@highflame/policy 2.0.8 → 2.0.9

package/dist/studio-ui.test.js

@@ -1,687 +0,0 @@
-/**
- * Studio UI Integration Tests
- *
- * These tests simulate exactly how the Studio UI (Overwatch admin dashboard)
- * will use the @highflame/policy npm package.
- */
-import { describe, it, expect } from 'vitest';
-// Browser-safe imports (simulating '@highflame/policy/types')
-import { PolicyBuilder, OVERWATCH_SCHEMA, PALISADE_SCHEMA, OVERWATCH_CONTEXT, OverwatchContextKey, PalisadeContextKey, 
-// Entity metadata for UI dropdowns
-OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './types.js';
-// Node.js only imports (for API routes)
-import { PolicyEngine, PolicyValidator, newEntityUID, newEntity, } from './index.js';
-describe('Studio UI Integration Tests', () => {
-    /**
-     * Test: PolicyBuilder action formatting
-     *
-     * Tests that simple action names are properly formatted to Cedar syntax.
-     * This is the "normal approach" for non-namespaced schemas.
-     */
-    it('should format simple action names to Cedar syntax', () => {
-        // Using simple action name (normal approach)
-        const policy = PolicyBuilder.permit()
-            .principalType('User')
-            .action('call_tool')
-            .resourceType('Tool')
-            .build();
-        const cedarText = policy.toCedar();
-        // Simple actions should be wrapped as Action::"..."
-        expect(cedarText).toContain('action == Action::"call_tool"');
-        expect(cedarText).not.toContain('Action::"Action::'); // No double-wrapping
-    });
-    /**
-     * Test 1: Schema and Context Loading
-     *
-     * Studio UI needs to load schemas for validation and context metadata
-     * for populating form dropdowns.
-     */
-    it('should load schemas and context metadata for form builders', () => {
-        // Schemas should be strings
-        expect(typeof OVERWATCH_SCHEMA).toBe('string');
-        expect(OVERWATCH_SCHEMA).toContain('namespace Overwatch');
-        expect(typeof PALISADE_SCHEMA).toBe('string');
-        expect(PALISADE_SCHEMA).toContain('namespace Palisade');
-        // Context metadata should have action definitions
-        expect(OVERWATCH_CONTEXT.service).toBe('overwatch');
-        expect(OVERWATCH_CONTEXT.actions.length).toBeGreaterThan(0);
-        // Find call_tool action and verify context attributes
-        const callToolAction = OVERWATCH_CONTEXT.actions.find((a) => a.name === 'call_tool');
-        expect(callToolAction).toBeDefined();
-        expect(callToolAction.context_attributes.length).toBeGreaterThan(0);
-        // Context keys should be available for type-safe form building
-        expect(OverwatchContextKey.ToolName).toBe('tool_name');
-        expect(OverwatchContextKey.ThreatCount).toBe('threat_count');
-        expect(PalisadeContextKey.Severity).toBe('severity');
-        expect(PalisadeContextKey.Environment).toBe('environment');
-    });
-    /**
-     * Test 2: Full Round-Trip - Create Policy → Validate → Evaluate
-     *
-     * This simulates the complete flow:
-     * 1. User creates a policy using PolicyBuilder in the UI
-     * 2. API validates the policy against the schema
-     * 3. Runtime evaluates the policy
-     */
-    it('should complete full policy lifecycle for Overwatch', () => {
-        // Step 1: User creates policy in form UI
-        const policy = PolicyBuilder.permit()
-            .principalType('Overwatch::User')
-            .action('Overwatch::Action::"call_tool"')
-            .resourceType('Overwatch::Tool')
-            .whenRaw('context.threat_count < 5')
-            .build();
-        const cedarText = policy.toCedar();
-        expect(cedarText).toContain('permit');
-        expect(cedarText).toContain('Overwatch::User');
-        // Step 2: API validates policy against schema
-        const validator = new PolicyValidator(OVERWATCH_SCHEMA);
-        const validationResult = validator.validate(cedarText);
-        expect(validationResult.valid).toBe(true);
-        // Step 3: Runtime loads and evaluates policy
-        const engine = new PolicyEngine({ schema: OVERWATCH_SCHEMA });
-        engine.loadPolicy(cedarText);
-        const entities = [
-            newEntity('Overwatch::User', 'mcp_client', { user_type: 'external', email: 'test@example.com' }),
-            newEntity('Overwatch::Tool', 'shell', { tool_name: 'shell', risk_level: 'high' }),
-        ];
-        // Full context as Guardian will provide at runtime
-        const baseContext = {
-            content: 'ls -la',
-            source: 'claudecode',
-            event: 'PreToolUse',
-            user_email: 'test@example.com',
-            tool_name: 'shell',
-            mcp_server: 'filesystem',
-            mcp_tool: 'shell',
-            path: '/workspace',
-            cwd: '/workspace',
-            workspace_root: '/workspace',
-            highest_severity: 'low',
-            threat_categories: [],
-            yara_threats: [],
-            max_threat_severity: 1,
-            contains_secrets: false,
-            response_content: '',
-        };
-        // Should allow when threat_count < 5
-        const allowDecision = engine.evaluate({
-            principal: newEntityUID('Overwatch::User', 'mcp_client'),
-            action: 'Overwatch::Action::"call_tool"',
-            resource: newEntityUID('Overwatch::Tool', 'shell'),
-            context: { ...baseContext, threat_count: 3 },
-            entities,
-        });
-        expect(allowDecision.effect).toBe('Allow');
-        // Should deny when threat_count >= 5 (no matching permit)
-        const denyDecision = engine.evaluate({
-            principal: newEntityUID('Overwatch::User', 'mcp_client'),
-            action: 'Overwatch::Action::"call_tool"',
-            resource: newEntityUID('Overwatch::Tool', 'shell'),
-            context: { ...baseContext, threat_count: 10 },
-            entities,
-        });
-        expect(denyDecision.effect).toBe('Deny');
-    });
-    /**
-     * Test 3: Full Round-Trip for Palisade
-     *
-     * Same flow but for Palisade ML security policies.
-     */
-    it('should complete full policy lifecycle for Palisade', () => {
-        // Step 1: Create a forbid policy for CRITICAL findings
-        const policy = PolicyBuilder.forbid()
-            .principalType('Palisade::Scanner')
-            .action('Palisade::Action::"load_model"')
-            .resourceType('Palisade::Artifact')
-            .whenRaw('context.severity == "CRITICAL"')
-            .build();
-        const cedarText = policy.toCedar();
-        // Step 2: Validate
-        const validator = new PolicyValidator(PALISADE_SCHEMA);
-        expect(validator.validate(cedarText).valid).toBe(true);
-        // Step 3: Evaluate
-        const engine = new PolicyEngine({ schema: PALISADE_SCHEMA });
-        engine.loadPolicy(cedarText);
-        const entities = [
-            newEntity('Palisade::Scanner', 'palisade', { scanner_type: 'ml' }),
-            newEntity('Palisade::Artifact', 'model.pkl', {
-                artifact_format: 'pickle',
-                path: '/model.pkl',
-                signed: false,
-                signer: 'unsigned',
-            }),
-        ];
-        // Should deny CRITICAL findings
-        const decision = engine.evaluate({
-            principal: newEntityUID('Palisade::Scanner', 'palisade'),
-            action: 'Palisade::Action::"load_model"',
-            resource: newEntityUID('Palisade::Artifact', 'model.pkl'),
-            context: { severity: 'CRITICAL' },
-            entities,
-        });
-        expect(decision.effect).toBe('Deny');
-    });
-    /**
-     * Test 4: Entity Metadata for UI Dropdowns - Overwatch
-     *
-     * Studio UI needs to know which entity types can be principals,
-     * which can be resources, and what actions are available.
-     * This data is extracted from Cedar schema appliesTo blocks.
-     */
-    it('should provide correct entity metadata for Overwatch UI dropdowns', () => {
-        // Verify ServiceEntityMetadata structure
-        expect(OVERWATCH_ENTITIES.principals).toBeDefined();
-        expect(OVERWATCH_ENTITIES.resources).toBeDefined();
-        expect(OVERWATCH_ENTITIES.actions).toBeDefined();
-        // Overwatch principals should include User and Agent
-        expect(OVERWATCH_ENTITIES.principals).toContain('Agent');
-        expect(OVERWATCH_ENTITIES.principals).toContain('User');
-        expect(OVERWATCH_ENTITIES.principals).toHaveLength(2);
-        // Overwatch resources should include all resource types
-        expect(OVERWATCH_ENTITIES.resources).toContain('FilePath');
-        expect(OVERWATCH_ENTITIES.resources).toContain('LlmPrompt');
-        expect(OVERWATCH_ENTITIES.resources).toContain('Server');
-        expect(OVERWATCH_ENTITIES.resources).toContain('Tool');
-        expect(OVERWATCH_ENTITIES.resources).toHaveLength(4);
-        // Overwatch actions should match schema
-        expect(OVERWATCH_ENTITIES.actions).toContain('call_tool');
-        expect(OVERWATCH_ENTITIES.actions).toContain('connect_server');
-        expect(OVERWATCH_ENTITIES.actions).toContain('process_prompt');
-        expect(OVERWATCH_ENTITIES.actions).toContain('read_file');
-        expect(OVERWATCH_ENTITIES.actions).toContain('write_file');
-        expect(OVERWATCH_ENTITIES.actions).toHaveLength(5);
-    });
-    /**
-     * Test 5: Per-Action Entity Mapping - Overwatch
-     *
-     * Studio UI needs to filter dropdowns based on selected action.
-     * Each action has specific valid principals and resources.
-     */
-    it('should provide per-action entity mapping for Overwatch', () => {
-        // call_tool action should have correct principals and resources
-        const callTool = OVERWATCH_ACTION_ENTITIES['call_tool'];
-        expect(callTool).toBeDefined();
-        expect(callTool.principals).toContain('User');
-        expect(callTool.principals).toContain('Agent');
-        expect(callTool.resources).toContain('Tool');
-        expect(callTool.resources).toContain('FilePath');
-        // connect_server action should only apply to Server resource
-        const connectServer = OVERWATCH_ACTION_ENTITIES['connect_server'];
-        expect(connectServer).toBeDefined();
-        expect(connectServer.principals).toContain('User');
-        expect(connectServer.principals).toContain('Agent');
-        expect(connectServer.resources).toContain('Server');
-        expect(connectServer.resources).not.toContain('Tool');
-        // process_prompt action should only apply to LlmPrompt resource
-        const processPrompt = OVERWATCH_ACTION_ENTITIES['process_prompt'];
-        expect(processPrompt).toBeDefined();
-        expect(processPrompt.resources).toContain('LlmPrompt');
-        expect(processPrompt.resources).not.toContain('Tool');
-        // read_file and write_file should apply to FilePath resource
-        const readFile = OVERWATCH_ACTION_ENTITIES['read_file'];
-        const writeFile = OVERWATCH_ACTION_ENTITIES['write_file'];
-        expect(readFile.resources).toContain('FilePath');
-        expect(writeFile.resources).toContain('FilePath');
-    });
-    /**
-     * Test 6: Entity Metadata for Palisade
-     *
-     * Verify Palisade service also has correct entity metadata.
-     */
-    it('should provide correct entity metadata for Palisade UI dropdowns', () => {
-        // Palisade has Scanner as principal
-        expect(PALISADE_ENTITIES.principals).toContain('Scanner');
-        // Palisade resources include Artifact and Package
-        expect(PALISADE_ENTITIES.resources).toContain('Artifact');
-        expect(PALISADE_ENTITIES.resources).toContain('Package');
-        // Palisade actions
-        expect(PALISADE_ENTITIES.actions).toContain('load_model');
-        expect(PALISADE_ENTITIES.actions).toContain('scan_artifact');
-        expect(PALISADE_ENTITIES.actions).toContain('quarantine_artifact');
-        // Per-action mapping - load_model applies to Artifact
-        const loadModel = PALISADE_ACTION_ENTITIES['load_model'];
-        expect(loadModel).toBeDefined();
-        expect(loadModel.principals).toContain('Scanner');
-        expect(loadModel.resources).toContain('Artifact');
-        // scan_package applies to Package resource
-        const scanPackage = PALISADE_ACTION_ENTITIES['scan_package'];
-        expect(scanPackage).toBeDefined();
-        expect(scanPackage.resources).toContain('Package');
-    });
-});
-/**
- * Cedar Policy Annotations Integration Tests
- *
- * These tests verify the full round-trip of Cedar policy annotations:
- * PolicyRule → Cedar text → parse back → verify annotations preserved
- */
-// Import annotation functions for tests
-import { ruleToCedar, rulesToCedar, parseCedarToRules, generateRuleId, isValidAnnotationKey, } from './index.js';
-describe('Cedar Annotations Integration Tests', () => {
-    /**
-     * Test 1: Basic Annotations Round-Trip
-     *
-     * Create a PolicyRule with all standard annotations, convert to Cedar,
-     * parse back, and verify all annotations are preserved.
-     */
-    it('should preserve annotations through Cedar round-trip', () => {
-        // Step 1: Create a PolicyRule with full annotations
-        const originalRule = {
-            annotations: {
-                id: 'rule-001',
-                name: 'Block high-threat tool calls',
-                description: 'Forbids tool calls when threat count exceeds threshold',
-                severity: 'high',
-                tags: ['security', 'baseline', 'v2'],
-            },
-            effect: 'forbid',
-            principal: { type: 'Overwatch::User' },
-            action: 'Overwatch::Action::"call_tool"',
-            resource: { type: 'Overwatch::Tool' },
-            conditions: [{ field: 'threat_count', operator: 'gt', value: 5 }],
-            enabled: true,
-            order: 0,
-        };
-        // Step 2: Convert to Cedar text
-        const cedarText = ruleToCedar(originalRule);
-        // Verify Cedar text contains annotations in proper syntax
-        expect(cedarText).toContain('@id("rule-001")');
-        expect(cedarText).toContain('@name("Block high-threat tool calls")');
-        expect(cedarText).toContain('@description("Forbids tool calls when threat count exceeds threshold")');
-        expect(cedarText).toContain('@severity("high")');
-        expect(cedarText).toContain('@tags("security,baseline,v2")');
-        expect(cedarText).toContain('forbid');
-        expect(cedarText).toContain('context.threat_count > 5');
-        // Step 3: Validate the generated Cedar against Overwatch schema
-        const validator = new PolicyValidator(OVERWATCH_SCHEMA);
-        const validationResult = validator.validate(cedarText);
-        expect(validationResult.valid).toBe(true);
-        // Step 4: Parse back to PolicyRule
-        const parseResult = parseCedarToRules(cedarText);
-        expect(parseResult.errors).toHaveLength(0);
-        expect(parseResult.rules).toHaveLength(1);
-        const parsedRule = parseResult.rules[0];
-        // Step 5: Verify all annotations are preserved
-        expect(parsedRule.annotations.id).toBe('rule-001');
-        expect(parsedRule.annotations.name).toBe('Block high-threat tool calls');
-        expect(parsedRule.annotations.description).toBe('Forbids tool calls when threat count exceeds threshold');
-        expect(parsedRule.annotations.severity).toBe('high');
-        expect(parsedRule.annotations.tags).toEqual(['security', 'baseline', 'v2']);
-    });
-    /**
-     * Test 2: Custom Annotations Round-Trip
-     *
-     * Verifies that custom user-defined annotations are preserved.
-     */
-    it('should preserve custom annotations through Cedar round-trip', () => {
-        const originalRule = {
-            annotations: {
-                id: 'compliance-rule',
-                name: 'SOC2 Compliance Policy',
-                severity: 'critical',
-            },
-            customAnnotations: {
-                compliance: 'SOC2',
-                ticket: 'SEC-1234',
-                owner: 'security-team',
-                review_date: '2024-06-01',
-            },
-            effect: 'forbid',
-            principal: null,
-            action: 'Overwatch::Action::"call_tool"',
-            resource: null,
-            conditions: [],
-            rawCondition: 'context.contains_secrets == true',
-            enabled: true,
-            order: 0,
-        };
-        // Convert to Cedar
-        const cedarText = ruleToCedar(originalRule);
-        // Verify custom annotations in Cedar text (alphabetically ordered)
-        expect(cedarText).toContain('@compliance("SOC2")');
-        expect(cedarText).toContain('@owner("security-team")');
-        expect(cedarText).toContain('@review_date("2024-06-01")');
-        expect(cedarText).toContain('@ticket("SEC-1234")');
-        // Validate Cedar
-        const validator = new PolicyValidator(OVERWATCH_SCHEMA);
-        expect(validator.validate(cedarText).valid).toBe(true);
-        // Parse back
-        const parseResult = parseCedarToRules(cedarText);
-        expect(parseResult.errors).toHaveLength(0);
-        const parsedRule = parseResult.rules[0];
-        // Verify custom annotations preserved
-        expect(parsedRule.customAnnotations).toBeDefined();
-        expect(parsedRule.customAnnotations?.compliance).toBe('SOC2');
-        expect(parsedRule.customAnnotations?.ticket).toBe('SEC-1234');
-        expect(parsedRule.customAnnotations?.owner).toBe('security-team');
-        expect(parsedRule.customAnnotations?.review_date).toBe('2024-06-01');
-    });
-    /**
-     * Test 3: Multiple Rules with rulesToCedar
-     *
-     * Verifies that multiple rules are correctly converted and ordered.
-     */
-    it('should handle multiple rules with correct ordering', () => {
-        const rules = [
-            {
-                annotations: { id: 'rule-c', name: 'Third Rule' },
-                effect: 'permit',
-                principal: null,
-                action: 'Overwatch::Action::"read_file"',
-                resource: null,
-                conditions: [],
-                enabled: true,
-                order: 2,
-            },
-            {
-                annotations: { id: 'rule-a', name: 'First Rule', severity: 'critical' },
-                effect: 'forbid',
-                principal: null,
-                action: 'Overwatch::Action::"call_tool"',
-                resource: null,
-                conditions: [],
-                rawCondition: 'context.threat_count > 0',
-                enabled: true,
-                order: 0,
-            },
-            {
-                annotations: { id: 'rule-b', name: 'Second Rule (Disabled)' },
-                effect: 'forbid',
-                principal: null,
-                action: 'Overwatch::Action::"write_file"',
-                resource: null,
-                conditions: [],
-                enabled: false, // Disabled rule
-                order: 1,
-            },
-        ];
-        // Convert to Cedar (enabled only, sorted by order)
-        const cedarText = rulesToCedar(rules);
-        // Verify order (rule-a order=0 should come before rule-c order=2)
-        const ruleAIndex = cedarText.indexOf('@id("rule-a")');
-        const ruleCIndex = cedarText.indexOf('@id("rule-c")');
-        expect(ruleAIndex).toBeLessThan(ruleCIndex);
-        // Disabled rule should NOT be included
-        expect(cedarText).not.toContain('@id("rule-b")');
-        // Validate the combined policy text
-        const validator = new PolicyValidator(OVERWATCH_SCHEMA);
-        expect(validator.validate(cedarText).valid).toBe(true);
-        // Parse back and verify
-        const parseResult = parseCedarToRules(cedarText);
-        expect(parseResult.errors).toHaveLength(0);
-        expect(parseResult.rules).toHaveLength(2); // Only enabled rules
-        // Verify parsed rules
-        const ruleIds = parseResult.rules.map((r) => r.annotations.id);
-        expect(ruleIds).toContain('rule-a');
-        expect(ruleIds).toContain('rule-c');
-        expect(ruleIds).not.toContain('rule-b');
-    });
-    /**
-     * Test 4: Disabled Rules as Comments
-     *
-     * Verifies that includeDisabled=true adds disabled rules as comments.
-     */
-    it('should include disabled rules as comments when requested', () => {
-        const rules = [
-            {
-                annotations: { id: 'active-rule', name: 'Active Rule' },
-                effect: 'permit',
-                principal: null,
-                action: 'Overwatch::Action::"call_tool"',
-                resource: null,
-                conditions: [],
-                enabled: true,
-                order: 0,
-            },
-            {
-                annotations: { id: 'disabled-rule', name: 'Disabled Rule' },
-                effect: 'forbid',
-                principal: null,
-                action: 'Overwatch::Action::"call_tool"',
-                resource: null,
-                conditions: [],
-                enabled: false,
-                order: 1,
-            },
-        ];
-        // Convert with includeDisabled=true
-        const cedarText = rulesToCedar(rules, true);
-        // Active rule should be normal
-        expect(cedarText).toContain('@id("active-rule")');
-        expect(cedarText).not.toMatch(/\/\/ \[DISABLED\].*@id\("active-rule"\)/);
-        // Disabled rule should be commented
-        expect(cedarText).toContain('// [DISABLED] @id("disabled-rule")');
-        expect(cedarText).toContain('// [DISABLED] @name("Disabled Rule")');
-        expect(cedarText).toContain('// [DISABLED] forbid');
-    });
-    /**
-     * Test 5: Annotation Value Escaping
-     *
-     * Verifies that special characters in annotation values are properly escaped.
-     */
-    it('should properly escape special characters in annotation values', () => {
-        const rule = {
-            annotations: {
-                id: 'escape-test',
-                name: 'Rule with "quotes" and \\backslashes',
-                description: 'Multi-line text works too',
-            },
-            effect: 'permit',
-            principal: null,
-            action: 'Overwatch::Action::"call_tool"',
-            resource: null,
-            conditions: [],
-            enabled: true,
-            order: 0,
-        };
-        const cedarText = ruleToCedar(rule);
-        // Quotes and backslashes should be escaped
-        expect(cedarText).toContain('Rule with \\"quotes\\" and \\\\backslashes');
-        // Parse back and verify values are unescaped
-        const parseResult = parseCedarToRules(cedarText);
-        expect(parseResult.errors).toHaveLength(0);
-        const parsedRule = parseResult.rules[0];
-        expect(parsedRule.annotations.name).toBe('Rule with "quotes" and \\backslashes');
-    });
-    /**
-     * Test 6: Annotation Key Validation
-     *
-     * Verifies that only valid annotation keys are accepted.
-     */
-    it('should validate annotation keys correctly', () => {
-        // Valid custom keys
-        expect(isValidAnnotationKey('compliance')).toBe(true);
-        expect(isValidAnnotationKey('ticket_number')).toBe(true);
-        expect(isValidAnnotationKey('_internal')).toBe(true);
-        expect(isValidAnnotationKey('myKey123')).toBe(true);
-        // Invalid - predefined keys (handled separately)
-        expect(isValidAnnotationKey('id')).toBe(false);
-        expect(isValidAnnotationKey('name')).toBe(false);
-        expect(isValidAnnotationKey('severity')).toBe(false);
-        expect(isValidAnnotationKey('tags')).toBe(false);
-        // Invalid - bad format
-        expect(isValidAnnotationKey('123abc')).toBe(false); // Starts with number
-        expect(isValidAnnotationKey('has-dash')).toBe(false); // Contains dash
-        expect(isValidAnnotationKey('has.dot')).toBe(false); // Contains dot
-        expect(isValidAnnotationKey('')).toBe(false); // Empty
-    });
-    /**
-     * Test 7: Generated Rule ID
-     *
-     * Verifies that rule IDs are auto-generated when not provided.
-     */
-    it('should auto-generate rule IDs when not provided', () => {
-        const id1 = generateRuleId();
-        const id2 = generateRuleId();
-        // Should be valid UUIDs
-        const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
-        expect(id1).toMatch(uuidRegex);
-        expect(id2).toMatch(uuidRegex);
-        // Should be unique
-        expect(id1).not.toBe(id2);
-    });
-    /**
-     * Test 8: Palisade Schema Compatibility
-     *
-     * Verifies annotations work correctly with Palisade schema.
-     */
-    it('should work correctly with Palisade schema', () => {
-        const rule = {
-            annotations: {
-                id: 'palisade-rule-001',
-                name: 'Block Critical ML Findings',
-                description: 'Prevents loading models with critical security findings',
-                severity: 'critical',
-                tags: ['ml-security', 'compliance'],
-            },
-            customAnnotations: {
-                framework: 'pytorch',
-                scan_type: 'static',
-            },
-            effect: 'forbid',
-            principal: { type: 'Palisade::Scanner' },
-            action: 'Palisade::Action::"load_model"',
-            resource: { type: 'Palisade::Artifact' },
-            conditions: [],
-            rawCondition: 'context.severity == "CRITICAL"',
-            enabled: true,
-            order: 0,
-        };
-        const cedarText = ruleToCedar(rule);
-        // Validate against Palisade schema
-        const validator = new PolicyValidator(PALISADE_SCHEMA);
-        expect(validator.validate(cedarText).valid).toBe(true);
-        // Parse and verify
-        const parseResult = parseCedarToRules(cedarText);
-        expect(parseResult.errors).toHaveLength(0);
-        const parsedRule = parseResult.rules[0];
-        expect(parsedRule.annotations.id).toBe('palisade-rule-001');
-        expect(parsedRule.annotations.severity).toBe('critical');
-        expect(parsedRule.customAnnotations?.framework).toBe('pytorch');
-    });
-    /**
-     * Test 9: Full Policy Lifecycle with Annotations
-     *
-     * Simulates the complete Studio UI workflow:
-     * 1. Create rules via UI form
-     * 2. Convert to Cedar for storage/evaluation
-     * 3. Validate against schema
-     * 4. Load into engine
-     * 5. Evaluate requests
-     * 6. Parse back for editing
-     */
-    it('should support full policy lifecycle with annotations', () => {
-        // Step 1: Create rules via UI form (simulated)
-        const rules = [
-            {
-                annotations: {
-                    id: 'allow-safe-tools',
-                    name: 'Allow Safe Tools',
-                    description: 'Permits tool calls with no detected threats',
-                    severity: 'low',
-                },
-                effect: 'permit',
-                principal: { type: 'Overwatch::User' },
-                action: 'Overwatch::Action::"call_tool"',
-                resource: { type: 'Overwatch::Tool' },
-                conditions: [],
-                rawCondition: 'context.threat_count == 0',
-                enabled: true,
-                order: 0,
-            },
-            {
-                annotations: {
-                    id: 'block-high-threats',
-                    name: 'Block High Threats',
-                    severity: 'critical',
-                    tags: ['security'],
-                },
-                effect: 'forbid',
-                principal: null,
-                action: 'Overwatch::Action::"call_tool"',
-                resource: null,
-                conditions: [{ field: 'threat_count', operator: 'gt', value: 0 }],
-                enabled: true,
-                order: 1,
-            },
-        ];
-        // Step 2: Convert to Cedar for storage
-        const cedarText = rulesToCedar(rules);
-        // Step 3: Validate
-        const validator = new PolicyValidator(OVERWATCH_SCHEMA);
-        expect(validator.validate(cedarText).valid).toBe(true);
-        // Step 4: Load into engine
-        const engine = new PolicyEngine({ schema: OVERWATCH_SCHEMA });
-        engine.loadPolicy(cedarText);
-        // Step 5: Evaluate - safe request (0 threats) should be allowed
-        const entities = [
-            newEntity('Overwatch::User', 'mcp_client', { user_type: 'external', email: 'test@example.com' }),
-            newEntity('Overwatch::Tool', 'shell', { tool_name: 'shell', risk_level: 'low' }),
-        ];
-        const safeRequest = engine.evaluate({
-            principal: newEntityUID('Overwatch::User', 'mcp_client'),
-            action: 'Overwatch::Action::"call_tool"',
-            resource: newEntityUID('Overwatch::Tool', 'shell'),
-            context: {
-                content: 'ls',
-                source: 'claudecode',
-                event: 'PreToolUse',
-                user_email: 'test@example.com',
-                tool_name: 'shell',
-                threat_count: 0,
-                highest_severity: 'low',
-                threat_categories: [],
-                yara_threats: [],
-                max_threat_severity: 0,
-                contains_secrets: false,
-                mcp_server: '',
-                mcp_tool: '',
-                path: '',
-                cwd: '',
-                workspace_root: '',
-                response_content: '',
-            },
-            entities,
-        });
-        expect(safeRequest.effect).toBe('Allow');
-        // Risky request (threats detected) should be denied
-        const riskyRequest = engine.evaluate({
-            principal: newEntityUID('Overwatch::User', 'mcp_client'),
-            action: 'Overwatch::Action::"call_tool"',
-            resource: newEntityUID('Overwatch::Tool', 'shell'),
-            context: {
-                content: 'rm -rf /',
-                source: 'claudecode',
-                event: 'PreToolUse',
-                user_email: 'test@example.com',
-                tool_name: 'shell',
-                threat_count: 3,
-                highest_severity: 'critical',
-                threat_categories: ['destructive'],
-                yara_threats: [],
-                max_threat_severity: 4,
-                contains_secrets: false,
-                mcp_server: '',
-                mcp_tool: '',
-                path: '',
-                cwd: '',
-                workspace_root: '',
-                response_content: '',
-            },
-            entities,
-        });
-        expect(riskyRequest.effect).toBe('Deny');
-        // Step 6: Parse back for editing
-        const parseResult = parseCedarToRules(cedarText);
-        expect(parseResult.errors).toHaveLength(0);
-        expect(parseResult.rules).toHaveLength(2);
-        // Verify all rules and annotations are preserved for editing
-        const allowRule = parseResult.rules.find((r) => r.annotations.id === 'allow-safe-tools');
-        const blockRule = parseResult.rules.find((r) => r.annotations.id === 'block-high-threats');
-        expect(allowRule?.annotations.name).toBe('Allow Safe Tools');
-        expect(blockRule?.annotations.severity).toBe('critical');
-        expect(blockRule?.annotations.tags).toEqual(['security']);
-    });
-});
-//# sourceMappingURL=studio-ui.test.js.map