@highflame/policy 2.1.43 → 2.1.44

package/dist/index.d.ts

@@ -5,6 +5,7 @@ export * from './schema.gen.js';
 export * from './decision-effects.gen.js';
 export * from './aarm-annotations.gen.js';
 export * from './aarm-annotation.js';
+export * from './privilege-catalog.gen.js';
 export * from './engine.js';
 export * from './builder.js';
 export * from './parser.js';

package/dist/index.js

@@ -16,6 +16,9 @@ export * from './aarm-annotations.gen.js';
 // AARM annotation parser/validator (typed parse + fail-closed validation,
 // parity with Go's aarm_annotation.go).
 export * from './aarm-annotation.js';
+// Role -> capability privilege catalog (privilege_scope minted into
+// the trusted-service JWT; checked by role-conditioned Cedar policies).
+export * from './privilege-catalog.gen.js';
 // Non-generated modules (require Node.js)
 export * from './engine.js';
 export * from './builder.js';

package/dist/privilege-catalog.gen.d.ts

@@ -0,0 +1,17 @@
+export declare const PRIVILEGE_CATALOG_VERSION = "2026-06-08";
+/** Every role in the catalog, in declaration order. */
+export declare const PRIVILEGE_CATALOG_ROLES: readonly string[];
+/** Every product the catalog applies to, in declaration order. */
+export declare const PRIVILEGE_CATALOG_PRODUCTS: readonly string[];
+/**
+* Capabilities granted to `role` for `product`, as a fresh sorted
+* `"<product>:<action>"[]`. Returns `[]` for an unknown role or product
+* (least privilege). The returned array is a copy; callers may mutate it.
+*/
+export declare function privilegeScopeForProduct(role: string, product: string): string[];
+/**
+* Capabilities granted to `role` across every catalog product, as a fresh
+* sorted+deduped `"<product>:<action>"[]`. Returns `[]` for an unknown
+* role (least privilege). The returned array is a copy.
+*/
+export declare function privilegeScopeForRole(role: string): string[];

package/dist/privilege-catalog.gen.js

@@ -0,0 +1,97 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/privilege_catalog.json
+//
+// Role -> capability privilege catalog. Maps each RBAC role to the
+// namespaced "<product>:<action>" capabilities it is provisioned to
+// drive. privilege_scope is minted into the trusted-service JWT and
+// checked by role-conditioned Cedar policies. Grants are validated
+// against each product's Cedar action schema at codegen time.
+// See adrs/0006-privilege-scope-catalog.md.
+export const PRIVILEGE_CATALOG_VERSION = '2026-06-08';
+/** Every role in the catalog, in declaration order. */
+export const PRIVILEGE_CATALOG_ROLES = [
+    'auditor',
+    'viewer',
+    'support',
+    'member',
+    'admin',
+    'partner-admin',
+    'super-admin',
+];
+/** Every product the catalog applies to, in declaration order. */
+export const PRIVILEGE_CATALOG_PRODUCTS = [
+    'guardrails',
+    'overwatch',
+    'ai_gateway',
+];
+// Role -> product -> sorted namespaced capabilities for that exact
+// (role, product). Read via privilegeScopeForProduct.
+const PRIVILEGE_SCOPE_BY_ROLE_PRODUCT = {
+    'auditor': {
+        'guardrails': ['guardrails:read_file'],
+        'overwatch': ['overwatch:read_file'],
+        'ai_gateway': ['ai_gateway:read_file'],
+    },
+    'viewer': {
+        'guardrails': ['guardrails:process_prompt', 'guardrails:read_file'],
+        'overwatch': ['overwatch:process_prompt', 'overwatch:read_file'],
+        'ai_gateway': ['ai_gateway:process_prompt', 'ai_gateway:read_file'],
+    },
+    'support': {
+        'guardrails': ['guardrails:process_prompt', 'guardrails:read_file'],
+        'overwatch': ['overwatch:process_prompt', 'overwatch:read_file'],
+        'ai_gateway': ['ai_gateway:process_prompt', 'ai_gateway:read_file'],
+    },
+    'member': {
+        'guardrails': ['guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file'],
+        'overwatch': ['overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file'],
+        'ai_gateway': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file'],
+    },
+    'admin': {
+        'guardrails': ['guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file'],
+        'overwatch': ['overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+        'ai_gateway': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file'],
+    },
+    'partner-admin': {
+        'guardrails': ['guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file'],
+        'overwatch': ['overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+        'ai_gateway': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file'],
+    },
+    'super-admin': {
+        'guardrails': ['guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file'],
+        'overwatch': ['overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+        'ai_gateway': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file'],
+    },
+};
+// Role -> sorted+deduped union of namespaced capabilities across every
+// catalog product. Read via privilegeScopeForRole.
+const PRIVILEGE_SCOPE_BY_ROLE = {
+    'auditor': ['ai_gateway:read_file', 'guardrails:read_file', 'overwatch:read_file'],
+    'viewer': ['ai_gateway:process_prompt', 'ai_gateway:read_file', 'guardrails:process_prompt', 'guardrails:read_file', 'overwatch:process_prompt', 'overwatch:read_file'],
+    'support': ['ai_gateway:process_prompt', 'ai_gateway:read_file', 'guardrails:process_prompt', 'guardrails:read_file', 'overwatch:process_prompt', 'overwatch:read_file'],
+    'member': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file'],
+    'admin': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file', 'guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file', 'overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+    'partner-admin': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file', 'guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file', 'overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+    'super-admin': ['ai_gateway:call_tool', 'ai_gateway:connect_server', 'ai_gateway:process_prompt', 'ai_gateway:read_file', 'ai_gateway:write_file', 'guardrails:call_tool', 'guardrails:connect_server', 'guardrails:process_prompt', 'guardrails:read_file', 'guardrails:write_file', 'overwatch:call_tool', 'overwatch:connect_server', 'overwatch:process_prompt', 'overwatch:read_file', 'overwatch:write_file'],
+};
+/**
+* Capabilities granted to `role` for `product`, as a fresh sorted
+* `"<product>:<action>"[]`. Returns `[]` for an unknown role or product
+* (least privilege). The returned array is a copy; callers may mutate it.
+*/
+export function privilegeScopeForProduct(role, product) {
+    const byProduct = PRIVILEGE_SCOPE_BY_ROLE_PRODUCT[role];
+    if (!byProduct)
+        return [];
+    const caps = byProduct[product];
+    return caps ? [...caps] : [];
+}
+/**
+* Capabilities granted to `role` across every catalog product, as a fresh
+* sorted+deduped `"<product>:<action>"[]`. Returns `[]` for an unknown
+* role (least privilege). The returned array is a copy.
+*/
+export function privilegeScopeForRole(role) {
+    const caps = PRIVILEGE_SCOPE_BY_ROLE[role];
+    return caps ? [...caps] : [];
+}

package/dist/types.d.ts

@@ -5,6 +5,7 @@ export * from './schema.gen.js';
 export * from './decision-effects.gen.js';
 export * from './aarm-annotations.gen.js';
 export * from './aarm-annotation.js';
+export * from './privilege-catalog.gen.js';
 export * from './builder.js';
 export * from './errors.js';
 export * from './annotations.js';

package/dist/types.js

@@ -18,6 +18,9 @@ export * from './aarm-annotations.gen.js';
 // AARM annotation parser/validator (browser-safe — typed parse + fail-closed
 // validation; Studio lints with the exact rules Shield runs at sync time).
 export * from './aarm-annotation.js';
+// Role -> capability privilege catalog (browser-safe — Studio surfaces
+// the default scope per role; checked by role-conditioned Cedar policies).
+export * from './privilege-catalog.gen.js';
 // PolicyBuilder - works in browser (no WASM dependency)
 export * from './builder.js';
 // Error types - works in browser (no WASM dependency)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@highflame/policy",
-  "version": "2.1.43",
+  "version": "2.1.44",
   "engines": {
     "node": ">=18"
   },