dist/overwatch-entities.gen.d.ts.map +0 -1
package/dist/overwatch-entities.gen.js.map +0 -1
package/dist/overwatch-rebac.test.d.ts +0 -25
package/dist/overwatch-rebac.test.d.ts.map +0 -1
package/dist/overwatch-rebac.test.js +0 -301
package/dist/overwatch-rebac.test.js.map +0 -1
package/dist/palisade-context.gen.d.ts.map +0 -1
package/dist/palisade-context.gen.js.map +0 -1
package/dist/palisade-entities.gen.d.ts.map +0 -1
package/dist/palisade-entities.gen.js.map +0 -1
package/dist/parser.d.ts.map +0 -1
package/dist/parser.js.map +0 -1
package/dist/parser.test.d.ts +0 -8
package/dist/parser.test.d.ts.map +0 -1
package/dist/parser.test.js +0 -212
package/dist/parser.test.js.map +0 -1
package/dist/schema.gen.d.ts.map +0 -1
package/dist/schema.gen.js.map +0 -1
package/dist/schemas.d.ts.map +0 -1
package/dist/schemas.js.map +0 -1
package/dist/schemas.test.d.ts +0 -8
package/dist/schemas.test.d.ts.map +0 -1
package/dist/schemas.test.js +0 -375
package/dist/schemas.test.js.map +0 -1
package/dist/service-schemas.gen.d.ts.map +0 -1
package/dist/service-schemas.gen.js.map +0 -1
package/dist/studio-ui.test.d.ts +0 -8
package/dist/studio-ui.test.d.ts.map +0 -1
package/dist/studio-ui.test.js +0 -687
package/dist/studio-ui.test.js.map +0 -1
package/dist/types.d.ts.map +0 -1
package/dist/types.js.map +0 -1
package/src/actions.gen.ts +0 -57
package/src/annotations.ts +0 -243
package/src/builder.ts +0 -799
package/src/context.gen.ts +0 -10
package/src/engine.test.ts +0 -370
package/src/engine.ts +0 -497
package/src/entities.gen.ts +0 -65
package/src/entity-metadata-types.gen.ts +0 -19
package/src/errors.ts +0 -195
package/src/index.ts +0 -62
package/src/overwatch-context.gen.ts +0 -32
package/src/overwatch-defaults.gen.ts +0 -907
package/src/overwatch-defaults.test.ts +0 -176
package/src/overwatch-entities.gen.ts +0 -41
package/src/overwatch-rebac.test.ts +0 -346
package/src/palisade-context.gen.ts +0 -28
package/src/palisade-entities.gen.ts +0 -49
package/src/parser.test.ts +0 -251
package/src/parser.ts +0 -579
package/src/schema.gen.ts +0 -134
package/src/schemas.test.ts +0 -445
package/src/schemas.ts +0 -91
package/src/service-schemas.gen.ts +0 -608
package/src/studio-ui.test.ts +0 -813
package/src/types.ts +0 -66

package/src/context.gen.ts DELETED Viewed

@@ -1,10 +0,0 @@
-// Code generated by highflame-policy-codegen. DO NOT EDIT.
-// Source: schema/context.yaml
-/**
- * Context attribute keys for Cedar policy evaluation.
- */
-export const ContextKey = {
-} as const;
-export type ContextKey = (typeof ContextKey)[keyof typeof ContextKey];

package/src/engine.test.ts DELETED Viewed

@@ -1,370 +0,0 @@
-/**
- * Engine unit tests
- *
- * Tests the PolicyEngine evaluate() function.
- * These tests are consistent across Go, TypeScript, and Python SDKs.
- */
-import { describe, it, expect, beforeEach } from 'vitest';
-import {
-  PolicyEngine,
-  Decision,
-  EntityType,
-  ActionType,
-  InputValidationError,
-  DEFAULT_LIMITS,
-} from './index.js';
-describe('PolicyEngine', () => {
-  let engine: PolicyEngine;
-  const permitAllPolicy = `
-    permit(principal, action, resource);
-  `;
-  const denyAllPolicy = `
-    forbid(principal, action, resource);
-  `;
-  // Simple context-based policy without action constraint for testing context evaluation
-  const contextBasedPolicy = `
-    @id("allow-production")
-    permit(
-      principal,
-      action,
-      resource
-    )
-    when { context.environment == "production" };
-    @id("deny-all")
-    forbid(principal, action, resource);
-  `;
-  beforeEach(() => {
-    engine = new PolicyEngine();
-  });
-  describe('basic evaluation', () => {
-    it('should allow when permit policy matches', () => {
-      engine.loadPolicy(permitAllPolicy);
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test-scanner',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors'
-      );
-      expect(decision.effect).toBe('Allow');
-    });
-    it('should deny when forbid policy matches', () => {
-      engine.loadPolicy(denyAllPolicy);
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test-scanner',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors'
-      );
-      expect(decision.effect).toBe('Deny');
-    });
-    it('should deny when no policies match (default deny)', () => {
-      engine.loadPolicy(''); // No policies
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test-scanner',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors'
-      );
-      expect(decision.effect).toBe('Deny');
-    });
-  });
-  describe('context-based evaluation', () => {
-    beforeEach(() => {
-      engine.loadPolicy(contextBasedPolicy);
-    });
-    it('should allow when context matches permit condition', () => {
-      // Use simple permit policy to test context evaluation in isolation
-      const simplePermitPolicy = `
-        permit(principal, action, resource)
-        when { context.environment == "production" };
-      `;
-      const testEngine = new PolicyEngine();
-      testEngine.loadPolicy(simplePermitPolicy);
-      const decision = testEngine.evaluateSimple(
-        EntityType.Scanner,
-        'palisade',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors',
-        { environment: 'production' }
-      );
-      expect(decision.effect).toBe('Allow');
-    });
-    it('should deny when context does not match permit condition', () => {
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'palisade',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors',
-        { environment: 'development' }
-      );
-      expect(decision.effect).toBe('Deny');
-    });
-    it('should deny when context is missing required field', () => {
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'palisade',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors',
-        {} // Missing environment
-      );
-      expect(decision.effect).toBe('Deny');
-    });
-  });
-  describe('input validation', () => {
-    beforeEach(() => {
-      engine.loadPolicy(permitAllPolicy);
-    });
-    it('should accept valid context', () => {
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors',
-        {
-          environment: 'production',
-          severity: 'HIGH',
-          count: 42,
-          enabled: true,
-        }
-      );
-      expect(decision.effect).toBe('Allow');
-    });
-    it('should reject context with too many keys', () => {
-      const engine = new PolicyEngine({ limits: { maxContextKeys: 5 } });
-      engine.loadPolicy(permitAllPolicy);
-      const bigContext: Record<string, unknown> = {};
-      for (let i = 0; i < 10; i++) {
-        bigContext[`key${i}`] = 'value';
-      }
-      expect(() => {
-        engine.evaluateSimple(
-          EntityType.Scanner,
-          'test',
-          ActionType.ScanArtifact,
-          EntityType.Artifact,
-          '/model.safetensors',
-          bigContext
-        );
-      }).toThrow(InputValidationError);
-    });
-    it('should reject context with too long strings', () => {
-      const engine = new PolicyEngine({ limits: { maxStringLength: 100 } });
-      engine.loadPolicy(permitAllPolicy);
-      const longString = 'x'.repeat(200);
-      expect(() => {
-        engine.evaluateSimple(
-          EntityType.Scanner,
-          'test',
-          ActionType.ScanArtifact,
-          EntityType.Artifact,
-          '/model.safetensors',
-          { value: longString }
-        );
-      }).toThrow(InputValidationError);
-    });
-    it('should reject deeply nested context', () => {
-      const engine = new PolicyEngine({ limits: { maxNestingDepth: 3 } });
-      engine.loadPolicy(permitAllPolicy);
-      const deepContext = {
-        level1: {
-          level2: {
-            level3: {
-              level4: {
-                level5: 'too deep',
-              },
-            },
-          },
-        },
-      };
-      expect(() => {
-        engine.evaluateSimple(
-          EntityType.Scanner,
-          'test',
-          ActionType.ScanArtifact,
-          EntityType.Artifact,
-          '/model.safetensors',
-          deepContext
-        );
-      }).toThrow(InputValidationError);
-    });
-    it('should allow skipping validation', () => {
-      const engine = new PolicyEngine({
-        skipValidation: true,
-        limits: { maxContextKeys: 1 },
-      });
-      engine.loadPolicy(permitAllPolicy);
-      // This would normally fail validation
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors',
-        { key1: 'value1', key2: 'value2', key3: 'value3' }
-      );
-      expect(decision.effect).toBe('Allow');
-    });
-  });
-  describe('complex context types', () => {
-    beforeEach(() => {
-      engine.loadPolicy(permitAllPolicy);
-    });
-    it('should handle array context values', () => {
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors',
-        { threats: ['malware', 'backdoor', 'injection'] }
-      );
-      expect(decision.effect).toBe('Allow');
-    });
-    it('should handle nested object context', () => {
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors',
-        {
-          metadata: {
-            format: 'safetensors',
-            size: 1024,
-          },
-        }
-      );
-      expect(decision.effect).toBe('Allow');
-    });
-    it('should handle empty context', () => {
-      // Cedar doesn't have null values - this tests that empty context works
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors',
-        {}
-      );
-      expect(decision.effect).toBe('Allow');
-    });
-    it('should handle boolean context values', () => {
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors',
-        { is_signed: true, is_malicious: false }
-      );
-      expect(decision.effect).toBe('Allow');
-    });
-    it('should handle integer context values', () => {
-      // Cedar uses Long type for numbers (integers only, no floats)
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors',
-        { severity_score: 7, count: 100 }
-      );
-      expect(decision.effect).toBe('Allow');
-    });
-  });
-  describe('error handling', () => {
-    it('should handle invalid policy syntax gracefully', () => {
-      const invalidPolicy = `permit(principal, action, resource`; // Missing closing paren
-      expect(() => {
-        engine.loadPolicy(invalidPolicy);
-        engine.evaluateSimple(
-          EntityType.Scanner,
-          'test',
-          ActionType.ScanArtifact,
-          EntityType.Artifact,
-          '/model.safetensors'
-        );
-      }).not.toThrow();
-      // Should return deny with reason
-      engine.loadPolicy(invalidPolicy);
-      const decision = engine.evaluateSimple(
-        EntityType.Scanner,
-        'test',
-        ActionType.ScanArtifact,
-        EntityType.Artifact,
-        '/model.safetensors'
-      );
-      expect(decision.effect).toBe('Deny');
-    });
-  });
-  describe('DEFAULT_LIMITS', () => {
-    it('should have consistent default values', () => {
-      expect(DEFAULT_LIMITS.maxContextKeys).toBe(100);
-      expect(DEFAULT_LIMITS.maxStringLength).toBe(1_000_000);
-      expect(DEFAULT_LIMITS.maxNestingDepth).toBe(10);
-      expect(DEFAULT_LIMITS.maxContextSizeBytes).toBe(10_000_000);
-    });
-  });
-});