@highflame/policy 2.0.9 → 2.1.0

package/dist/guardrails-entities.gen.d.ts

@@ -0,0 +1,11 @@
+import type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
+/**
+ * Guardrails entity metadata for UI components.
+ * Extracted from Cedar schema appliesTo blocks.
+ */
+export declare const GUARDRAILS_ENTITIES: ServiceEntityMetadata;
+/**
+ * Per-action entity mapping for Guardrails.
+ * Maps action names to their valid principals and resources.
+ */
+export declare const GUARDRAILS_ACTION_ENTITIES: Record<string, ActionEntityMetadata>;

package/dist/guardrails-entities.gen.js

@@ -0,0 +1,37 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/guardrails/schema.cedarschema
+/**
+ * Guardrails entity metadata for UI components.
+ * Extracted from Cedar schema appliesTo blocks.
+ */
+export const GUARDRAILS_ENTITIES = {
+    principals: ['Agent', 'User'],
+    resources: ['App', 'Session'],
+    actions: ['call_tool', 'connect_server', 'process_prompt', 'read_file', 'write_file'],
+};
+/**
+ * Per-action entity mapping for Guardrails.
+ * Maps action names to their valid principals and resources.
+ */
+export const GUARDRAILS_ACTION_ENTITIES = {
+    'call_tool': {
+        principals: ['User', 'Agent'],
+        resources: ['Session'],
+    },
+    'connect_server': {
+        principals: ['User', 'Agent'],
+        resources: ['Session'],
+    },
+    'process_prompt': {
+        principals: ['User', 'Agent'],
+        resources: ['App', 'Session'],
+    },
+    'read_file': {
+        principals: ['User', 'Agent'],
+        resources: ['Session'],
+    },
+    'write_file': {
+        principals: ['User', 'Agent'],
+        resources: ['Session'],
+    },
+};

package/dist/index.d.ts

@@ -7,12 +7,17 @@ export * from './builder.js';
 export * from './parser.js';
 export * from './errors.js';
 export * from './annotations.js';
-export { OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
+export * from './explain.js';
+export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
 export type { ContextAttribute, ActionContext, ServiceContext, } from './service-schemas.gen.js';
+export { GuardrailsContextKey } from './guardrails-context.gen.js';
 export { OverwatchContextKey } from './overwatch-context.gen.js';
 export { PalisadeContextKey } from './palisade-context.gen.js';
+export { GUARDRAILS_ENTITIES, GUARDRAILS_ACTION_ENTITIES, } from './guardrails-entities.gen.js';
 export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';
 export { PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './palisade-entities.gen.js';
 export type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
+export { GUARDRAILS_DEFAULTS, GUARDRAILS_TEMPLATES, GUARDRAILS_CATEGORIES, GUARDRAILS_TEMPLATES_JSON, getGuardrailsDefaultsByCategory, getGuardrailsTemplatesByCategory, getGuardrailsTemplateById, } from './guardrails-defaults.gen.js';
+export type { GuardrailsCategory, GuardrailsCategoryInfo, GuardrailsDefaultPolicy, GuardrailsTemplate, } from './guardrails-defaults.gen.js';
 export { OVERWATCH_DEFAULTS, OVERWATCH_TEMPLATES, OVERWATCH_CATEGORIES, OVERWATCH_TEMPLATES_JSON, getOverwatchDefaultsByCategory, getOverwatchTemplatesByCategory, getOverwatchTemplateById, } from './overwatch-defaults.gen.js';
 export type { OverwatchCategory, OverwatchCategoryInfo, OverwatchDefaultPolicy, OverwatchTemplate, } from './overwatch-defaults.gen.js';

package/dist/index.js

@@ -13,13 +13,18 @@ export * from './builder.js';
 export * from './parser.js';
 export * from './errors.js';
 export * from './annotations.js';
+// Decision explanation
+export * from './explain.js';
 // Service-specific schemas and context (inlined)
-export { OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
+export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
 // Service-specific context key enums
+export { GuardrailsContextKey } from './guardrails-context.gen.js';
 export { OverwatchContextKey } from './overwatch-context.gen.js';
 export { PalisadeContextKey } from './palisade-context.gen.js';
 // Service-specific entity metadata (for UI - principals, resources, actions)
+export { GUARDRAILS_ENTITIES, GUARDRAILS_ACTION_ENTITIES, } from './guardrails-entities.gen.js';
 export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';
 export { PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './palisade-entities.gen.js';
 // Service-specific default policies, templates, and categories
+export { GUARDRAILS_DEFAULTS, GUARDRAILS_TEMPLATES, GUARDRAILS_CATEGORIES, GUARDRAILS_TEMPLATES_JSON, getGuardrailsDefaultsByCategory, getGuardrailsTemplatesByCategory, getGuardrailsTemplateById, } from './guardrails-defaults.gen.js';
 export { OVERWATCH_DEFAULTS, OVERWATCH_TEMPLATES, OVERWATCH_CATEGORIES, OVERWATCH_TEMPLATES_JSON, getOverwatchDefaultsByCategory, getOverwatchTemplatesByCategory, getOverwatchTemplateById, } from './overwatch-defaults.gen.js';

package/dist/overwatch-defaults.gen.js

@@ -59,6 +59,7 @@ const OVERWATCH_SECRETS_DEFAULT_CEDAR = `// ====================================
 @description("Block prompts when YARA scanners detect API keys, tokens, or credential patterns")
 @severity("critical")
 @tags("secrets,credentials,prompts,nist-sc-28,nist-ia-5")
+@reject_message("Your prompt was blocked because it contains detected secrets such as API keys, tokens, or credentials. Remove all secrets before resubmitting.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -74,6 +75,7 @@ when {
 @description("Prevent file reads and tool execution when secrets or credentials are detected in content")
 @severity("high")
 @tags("secrets,file-access,tools,credentials,nist-sc-28")
+@reject_message("This operation was blocked because secrets or credentials were detected in the content. File reads and tool calls are restricted when credential exposure is identified.")
 forbid (
     principal,
     action in [Overwatch::Action::"read_file", Overwatch::Action::"call_tool"],
@@ -93,6 +95,7 @@ when {
 @description("Block access to .env files that commonly contain secrets, API keys, and database credentials")
 @severity("high")
 @tags("secrets,env-files,config,nist-sc-28,mitre-t1552")
+@reject_message("Access to .env files is blocked because they commonly contain secrets, API keys, and database credentials. Use a secrets manager instead of .env files.")
 forbid (
     principal,
     action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
@@ -113,6 +116,7 @@ when {
 @description("Detect and block AWS access key IDs (AKIA prefix) in AI responses to prevent credential exfiltration")
 @severity("critical")
 @tags("secrets,aws,credentials,response-scan,nist-ia-5,mitre-t1552")
+@reject_message("This response was blocked because an AWS access key ID (AKIA prefix) was detected. AWS credentials must never be exposed in AI responses.")
 forbid (
     principal,
     action,
@@ -129,6 +133,7 @@ when {
 @description("Detect and block AWS secret access keys in AI responses")
 @severity("critical")
 @tags("secrets,aws,credentials,response-scan,nist-ia-5")
+@reject_message("This response was blocked because an AWS secret access key was detected. AWS credentials must never be exposed in AI responses.")
 forbid (
     principal,
     action,
@@ -146,6 +151,7 @@ when {
 @description("Detect and block GitHub personal access tokens (ghp_), fine-grained tokens (github_pat_), and app tokens (ghs_)")
 @severity("critical")
 @tags("secrets,github,tokens,response-scan,mitre-t1552")
+@reject_message("This response was blocked because a GitHub token (personal access token, fine-grained token, or app token) was detected. GitHub tokens must never be exposed in AI responses.")
 forbid (
     principal,
     action,
@@ -164,6 +170,7 @@ when {
 @description("Detect and block SSH, RSA, and OpenSSH private keys in AI responses")
 @severity("critical")
 @tags("secrets,ssh,private-keys,response-scan,nist-sc-28,mitre-t1552")
+@reject_message("This response was blocked because a private key (SSH, RSA, or OpenSSH) was detected. Private keys must never be exposed in AI responses.")
 forbid (
     principal,
     action,
@@ -187,6 +194,7 @@ when {
 @description("Block content flagged by YARA rules for credential exposure, API key leaks, JWT tokens, and bearer tokens")
 @severity("critical")
 @tags("secrets,yara,credentials,jwt,bearer,nist-ia-5")
+@reject_message("This content was blocked because YARA scanning detected credential patterns including secret exposure, credential leaks, API keys, JWT tokens, or bearer tokens.")
 forbid (
     principal,
     action,
@@ -219,6 +227,7 @@ const OVERWATCH_PII_DEFAULT_CEDAR = `// ========================================
 @description("Detect and block content containing credit card number patterns (PCI DSS compliance)")
 @severity("critical")
 @tags("pci,credit-card,payment,compliance,pci-dss-3.4")
+@reject_message("Your prompt was blocked because credit card number patterns were detected. Sharing payment card data violates PCI DSS requirements.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -234,6 +243,7 @@ when {
 @description("Detect and block content containing SSN patterns (XXX-XX-XXXX format)")
 @severity("critical")
 @tags("ssn,identity,privacy,compliance")
+@reject_message("Your prompt was blocked because Social Security Number patterns (XXX-XX-XXXX) were detected. SSNs are protected personal identifiers that must not be shared.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -249,6 +259,7 @@ when {
 @description("Block content when PII-related threat categories are detected by YARA or Javelin scanners")
 @severity("high")
 @tags("pii,privacy,data-protection,gdpr")
+@reject_message("Your prompt was blocked because personally identifiable information was detected by threat scanners. Remove all PII before resubmitting.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -280,6 +291,7 @@ when {
 @description("Prevent tool execution when PII patterns are detected in content")
 @severity("high")
 @tags("pii,tools,data-protection")
+@reject_message("Tool execution was blocked because personally identifiable information was detected in the content. PII must be removed before tool calls are permitted.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -308,6 +320,7 @@ const OVERWATCH_SEMANTIC_DEFAULT_CEDAR = `// ===================================
 @description("Detect and block prompt injection patterns in user input via YARA scanning (OWASP LLM01)")
 @severity("critical")
 @tags("injection,security,llm,owasp-llm01,baseline")
+@reject_message("Your prompt was blocked because prompt injection patterns were detected by YARA scanning. This is a security measure to prevent manipulation of AI agent behavior.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -339,6 +352,7 @@ when {
 @description("Detect and block jailbreak and bypass attempts against AI agents (OWASP LLM02)")
 @severity("critical")
 @tags("jailbreak,bypass,security,owasp-llm02,baseline")
+@reject_message("Your prompt was blocked because jailbreak or bypass patterns were detected by YARA scanning. This is a security measure to prevent circumvention of AI safety controls.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -370,6 +384,7 @@ when {
 @description("Block prompts when semantic threat scanners detect high severity issues (severity >= 3)")
 @severity("high")
 @tags("semantic,severity,security")
+@reject_message("Your prompt was blocked because semantic threat scanners detected high severity issues in the content. Review your prompt for manipulative or adversarial patterns.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -387,6 +402,7 @@ when {
 @description("Block all content when any scanner detects critical severity threats")
 @severity("critical")
 @tags("critical,baseline,security")
+@reject_message("Your prompt was blocked because security scanners detected a critical-severity threat. This content cannot be processed.")
 forbid (
     principal,
     action == Overwatch::Action::"process_prompt",
@@ -402,6 +418,7 @@ when {
 @description("Prevent tool execution when prompt injection patterns are detected in content")
 @severity("critical")
 @tags("injection,tools,security,owasp-llm01")
+@reject_message("Tool execution was blocked because prompt injection patterns were detected in the content by YARA scanning.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -435,6 +452,7 @@ const OVERWATCH_TOOLS_DEFAULT_CEDAR = `// ======================================
 @description("Block direct shell, bash, and command execution tools to prevent command injection (MITRE T1059)")
 @severity("critical")
 @tags("shell,command-injection,execution,nist-cm-7,mitre-t1059,baseline")
+@reject_message("Tool execution was blocked because direct shell and command execution tools (shell, bash, terminal, system.exec) are restricted to prevent command injection attacks.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -456,6 +474,7 @@ when {
 @description("Block file deletion and other destructive tool operations to prevent data loss")
 @severity("high")
 @tags("file,delete,destructive,nist-ac-3")
+@reject_message("Tool execution was blocked because destructive file operations (delete, rmdir, unlink) are restricted to prevent data loss.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -478,6 +497,7 @@ when {
 @description("Prevent access to system directories, credential files, SSH keys, and cloud config (MITRE T1005, T1552.001)")
 @severity("high")
 @tags("file,path,system,security,nist-ac-6,mitre-t1005")
+@reject_message("Access to this path was blocked because it targets a sensitive system directory or credential file (/etc, /proc, /sys, .ssh, .aws, .gnupg, or private key files).")
 forbid (
     principal,
     action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
@@ -508,6 +528,7 @@ when {
 @description("Prevent tool execution when high or critical severity threats are detected in content")
 @severity("high")
 @tags("tools,threats,severity,security")
+@reject_message("Tool execution was blocked because high or critical severity threats were detected in the content by security scanners.")
 forbid (
     principal,
     action == Overwatch::Action::"call_tool",
@@ -736,8 +757,9 @@ permit (
     resource
 )
 when {
-    context.mcp_server == "filesystem" ||
-    context.mcp_server == "playwright"
+    context has mcp_server &&
+    (context.mcp_server == "filesystem" ||
+    context.mcp_server == "playwright")
 };
 
 @id("mcp-allowlist-deny")
@@ -751,6 +773,86 @@ forbid (
     resource
 );
 `;
+const OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR = `// =============================================================================
+// MCP Tool Permissions Template (Overwatch)
+// =============================================================================
+// Per-tool access control for MCP servers in IDE environments.
+// Complements the existing MCP Server Allowlist (connect_server action)
+// with fine-grained per-tool control on call_tool action.
+//
+// Category: tools
+// Namespace: Overwatch
+// =============================================================================
+
+// -- GitHub MCP: Read-only access -------------------------------------------
+
+@id("mcp-tool-allow-read-github")
+@name("Allow read-only GitHub tools")
+@description("Permit read operations from GitHub MCP server")
+@severity("medium")
+@tags("mcp,github,read-only,least-privilege")
+permit (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server && context.mcp_server == "github" &&
+    context has tool_name &&
+    (context.tool_name == "read_issues" ||
+     context.tool_name == "get_issue" ||
+     context.tool_name == "list_repos" ||
+     context.tool_name == "get_pull_request" ||
+     context.tool_name == "search_code" ||
+     context.tool_name == "get_file_contents")
+};
+
+@id("mcp-tool-deny-write-github")
+@name("Deny write GitHub tools")
+@description("Block create/update/delete operations on GitHub MCP server")
+@severity("high")
+@tags("mcp,github,write-block,least-privilege")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server && context.mcp_server == "github"
+};
+
+// -- Organization-wide MCP server exclusions --------------------------------
+
+@id("mcp-tool-exclude-server")
+@name("Exclude specific MCP servers")
+@description("Block all tool calls from excluded MCP servers (org-wide exclusion list)")
+@severity("critical")
+@tags("mcp,exclusion,org-wide,block")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+) when {
+    // Add server names to block across the organization.
+    // Modify this list to match your exclusion requirements.
+    context has mcp_server &&
+    (context.mcp_server == "untrusted-server" ||
+     context.mcp_server == "deprecated-server")
+};
+
+// -- Block unverified MCP servers -------------------------------------------
+
+@id("mcp-tool-block-unverified")
+@name("Block tools from unverified MCP servers")
+@description("Deny tool calls from MCP servers not in the verified registry")
+@severity("high")
+@tags("mcp,trust,verification")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server_verified && context.mcp_server_verified == false
+};
+`;
 const OVERWATCH_ORG_DEFAULT_DENY_CEDAR = `// Default Deny All Template
 // Organization-wide baseline: deny all unless explicitly permitted
 // Category: organization
@@ -956,6 +1058,15 @@ export const OVERWATCH_TEMPLATES = [
         severity: 'medium',
         tags: ['mcp', 'allowlist', 'whitelist'],
     },
+    {
+        id: 'tools-mcp-tool-permissions',
+        name: 'MCP Tool Permissions',
+        description: 'Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources',
+        category: 'tools',
+        cedarText: OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR,
+        severity: 'high',
+        tags: ['mcp', 'tools', 'least-privilege', 'per-server', 'exclusion'],
+    },
     {
         id: 'org-default-deny',
         name: 'Default Deny All',
@@ -1120,6 +1231,15 @@ export const OVERWATCH_TEMPLATES_JSON = `{
       "severity": "medium",
       "tags": ["mcp", "allowlist", "whitelist"]
     },
+    {
+      "id": "tools-mcp-tool-permissions",
+      "name": "MCP Tool Permissions",
+      "description": "Per-tool access control for MCP servers — allow specific tools while denying others, exclude servers org-wide, block unverified sources",
+      "category": "tools",
+      "file": "mcp_tool_permissions.cedar",
+      "severity": "high",
+      "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
+    },
     {
       "id": "org-default-deny",
       "name": "Default Deny All",

package/dist/parser.js

@@ -134,11 +134,14 @@ function cedarJsonToRule(policy, policyId, index, originalText) {
             order: index,
         };
         // Map conditions
-        const { conditions, rawCondition } = mapConditions(policy.conditions, originalText);
+        const { conditions, rawCondition, conditionExpression } = mapConditions(policy.conditions, originalText);
         rule.conditions = conditions;
         if (rawCondition) {
             rule.rawCondition = rawCondition;
         }
+        if (conditionExpression) {
+            rule.conditionExpression = conditionExpression;
+        }
         return { rule };
     }
     catch (e) {
@@ -227,7 +230,7 @@ function mapScopeToEntity(scope, field) {
     if (scope.op === "in") {
         if ("entity" in scope) {
             const entity = normalizeEntityRef(scope.entity);
-            return { type: entity.type, id: entity.id };
+            return { type: entity.type, id: entity.id, operator: 'in' };
         }
         if ("slot" in scope) {
             throw ParserError.scopeSlotNotSupported("in", field);
@@ -279,17 +282,20 @@ function mapActionScope(scope) {
     throw ParserError.actionUnsupportedOp(scope.op);
 }
 /**
- * Map Cedar conditions to PolicyCondition array.
- * When conditions can't be mapped to structured format, extract the raw Cedar
+ * Map Cedar conditions to PolicyCondition array + recursive ConditionExpression.
+ * When conditions can't be mapped to the flat format, extract the raw Cedar
  * condition text from the engine-serialized policy text (not JSON AST).
  */
 function mapConditions(conditions, originalText) {
     const result = [];
     let hasUnmapped = false;
+    // Collect condition expressions from all when clauses
+    const expressions = [];
     for (const cond of conditions) {
         if (cond.kind !== "when") {
             continue;
         }
+        // Flat mapping (backward compat)
         const parsed = mapConditionBody(cond.body);
         if (parsed.condition) {
             result.push(parsed.condition);
@@ -297,15 +303,26 @@ function mapConditions(conditions, originalText) {
         else if (parsed.raw) {
             hasUnmapped = true;
         }
+        // Recursive mapping (new)
+        expressions.push(mapConditionBodyToExpression(cond.body, originalText));
     }
     // Extract readable Cedar condition text instead of storing JSON AST
     let rawCondition;
     if (hasUnmapped && originalText) {
         rawCondition = extractWhenClause(originalText);
     }
+    // Build the final condition expression
+    let conditionExpression;
+    if (expressions.length === 1) {
+        conditionExpression = expressions[0];
+    }
+    else if (expressions.length > 1) {
+        conditionExpression = { kind: 'and', children: expressions };
+    }
     return {
         conditions: result,
         rawCondition: rawCondition || undefined,
+        conditionExpression,
     };
 }
 /**
@@ -365,6 +382,121 @@ function mapConditionBody(body) {
     // Can't map - return as raw JSON
     return { raw: JSON.stringify(body) };
 }
+// ---------------------------------------------------------------------------
+// Recursive condition expression walker
+// ---------------------------------------------------------------------------
+/**
+ * Recursively walk the Cedar JSON AST to build a ConditionExpression tree.
+ * Flattens binary && / || chains into n-ary and/or nodes.
+ */
+function mapConditionBodyToExpression(expr, originalText) {
+    // Logical AND — flatten binary chain
+    if (expr["&&"]) {
+        const children = flattenBinaryChain("&&", expr);
+        return { kind: 'and', children };
+    }
+    // Logical OR — flatten binary chain
+    if (expr["||"]) {
+        const children = flattenBinaryChain("||", expr);
+        return { kind: 'or', children };
+    }
+    // Negation
+    if (expr["!"]) {
+        const child = mapConditionBodyToExpression(expr["!"].arg, originalText);
+        return { kind: 'not', child };
+    }
+    // Has (existence check): { has: { left: { Var: "context" }, attr: "field" } }
+    if (expr.has) {
+        const field = extractHasField(expr.has);
+        if (field) {
+            return { kind: 'has', field };
+        }
+    }
+    // Leaf: comparison operators
+    for (const op of ["==", "!=", "<", "<=", ">", ">="]) {
+        const comparison = expr[op];
+        if (comparison) {
+            const mapped = mapComparisonToExpression(op, comparison);
+            if (mapped)
+                return mapped;
+        }
+    }
+    // Leaf: contains
+    if (expr.contains) {
+        const mapped = mapContainsToExpression(expr.contains);
+        if (mapped)
+            return mapped;
+    }
+    // Leaf: like
+    if (expr.like) {
+        const mapped = mapLikeToExpression(expr.like);
+        if (mapped)
+            return mapped;
+    }
+    // Fallback — extract readable text if possible
+    const text = originalText ? extractWhenClause(originalText) : JSON.stringify(expr);
+    return { kind: 'raw', text };
+}
+/**
+ * Flatten a binary chain of && or || into a flat array of expressions.
+ * (A && B) && C becomes [A, B, C] instead of nested binary pairs.
+ */
+function flattenBinaryChain(op, expr) {
+    const node = expr[op];
+    if (!node)
+        return [mapConditionBodyToExpression(expr)];
+    return [
+        ...flattenBinaryChain(op, node.left),
+        ...flattenBinaryChain(op, node.right),
+    ];
+}
+/**
+ * Extract field name from a "has" expression.
+ * Pattern: { left: { Var: "context" }, attr: "field_name" }
+ */
+function extractHasField(has) {
+    if (has.left.Var === "context") {
+        return has.attr;
+    }
+    return null;
+}
+function mapComparisonToExpression(op, args) {
+    const field = extractContextField(args.left);
+    if (!field)
+        return null;
+    const value = extractLiteralValue(args.right);
+    if (value === undefined)
+        return null;
+    const operator = mapOperator(op);
+    if (!operator)
+        return null;
+    return { kind: 'comparison', field, operator, value };
+}
+function mapContainsToExpression(args) {
+    const field = extractContextField(args.left);
+    if (!field)
+        return null;
+    const value = extractLiteralValue(args.right);
+    if (value === undefined || typeof value === 'object')
+        return null;
+    return { kind: 'contains', field, value: value };
+}
+function mapLikeToExpression(args) {
+    const field = extractContextField(args.left);
+    if (!field)
+        return null;
+    const patternStr = args.pattern.map(p => {
+        if (p === "Wildcard")
+            return "*";
+        if (typeof p === "object" && "Literal" in p)
+            return p.Literal.replace(/\*/g, "\\*");
+        return "";
+    }).join("");
+    return { kind: 'like', field, pattern: patternStr };
+}
+// ---------------------------------------------------------------------------
+// Flat condition mapping (backward compat)
+// ---------------------------------------------------------------------------
 function mapComparison(op, args) {
     const field = extractContextField(args.left);
     if (!field)

package/dist/schema.gen.d.ts

@@ -2,4 +2,4 @@
  * Embedded Cedar schema for policy validation.
  * This is the Highflame Cedar schema used across all services.
  */
-export declare const CEDAR_SCHEMA = "// Highflame Cedar Schema - Entity and Action Definitions\n// =======================================================\n// This file defines all entity types and actions used across Highflame services.\n// Used for code generation (EntityType and ActionType constants).\n//\n// For policy validation, use service-specific schemas:\n// - schemas/overwatch/schema.cedarschema (Guardian IDE security)\n// - schemas/palisade/schema.cedarschema (ML supply chain security)\n\nnamespace Highflame {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\nentity User {\n    user_type: String,\n};\n\nentity Agent {\n    agent_type: String,\n};\n\nentity Scanner {\n    scanner_type: String,\n};\n\nentity Service {\n    service_type: String,\n};\n\nentity Resource {};\n\nentity LlmPrompt {\n    prompt_type: String,\n};\n\nentity ResponseData {};\n\nentity Tool {\n    tool_name: String,\n};\n\nentity FilePath {\n    path: String,\n};\n\nentity HttpEndpoint {\n    hostname: String,\n};\n\nentity Server {\n    server_name: String,\n};\n\nentity Artifact {\n    artifact_format: String,\n};\n\nentity Repository {\n    repo_url: String,\n};\n\nentity Package {\n    package_name: String,\n};\n\nentity GitBranch {\n    branch_name: String,\n};\n\nentity Model {\n    model_name: String,\n};\n\nentity ExternalAPI {\n    api_name: String,\n};\n\nentity Memory {\n    memory_type: String,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\naction process_prompt;\naction process_response;\naction invoke_model;\naction filter_content;\naction call_tool;\naction connect_server;\naction access_server_resource;\naction skip_guardrails;\naction read_file;\naction write_file;\naction delete_file;\naction http_request;\naction call_external_api;\naction execute_code;\naction run_tests;\naction run_build;\naction git_operation;\naction git_clone;\naction git_commit;\naction git_push;\naction git_pull;\naction git_merge;\naction git_checkout;\naction git_reset;\naction git_rebase;\naction delegate_task;\naction spawn_subprocess;\naction access_memory;\naction scan_target;\naction scan_package;\naction scan_artifact;\naction validate_integrity;\naction validate_provenance;\naction quarantine_artifact;\naction load_model;\naction deploy_model;\naction transfer_data;\naction export_data;\n}\n";
+export declare const CEDAR_SCHEMA = "// Highflame Cedar Schema - Entity and Action Definitions\n// =======================================================\n// This file defines all entity types and actions used across Highflame services.\n// Used for code generation (EntityType and ActionType constants).\n//\n// For policy validation, use service-specific schemas:\n// - schemas/overwatch/schema.cedarschema (Guardian IDE security)\n// - schemas/palisade/schema.cedarschema (ML supply chain security)\n\nnamespace Highflame {\n\n// =============================================================================\n// ENTITIES\n// =============================================================================\n\n// Multi-tenant hierarchy (used by services for ReBAC policy scoping)\nentity Account {};\nentity Project {};\nentity App {};\nentity Session {};\n\nentity User {\n    user_type: String,\n};\n\nentity Agent {\n    agent_type: String,\n};\n\nentity Scanner {\n    scanner_type: String,\n};\n\nentity Service {\n    service_type: String,\n};\n\nentity Resource {};\n\nentity LlmPrompt {\n    prompt_type: String,\n};\n\nentity ResponseData {};\n\nentity Tool {\n    tool_name: String,\n};\n\nentity FilePath {\n    path: String,\n};\n\nentity HttpEndpoint {\n    hostname: String,\n};\n\nentity Server {\n    server_name: String,\n};\n\nentity Artifact {\n    artifact_format: String,\n};\n\nentity Repository {\n    repo_url: String,\n};\n\nentity Package {\n    package_name: String,\n};\n\nentity GitBranch {\n    branch_name: String,\n};\n\nentity Model {\n    model_name: String,\n};\n\nentity ExternalAPI {\n    api_name: String,\n};\n\nentity Memory {\n    memory_type: String,\n};\n\n// =============================================================================\n// ACTIONS\n// =============================================================================\n\naction process_prompt;\naction process_response;\naction invoke_model;\naction filter_content;\naction call_tool;\naction connect_server;\naction access_server_resource;\naction skip_guardrails;\naction read_file;\naction write_file;\naction delete_file;\naction http_request;\naction call_external_api;\naction execute_code;\naction run_tests;\naction run_build;\naction git_operation;\naction git_clone;\naction git_commit;\naction git_push;\naction git_pull;\naction git_merge;\naction git_checkout;\naction git_reset;\naction git_rebase;\naction delegate_task;\naction spawn_subprocess;\naction access_memory;\naction scan_target;\naction scan_package;\naction scan_artifact;\naction validate_integrity;\naction validate_provenance;\naction quarantine_artifact;\naction load_model;\naction deploy_model;\naction transfer_data;\naction export_data;\n}\n";

package/dist/schema.gen.js

@@ -19,6 +19,12 @@ namespace Highflame {
 // ENTITIES
 // =============================================================================
 
+// Multi-tenant hierarchy (used by services for ReBAC policy scoping)
+entity Account {};
+entity Project {};
+entity App {};
+entity Session {};
+
 entity User {
     user_type: String,
 };