@highflame/policy 2.1.2 → 2.1.4

package/dist/condition-groups.js

@@ -0,0 +1,305 @@
+/**
+ * Condition Groups — flat UI-friendly representation of ConditionExpression trees.
+ *
+ * Provides bidirectional conversion between recursive ConditionExpression ASTs
+ * and flat ConditionGroup arrays suitable for visual condition builder UIs.
+ *
+ * Also provides:
+ * - expressionToCedar(): render any AST node to valid Cedar condition text
+ * - extractContextFields(): collect all context field names from an AST
+ */
+import { conditionToCedar, sanitizeIdentifier, isValidRawCondition, } from './builder.js';
+/** Sentinel field name used for raw (unparseable) conditions. */
+export const RAW_CONDITION_FIELD = '__raw';
+// ---------------------------------------------------------------------------
+// ID generation
+// ---------------------------------------------------------------------------
+let _groupCounter = 0;
+/** Generate a unique group ID. Uses a simple counter for deterministic output. */
+function nextGroupId() {
+    return `group-${++_groupCounter}`;
+}
+/** Reset the group counter (for testing). */
+export function resetGroupCounter() {
+    _groupCounter = 0;
+}
+// ---------------------------------------------------------------------------
+// expressionToGroups
+// ---------------------------------------------------------------------------
+/**
+ * Convert a ConditionExpression AST into a flat array of ConditionGroups.
+ *
+ * The top-level AND is split into separate groups. Each OR subtree becomes
+ * a single group with `logic: 'or'`. NOT wrappers set `negated: true`.
+ * Raw nodes produce a sentinel condition with `field: "__raw"`.
+ */
+export function expressionToGroups(expr) {
+    // Top-level AND → split children into groups
+    if (expr.kind === 'and') {
+        const groups = [];
+        for (const child of expr.children) {
+            groups.push(...nodeToGroups(child));
+        }
+        return groups;
+    }
+    // Anything else → delegate
+    return nodeToGroups(expr);
+}
+/**
+ * Convert a single AST node (not a top-level AND) into one or more groups.
+ */
+function nodeToGroups(expr) {
+    switch (expr.kind) {
+        case 'and': {
+            // Nested AND within a top-level AND child → single AND group
+            const conditions = collectLeafConditions(expr.children);
+            return [{ id: nextGroupId(), logic: 'and', conditions, negated: false }];
+        }
+        case 'or': {
+            const conditions = collectLeafConditions(expr.children);
+            return [{ id: nextGroupId(), logic: 'or', conditions, negated: false }];
+        }
+        case 'not': {
+            return notToGroups(expr.child);
+        }
+        case 'raw': {
+            return [{
+                    id: nextGroupId(),
+                    logic: 'and',
+                    conditions: [{ field: RAW_CONDITION_FIELD, operator: 'eq', value: expr.text }],
+                    negated: false,
+                }];
+        }
+        default: {
+            // Leaf node → single AND group with one condition
+            const cond = leafToCondition(expr);
+            return [{ id: nextGroupId(), logic: 'and', conditions: [cond], negated: false }];
+        }
+    }
+}
+/** Convert a NOT node's inner expression into negated group(s). */
+function notToGroups(inner) {
+    switch (inner.kind) {
+        case 'or': {
+            const conditions = collectLeafConditions(inner.children);
+            return [{ id: nextGroupId(), logic: 'or', conditions, negated: true }];
+        }
+        case 'and': {
+            const conditions = collectLeafConditions(inner.children);
+            return [{ id: nextGroupId(), logic: 'and', conditions, negated: true }];
+        }
+        case 'not': {
+            // Double negation: NOT(NOT(x)) → just x
+            return nodeToGroups(inner.child);
+        }
+        case 'raw': {
+            return [{
+                    id: nextGroupId(),
+                    logic: 'and',
+                    conditions: [{ field: RAW_CONDITION_FIELD, operator: 'eq', value: inner.text }],
+                    negated: true,
+                }];
+        }
+        default: {
+            // NOT wrapping a leaf
+            const cond = leafToCondition(inner);
+            return [{ id: nextGroupId(), logic: 'and', conditions: [cond], negated: true }];
+        }
+    }
+}
+/** Collect leaf conditions from an array of children. Non-leaf children become raw fallbacks. */
+function collectLeafConditions(children) {
+    return children.map(child => {
+        if (isLeaf(child)) {
+            return leafToCondition(child);
+        }
+        // Non-leaf in OR/AND children → raw fallback with Cedar text
+        return { field: RAW_CONDITION_FIELD, operator: 'eq', value: expressionToCedar(child) };
+    });
+}
+/** Check if an expression is a leaf (comparison, contains, like, has). */
+function isLeaf(expr) {
+    return expr.kind === 'comparison' || expr.kind === 'contains'
+        || expr.kind === 'like' || expr.kind === 'has';
+}
+/** Convert a leaf expression to a PolicyCondition. */
+function leafToCondition(expr) {
+    switch (expr.kind) {
+        case 'comparison':
+            return { field: expr.field, operator: expr.operator, value: expr.value };
+        case 'contains':
+            return { field: expr.field, operator: 'contains', value: expr.value };
+        case 'like':
+            return { field: expr.field, operator: 'like', value: expr.pattern };
+        case 'has':
+            return { field: expr.field, operator: 'eq', value: true };
+        default:
+            // Fallback — shouldn't reach here for true leaves
+            return { field: RAW_CONDITION_FIELD, operator: 'eq', value: expressionToCedar(expr) };
+    }
+}
+// ---------------------------------------------------------------------------
+// groupsToExpression
+// ---------------------------------------------------------------------------
+/**
+ * Convert a flat array of ConditionGroups back into a ConditionExpression AST.
+ *
+ * Each group becomes an AND/OR node (or single leaf if only one condition).
+ * If `negated`, the group is wrapped in NOT. Multiple groups are combined
+ * with a top-level AND.
+ */
+export function groupsToExpression(groups) {
+    if (groups.length === 0) {
+        return { kind: 'and', children: [] };
+    }
+    const expressions = groups.map(groupToExpression);
+    if (expressions.length === 1) {
+        return expressions[0];
+    }
+    return { kind: 'and', children: expressions };
+}
+/** Convert a single ConditionGroup to a ConditionExpression. */
+function groupToExpression(group) {
+    const children = group.conditions.map(conditionToExpression);
+    let inner;
+    if (children.length === 1) {
+        inner = children[0];
+    }
+    else if (group.logic === 'or') {
+        inner = { kind: 'or', children };
+    }
+    else {
+        inner = { kind: 'and', children };
+    }
+    if (group.negated) {
+        return { kind: 'not', child: inner };
+    }
+    return inner;
+}
+/** Convert a PolicyCondition back to a leaf ConditionExpression. */
+function conditionToExpression(cond) {
+    // Raw sentinel → raw expression
+    if (cond.field === RAW_CONDITION_FIELD) {
+        return { kind: 'raw', text: String(cond.value) };
+    }
+    switch (cond.operator) {
+        case 'contains': {
+            // contains() checks a single value against a set — value is never string[]
+            const containsVal = Array.isArray(cond.value) ? cond.value[0] ?? '' : cond.value;
+            return { kind: 'contains', field: cond.field, value: containsVal };
+        }
+        case 'like':
+            return { kind: 'like', field: cond.field, pattern: String(cond.value) };
+        default:
+            return {
+                kind: 'comparison',
+                field: cond.field,
+                operator: cond.operator,
+                value: cond.value,
+            };
+    }
+}
+// ---------------------------------------------------------------------------
+// expressionToCedar
+// ---------------------------------------------------------------------------
+/**
+ * Render any ConditionExpression node to valid Cedar condition text.
+ *
+ * This handles the full AST including AND, OR, NOT, and raw nodes —
+ * unlike `conditionToCedar()` which only handles leaf PolicyConditions.
+ *
+ * @param expr - The expression tree to render
+ * @param optionalFields - Optional set of field names that need `context has` guards
+ * @returns Cedar condition text (without the `when { ... }` wrapper)
+ */
+export function expressionToCedar(expr, optionalFields) {
+    switch (expr.kind) {
+        case 'comparison':
+        case 'contains':
+        case 'like':
+            return conditionToCedar(leafToCondition(expr), optionalFields);
+        case 'has': {
+            const field = sanitizeIdentifier(expr.field, 'field');
+            return `context has ${field}`;
+        }
+        case 'and': {
+            if (expr.children.length === 0)
+                return 'true';
+            if (expr.children.length === 1)
+                return expressionToCedar(expr.children[0], optionalFields);
+            return expr.children
+                .map(c => {
+                // Parenthesize OR children to preserve precedence
+                if (c.kind === 'or')
+                    return `(${expressionToCedar(c, optionalFields)})`;
+                return expressionToCedar(c, optionalFields);
+            })
+                .join(' && ');
+        }
+        case 'or': {
+            if (expr.children.length === 0)
+                return 'false';
+            if (expr.children.length === 1)
+                return expressionToCedar(expr.children[0], optionalFields);
+            return expr.children
+                .map(c => {
+                // Parenthesize AND children to preserve precedence
+                if (c.kind === 'and')
+                    return `(${expressionToCedar(c, optionalFields)})`;
+                return expressionToCedar(c, optionalFields);
+            })
+                .join(' || ');
+        }
+        case 'not': {
+            const inner = expressionToCedar(expr.child, optionalFields);
+            // If inner is a simple leaf, no parens needed after !
+            if (isLeaf(expr.child))
+                return `!${inner}`;
+            return `!(${inner})`;
+        }
+        case 'raw': {
+            if (isValidRawCondition(expr.text)) {
+                return expr.text;
+            }
+            return '/* invalid raw condition */';
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// extractContextFields
+// ---------------------------------------------------------------------------
+/**
+ * Extract all unique context field names referenced in a ConditionExpression tree.
+ *
+ * Used by Shield to determine which detectors to run — only detectors that
+ * produce fields referenced in active policies need to execute.
+ *
+ * @returns Sorted array of unique field names
+ */
+export function extractContextFields(expr) {
+    const fields = new Set();
+    collectFields(expr, fields);
+    return Array.from(fields).sort();
+}
+function collectFields(expr, fields) {
+    switch (expr.kind) {
+        case 'comparison':
+        case 'contains':
+        case 'like':
+        case 'has':
+            fields.add(expr.field);
+            break;
+        case 'and':
+        case 'or':
+            for (const child of expr.children) {
+                collectFields(child, fields);
+            }
+            break;
+        case 'not':
+            collectFields(expr.child, fields);
+            break;
+        case 'raw':
+            // Can't reliably extract fields from raw text
+            break;
+    }
+}

package/dist/index.d.ts

@@ -8,16 +8,21 @@ export * from './parser.js';
 export * from './errors.js';
 export * from './annotations.js';
 export * from './explain.js';
-export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
+export * from './condition-groups.js';
+export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, SENTRY_SCHEMA, SENTRY_CONTEXT, } from './service-schemas.gen.js';
 export type { ContextAttribute, ActionContext, ServiceContext, } from './service-schemas.gen.js';
 export { GuardrailsContextKey } from './guardrails-context.gen.js';
 export { OverwatchContextKey } from './overwatch-context.gen.js';
 export { PalisadeContextKey } from './palisade-context.gen.js';
+export { SentryContextKey } from './sentry-context.gen.js';
 export { GUARDRAILS_ENTITIES, GUARDRAILS_ACTION_ENTITIES, } from './guardrails-entities.gen.js';
 export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';
 export { PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './palisade-entities.gen.js';
+export { SENTRY_ENTITIES, SENTRY_ACTION_ENTITIES, } from './sentry-entities.gen.js';
 export type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
 export { GUARDRAILS_DEFAULTS, GUARDRAILS_TEMPLATES, GUARDRAILS_CATEGORIES, GUARDRAILS_TEMPLATES_JSON, getGuardrailsDefaultsByCategory, getGuardrailsTemplatesByCategory, getGuardrailsTemplateById, } from './guardrails-defaults.gen.js';
 export type { GuardrailsCategory, GuardrailsCategoryInfo, GuardrailsDefaultPolicy, GuardrailsTemplate, } from './guardrails-defaults.gen.js';
 export { OVERWATCH_DEFAULTS, OVERWATCH_TEMPLATES, OVERWATCH_CATEGORIES, OVERWATCH_TEMPLATES_JSON, getOverwatchDefaultsByCategory, getOverwatchTemplatesByCategory, getOverwatchTemplateById, } from './overwatch-defaults.gen.js';
 export type { OverwatchCategory, OverwatchCategoryInfo, OverwatchDefaultPolicy, OverwatchTemplate, } from './overwatch-defaults.gen.js';
+export { SENTRY_DEFAULTS, SENTRY_TEMPLATES, SENTRY_CATEGORIES, SENTRY_TEMPLATES_JSON, getSentryDefaultsByCategory, getSentryTemplatesByCategory, getSentryTemplateById, } from './sentry-defaults.gen.js';
+export type { SentryCategory, SentryCategoryInfo, SentryDefaultPolicy, SentryTemplate, } from './sentry-defaults.gen.js';

package/dist/index.js

@@ -15,16 +15,21 @@ export * from './errors.js';
 export * from './annotations.js';
 // Decision explanation
 export * from './explain.js';
+// Condition groups (AST ↔ flat UI groups)
+export * from './condition-groups.js';
 // Service-specific schemas and context (inlined)
-export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, } from './service-schemas.gen.js';
+export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, SENTRY_SCHEMA, SENTRY_CONTEXT, } from './service-schemas.gen.js';
 // Service-specific context key enums
 export { GuardrailsContextKey } from './guardrails-context.gen.js';
 export { OverwatchContextKey } from './overwatch-context.gen.js';
 export { PalisadeContextKey } from './palisade-context.gen.js';
+export { SentryContextKey } from './sentry-context.gen.js';
 // Service-specific entity metadata (for UI - principals, resources, actions)
 export { GUARDRAILS_ENTITIES, GUARDRAILS_ACTION_ENTITIES, } from './guardrails-entities.gen.js';
 export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';
 export { PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './palisade-entities.gen.js';
+export { SENTRY_ENTITIES, SENTRY_ACTION_ENTITIES, } from './sentry-entities.gen.js';
 // Service-specific default policies, templates, and categories
 export { GUARDRAILS_DEFAULTS, GUARDRAILS_TEMPLATES, GUARDRAILS_CATEGORIES, GUARDRAILS_TEMPLATES_JSON, getGuardrailsDefaultsByCategory, getGuardrailsTemplatesByCategory, getGuardrailsTemplateById, } from './guardrails-defaults.gen.js';
 export { OVERWATCH_DEFAULTS, OVERWATCH_TEMPLATES, OVERWATCH_CATEGORIES, OVERWATCH_TEMPLATES_JSON, getOverwatchDefaultsByCategory, getOverwatchTemplatesByCategory, getOverwatchTemplateById, } from './overwatch-defaults.gen.js';
+export { SENTRY_DEFAULTS, SENTRY_TEMPLATES, SENTRY_CATEGORIES, SENTRY_TEMPLATES_JSON, getSentryDefaultsByCategory, getSentryTemplatesByCategory, getSentryTemplateById, } from './sentry-defaults.gen.js';

package/dist/overwatch-context.gen.d.ts

@@ -41,6 +41,13 @@ export declare const OverwatchContextKey: {
     readonly SecretCount: "secret_count";
     readonly SecretTypes: "secret_types";
     readonly SequenceRisk: "sequence_risk";
+    readonly SessionCommandInjection: "session_command_injection";
+    readonly SessionInjectionDetected: "session_injection_detected";
+    readonly SessionPiiDetected: "session_pii_detected";
+    readonly SessionPiiTypes: "session_pii_types";
+    readonly SessionSecretTypes: "session_secret_types";
+    readonly SessionSecretsDetected: "session_secrets_detected";
+    readonly SessionThreatTurns: "session_threat_turns";
     readonly SexualScore: "sexual_score";
     readonly Source: "source";
     readonly SuspiciousPattern: "suspicious_pattern";

package/dist/overwatch-context.gen.js

@@ -43,6 +43,13 @@ export const OverwatchContextKey = {
     SecretCount: 'secret_count',
     SecretTypes: 'secret_types',
     SequenceRisk: 'sequence_risk',
+    SessionCommandInjection: 'session_command_injection',
+    SessionInjectionDetected: 'session_injection_detected',
+    SessionPiiDetected: 'session_pii_detected',
+    SessionPiiTypes: 'session_pii_types',
+    SessionSecretTypes: 'session_secret_types',
+    SessionSecretsDetected: 'session_secrets_detected',
+    SessionThreatTurns: 'session_threat_turns',
     SexualScore: 'sexual_score',
     Source: 'source',
     SuspiciousPattern: 'suspicious_pattern',