cedar-mcp-server 1.0.0

package/dist/tools/diff-stores.js

@@ -0,0 +1,222 @@
+import { isAuthorized } from "@cedar-policy/cedar-wasm/nodejs";
+import { handleCheckChange } from "./check-change.js";
+import { handleDiffSchema } from "./diff-schema.js";
+import { normalizePrincipalRef } from "../utils/format-detector.js";
+export async function handleDiffStores(input, manager) {
+    // Validate stores exist
+    try {
+        manager.requireStore(input.blue);
+    }
+    catch (e) {
+        return errorResult(input.blue, input.green, e instanceof Error ? e.message : String(e));
+    }
+    try {
+        manager.requireStore(input.green);
+    }
+    catch (e) {
+        return errorResult(input.blue, input.green, e instanceof Error ? e.message : String(e));
+    }
+    const bluePolicies = new Map();
+    const greenPolicies = new Map();
+    for (const id of manager.listPolicies(input.blue)) {
+        bluePolicies.set(id, manager.readPolicy(input.blue, id));
+    }
+    for (const id of manager.listPolicies(input.green)) {
+        greenPolicies.set(id, manager.readPolicy(input.green, id));
+    }
+    // Structural diff
+    const policies_added = [];
+    const policies_removed = [];
+    const policies_modified = [];
+    for (const [id, content] of greenPolicies) {
+        if (!bluePolicies.has(id)) {
+            policies_added.push({ policy_id: id, content });
+        }
+    }
+    for (const [id, content] of bluePolicies) {
+        if (!greenPolicies.has(id)) {
+            policies_removed.push({ policy_id: id, content });
+        }
+        else {
+            const blueContent = content;
+            const greenContent = greenPolicies.get(id);
+            if (blueContent.trim() !== greenContent.trim()) {
+                // Reuse check-change logic for AVP immutability classification
+                const changeResult = await handleCheckChange({
+                    old_policy: blueContent,
+                    new_policy: greenContent,
+                });
+                if (changeResult.error) {
+                    // Parse error on one or both sides — report as modified with error context
+                    policies_modified.push({
+                        policy_id: id,
+                        can_update_in_place: false,
+                        changes: [],
+                        recommendation: `Could not diff policy "${id}": ${changeResult.error}`,
+                    });
+                }
+                else if (changeResult.changes.length > 0) {
+                    policies_modified.push({
+                        policy_id: id,
+                        can_update_in_place: changeResult.can_update_in_place,
+                        changes: changeResult.changes.map((c) => ({
+                            field: c.field,
+                            in_place_allowed: c.in_place_allowed,
+                            reason: c.reason,
+                        })),
+                        recommendation: changeResult.recommendation,
+                    });
+                }
+                // If changes.length === 0 and no error: policies differ in text but not semantically
+                // (formatting change). Treat as unchanged — no entry in policies_modified.
+            }
+        }
+    }
+    // Schema diff — structured via handleDiffSchema
+    let schema_diff;
+    try {
+        const blueSchema = manager.readSchema(input.blue);
+        const greenSchema = manager.readSchema(input.green);
+        schema_diff = await handleDiffSchema({ blue: blueSchema, green: greenSchema });
+    }
+    catch (e) {
+        schema_diff = emptySchemaDiff(`Schema comparison failed: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    // Behavioral diff (optional)
+    let behavioral_diff;
+    if (input.behavioral_test_requests) {
+        behavioral_diff = await runBehavioralDiff(input.blue, input.green, input.behavioral_test_requests, manager);
+    }
+    // Summary
+    const totalChanges = policies_added.length + policies_removed.length + policies_modified.length;
+    const requiresRecreate = policies_modified.filter((p) => !p.can_update_in_place).length;
+    const driftCount = behavioral_diff?.filter((d) => d.drifted).length ?? 0;
+    const schema_changed = hasSchemaChanges(schema_diff);
+    const schemaBreaking = schema_diff.risk_level === "breaking";
+    let summary;
+    if (totalChanges === 0 && !schema_changed) {
+        summary = "No changes detected between blue and green stores.";
+    }
+    else {
+        const parts = [];
+        if (policies_added.length)
+            parts.push(`${policies_added.length} added`);
+        if (policies_removed.length)
+            parts.push(`${policies_removed.length} removed`);
+        if (policies_modified.length) {
+            parts.push(`${policies_modified.length} modified`);
+            if (requiresRecreate)
+                parts.push(`(${requiresRecreate} require delete-recreate in AVP)`);
+        }
+        if (schema_changed) {
+            parts.push(schemaBreaking ? "schema changed (BREAKING)" : "schema changed");
+        }
+        if (driftCount)
+            parts.push(`${driftCount} authorization decision(s) would change`);
+        summary = `Policy diff: ${parts.join(", ")}.`;
+    }
+    return {
+        blue: input.blue,
+        green: input.green,
+        policies_added,
+        policies_removed,
+        policies_modified,
+        schema_diff,
+        ...(behavioral_diff !== undefined ? { behavioral_diff } : {}),
+        summary,
+    };
+}
+function hasSchemaChanges(d) {
+    return (d.namespaces_added.length > 0 ||
+        d.namespaces_removed.length > 0 ||
+        d.entity_types.added.length > 0 ||
+        d.entity_types.removed.length > 0 ||
+        d.entity_types.modified.length > 0 ||
+        d.actions.added.length > 0 ||
+        d.actions.removed.length > 0 ||
+        d.actions.modified.length > 0 ||
+        d.common_types.added.length > 0 ||
+        d.common_types.removed.length > 0 ||
+        d.common_types.modified.length > 0);
+}
+function emptySchemaDiff(error) {
+    return {
+        namespaces_added: [],
+        namespaces_removed: [],
+        entity_types: { added: [], removed: [], modified: [] },
+        actions: { added: [], removed: [], modified: [] },
+        common_types: { added: [], removed: [], modified: [] },
+        summary: "",
+        risk_level: "safe",
+        ...(error ? { error } : {}),
+    };
+}
+async function runBehavioralDiff(blue, green, requestsJson, manager) {
+    let requests;
+    try {
+        requests = JSON.parse(requestsJson);
+        if (!Array.isArray(requests))
+            return [{ principal: "", action: "", resource: "", blue_decision: "Deny", green_decision: "Deny", drifted: false }];
+    }
+    catch {
+        return [];
+    }
+    const bluePolicies = manager.readAllPolicies(blue);
+    const greenPolicies = manager.readAllPolicies(green);
+    const entries = [];
+    for (const req of requests) {
+        const principalRef = normalizePrincipalRef(req.principal);
+        const actionRef = normalizePrincipalRef(req.action);
+        const resourceRef = normalizePrincipalRef(req.resource);
+        const refError = ("error" in principalRef ? principalRef.error : null) ??
+            ("error" in actionRef ? actionRef.error : null) ??
+            ("error" in resourceRef ? resourceRef.error : null);
+        const principalStr = typeof req.principal === "string" ? req.principal : JSON.stringify(req.principal);
+        const actionStr = typeof req.action === "string" ? req.action : JSON.stringify(req.action);
+        const resourceStr = typeof req.resource === "string" ? req.resource : JSON.stringify(req.resource);
+        if (refError) {
+            entries.push({ principal: principalStr, action: actionStr, resource: resourceStr, blue_decision: "Error", green_decision: "Error", drifted: false, error: refError });
+            continue;
+        }
+        let entities;
+        try {
+            entities = JSON.parse(req.entities);
+        }
+        catch {
+            entries.push({ principal: principalStr, action: actionStr, resource: resourceStr, blue_decision: "Error", green_decision: "Error", drifted: false, error: "Invalid entities JSON" });
+            continue;
+        }
+        // After the refError guard above, refs are guaranteed to be NormalizedRef (no error field)
+        const safeP = principalRef;
+        const safeA = actionRef;
+        const safeR = resourceRef;
+        const context = {};
+        const callBase = { principal: safeP, action: safeA, resource: safeR, context, entities };
+        const blueAnswer = isAuthorized({ ...callBase, policies: { staticPolicies: bluePolicies } });
+        const greenAnswer = isAuthorized({ ...callBase, policies: { staticPolicies: greenPolicies } });
+        const blueDecision = blueAnswer.type === "success" && blueAnswer.response.decision === "allow" ? "Allow" : "Deny";
+        const greenDecision = greenAnswer.type === "success" && greenAnswer.response.decision === "allow" ? "Allow" : "Deny";
+        entries.push({
+            principal: principalStr,
+            action: actionStr,
+            resource: resourceStr,
+            blue_decision: blueDecision,
+            green_decision: greenDecision,
+            drifted: blueDecision !== greenDecision,
+        });
+    }
+    return entries;
+}
+function errorResult(blue, green, error) {
+    return {
+        blue,
+        green,
+        policies_added: [],
+        policies_removed: [],
+        policies_modified: [],
+        schema_diff: emptySchemaDiff(),
+        summary: "",
+        error,
+    };
+}
+//# sourceMappingURL=diff-stores.js.map

package/dist/tools/diff-stores.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diff-stores.js","sourceRoot":"","sources":["../../src/tools/diff-stores.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iCAAiC,CAAC;AAE/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAmB,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAsCpE,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAsB,EACtB,OAAqB;IAErB,wBAAwB;IACxB,IAAI,CAAC;QACH,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1F,CAAC;IACD,IAAI,CAAC;QACH,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,WAAW,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1F,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEhD,KAAK,MAAM,EAAE,IAAI,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QAClD,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IACD,KAAK,MAAM,EAAE,IAAI,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QACnD,aAAa,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;IAC7D,CAAC;IAED,kBAAkB;IAClB,MAAM,cAAc,GAAuC,EAAE,CAAC;IAC9D,MAAM,gBAAgB,GAAyC,EAAE,CAAC;IAClE,MAAM,iBAAiB,GAAuB,EAAE,CAAC;IAEjD,KAAK,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,aAAa,EAAE,CAAC;QAC1C,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YAC1B,cAAc,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,IAAI,YAAY,EAAE,CAAC;QACzC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YAC3B,gBAAgB,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,MAAM,WAAW,GAAG,OAAO,CAAC;YAC5B,MAAM,YAAY,GAAG,aAAa,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC;YAC5C,IAAI,WAAW,CAAC,IAAI,EAAE,KAAK,YAAY,CAAC,IAAI,EAAE,EAAE,CAAC;gBAC/C,+DAA+D;gBAC/D,MAAM,YAAY,GAAG,MAAM,iBAAiB,CAAC;oBAC3C,UAAU,EAAE,WAAW;oBACvB,UAAU,EAAE,YAAY;iBACzB,CAAC,CAAC;gBACH,IAAI,YAAY,CAAC,KAAK,EAAE,CAAC;oBACvB,2EAA2E;oBAC3E,iBAAiB,CAAC,IAAI,CAAC;wBACrB,SAAS,EAAE,EAAE;wBACb,mBAAmB,EAAE,KAAK;wBAC1B,OAAO,EAAE,EAAE;wBACX,cAAc,EAAE,0BAA0B,EAAE,MAAM,YAAY,CAAC,KAAK,EAAE;qBACvE,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,YAAY,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3C,iBAAiB,CAAC,IAAI,CAAC;wBACrB,SAAS,EAAE,EAAE;wBACb,mBAAmB,EAAE,YAAY,CAAC,mBAAmB;wBACrD,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;4BACxC,KAAK,EAAE,CAAC,CAAC,KAAK;4BACd,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;4BACpC,MAAM,EAAE,CAAC,CAAC,MAAM;yBACjB,CAAC,CAAC;wBACH,cAAc,EAAE,YAAY,CAAC,cAAc;qBAC5C,CAAC,CAAC;gBACL,CAAC;gBACD,qFAAqF;gBACrF,2EAA2E;YAC7E,CAAC;QACH,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,IAAI,WAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClD,MAAM,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACpD,WAAW,GAAG,MAAM,gBAAgB,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IACjF,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,WAAW,GAAG,eAAe,CAAC,6BAA6B,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC3G,CAAC;IAED,6BAA6B;IAC7B,IAAI,eAAmD,CAAC;IACxD,IAAI,KAAK,CAAC,wBAAwB,EAAE,CAAC;QACnC,eAAe,GAAG,MAAM,iBAAiB,CACvC,KAAK,CAAC,IAAI,EACV,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,wBAAwB,EAC9B,OAAO,CACR,CAAC;IACJ,CAAC;IAED,UAAU;IACV,MAAM,YAAY,GAChB,cAAc,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC;IAC7E,MAAM,gBAAgB,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,MAAM,CAAC;IACxF,MAAM,UAAU,GAAG,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;IACzE,MAAM,cAAc,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACrD,MAAM,cAAc,GAAG,WAAW,CAAC,UAAU,KAAK,UAAU,CAAC;IAE7D,IAAI,OAAe,CAAC;IACpB,IAAI,YAAY,KAAK,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,OAAO,GAAG,oDAAoD,CAAC;IACjE,CAAC;SAAM,CAAC;QACN,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,cAAc,CAAC,MAAM;YAAE,KAAK,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,MAAM,QAAQ,CAAC,CAAC;QACxE,IAAI,gBAAgB,CAAC,MAAM;YAAE,KAAK,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,MAAM,UAAU,CAAC,CAAC;QAC9E,IAAI,iBAAiB,CAAC,MAAM,EAAE,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,MAAM,WAAW,CAAC,CAAC;YACnD,IAAI,gBAAgB;gBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,gBAAgB,kCAAkC,CAAC,CAAC;QAC3F,CAAC;QACD,IAAI,cAAc,EAAE,CAAC;YACnB,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,2BAA2B,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,UAAU;YAAE,KAAK,CAAC,IAAI,CAAC,GAAG,UAAU,yCAAyC,CAAC,CAAC;QACnF,OAAO,GAAG,gBAAgB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;IAChD,CAAC;IAED,OAAO;QACL,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,cAAc;QACd,gBAAgB;QAChB,iBAAiB;QACjB,WAAW;QACX,GAAG,CAAC,eAAe,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7D,OAAO;KACR,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,CAAa;IACrC,OAAO,CACL,CAAC,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC;QAC7B,CAAC,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC;QAC/B,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAC/B,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;QACjC,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;QAClC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAC1B,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;QAC5B,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;QAC7B,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QAC/B,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;QACjC,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CACnC,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,OAAO;QACL,gBAAgB,EAAE,EAAE;QACpB,kBAAkB,EAAE,EAAE;QACtB,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;QACtD,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;QACjD,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;QACtD,OAAO,EAAE,EAAE;QACX,UAAU,EAAE,MAAM;QAClB,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5B,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,IAAY,EACZ,KAAa,EACb,YAAoB,EACpB,OAAqB;IAErB,IAAI,QAMF,CAAC;IACH,IAAI,CAAC;QACH,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QACpC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;YAAE,OAAO,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IACpJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACnD,MAAM,aAAa,GAAG,OAAO,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAErD,MAAM,OAAO,GAA2B,EAAE,CAAC;IAE3C,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,YAAY,GAAG,qBAAqB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,qBAAqB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACpD,MAAM,WAAW,GAAG,qBAAqB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAExD,MAAM,QAAQ,GACZ,CAAC,OAAO,IAAI,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;YACrD,CAAC,OAAO,IAAI,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;YAC/C,CAAC,OAAO,IAAI,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAEtD,MAAM,YAAY,GAAG,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvG,MAAM,SAAS,GAAG,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3F,MAAM,WAAW,GAAG,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEnG,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;YACtK,SAAS;QACX,CAAC;QAED,IAAI,QAAkB,CAAC;QACvB,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;YACrL,SAAS;QACX,CAAC;QAED,2FAA2F;QAC3F,MAAM,KAAK,GAAG,YAA4C,CAAC;QAC3D,MAAM,KAAK,GAAG,SAAyC,CAAC;QACxD,MAAM,KAAK,GAAG,WAA2C,CAAC;QAC1D,MAAM,OAAO,GAAG,EAAE,CAAC;QACnB,MAAM,QAAQ,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;QAEzF,MAAM,UAAU,GAAG,YAAY,CAAC,EAAE,GAAG,QAAQ,EAAE,QAAQ,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,EAAE,CAAC,CAAC;QAC7F,MAAM,WAAW,GAAG,YAAY,CAAC,EAAE,GAAG,QAAQ,EAAE,QAAQ,EAAE,EAAE,cAAc,EAAE,aAAa,EAAE,EAAE,CAAC,CAAC;QAE/F,MAAM,YAAY,GAChB,UAAU,CAAC,IAAI,KAAK,SAAS,IAAI,UAAU,CAAC,QAAQ,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;QAC/F,MAAM,aAAa,GACjB,WAAW,CAAC,IAAI,KAAK,SAAS,IAAI,WAAW,CAAC,QAAQ,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;QAEjG,OAAO,CAAC,IAAI,CAAC;YACX,SAAS,EAAE,YAAY;YACvB,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE,WAAW;YACrB,aAAa,EAAE,YAAY;YAC3B,cAAc,EAAE,aAAa;YAC7B,OAAO,EAAE,YAAY,KAAK,aAAa;SACxC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,WAAW,CAAC,IAAY,EAAE,KAAa,EAAE,KAAa;IAC7D,OAAO;QACL,IAAI;QACJ,KAAK;QACL,cAAc,EAAE,EAAE;QAClB,gBAAgB,EAAE,EAAE;QACpB,iBAAiB,EAAE,EAAE;QACrB,WAAW,EAAE,eAAe,EAAE;QAC9B,OAAO,EAAE,EAAE;QACX,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/tools/explain.d.ts

@@ -0,0 +1,80 @@
+export interface ExplainInput {
+    policy: string;
+    schema?: string;
+}
+export interface ScopeDescription {
+    scope: string;
+    description: string;
+}
+export interface ConditionDescription {
+    kind: "when" | "unless";
+    text: string;
+}
+export interface ExplainResult {
+    effect: "permit" | "forbid";
+    principal: ScopeDescription;
+    action: ScopeDescription;
+    resource: ScopeDescription;
+    conditions: ConditionDescription[];
+    summary: string;
+    patterns_detected: string[];
+    error?: string;
+    /**
+     * 10d workspace auto-discovery: populated by the server.ts MCP handler when
+     * the schema was resolved from a loaded MCP root rather than supplied inline.
+     * On ExplainManyResult the field appears on the top-level result so a single
+     * auto-discovery decision applies to the whole policy set.
+     */
+    auto_discovered?: {
+        schema_from?: string;
+    };
+}
+export declare function handleExplain(input: ExplainInput): Promise<ExplainResult>;
+export interface ExplainManyResult {
+    policy_count: number;
+    policies: Array<ExplainResult & {
+        index: number;
+    }>;
+    /**
+     * 10d workspace auto-discovery: see ExplainResult.auto_discovered. On the
+     * many-result the field lives at the top level so the auto-discovered schema
+     * is reported once rather than duplicated on every policy entry.
+     */
+    auto_discovered?: {
+        schema_from?: string;
+    };
+}
+/**
+ * Explains a Cedar policy set (one or more policies).
+ * Uses policySetTextToParts to split, then explains each individually.
+ * Falls back to single-policy handling when there is exactly one policy.
+ */
+export declare function handleExplainMany(input: ExplainInput): Promise<ExplainManyResult | ExplainResult>;
+/**
+ * Inputs accepted by the MCP-level explain entry point. Wider than
+ * `ExplainInput` because it also accepts the `_ref` shape the MCP layer
+ * resolves before reaching `handleExplainMany`.
+ */
+export interface ExplainMcpInput {
+    policy: string;
+    schema?: string;
+    schema_ref?: string;
+    store?: string;
+}
+/**
+ * 10d workspace auto-discovery wrapper for `cedar_explain`. Resolves the
+ * schema from a loaded MCP root when neither `schema` nor `schema_ref` was
+ * supplied. The schema is optional for explain, so single-store deployments
+ * with no schema file just delegate to the parser without one. Multi-store
+ * deployments with no explicit `store` parameter return an ambiguity error.
+ */
+export declare function handleExplainMcp(input: ExplainMcpInput, resolveRef: (uri: string) => {
+    content: string;
+} | {
+    error: string;
+}): Promise<{
+    result: ExplainResult | ExplainManyResult;
+} | {
+    error: string;
+}>;
+//# sourceMappingURL=explain.d.ts.map

package/dist/tools/explain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"explain.d.ts","sourceRoot":"","sources":["../../src/tools/explain.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,GAAG,QAAQ,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,QAAQ,GAAG,QAAQ,CAAC;IAC5B,SAAS,EAAE,gBAAgB,CAAC;IAC5B,MAAM,EAAE,gBAAgB,CAAC;IACzB,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,UAAU,EAAE,oBAAoB,EAAE,CAAC;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,eAAe,CAAC,EAAE;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAoDD,wBAAsB,aAAa,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC,CA4E/E;AAID,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,KAAK,CAAC,aAAa,GAAG;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACnD;;;;OAIG;IACH,eAAe,CAAC,EAAE;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,iBAAiB,GAAG,aAAa,CAAC,CAoBvG;AAID;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,eAAe,EACtB,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GACnE,OAAO,CAAC;IAAE,MAAM,EAAE,aAAa,GAAG,iBAAiB,CAAA;CAAE,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAqC5E"}

package/dist/tools/explain.js

@@ -0,0 +1,187 @@
+import { policyToJson, templateToJson, policySetTextToParts } from "@cedar-policy/cedar-wasm/nodejs";
+import { describePrincipal, describeAction, describeResource, describeCondition, detectPatterns, } from "../parser/policy-ast.js";
+import { storeManager } from "../resources/store-manager.js";
+function parsePolicyJson(policyText) {
+    const result = policyToJson(policyText);
+    if (result.type === "success")
+        return result.json;
+    const errors = result.errors.map((e) => e.message).join("; ");
+    // Fall back to templateToJson if the error is about template slots
+    if (errors.includes("template") || errors.includes("slot")) {
+        const templateResult = templateToJson(policyText);
+        if (templateResult.type === "success")
+            return templateResult.json;
+        throw new Error(templateResult.errors.map((e) => e.message).join("; "));
+    }
+    throw new Error(errors);
+}
+function buildSummary(json, principalDesc, actionDesc, resourceDesc, conditions, isTemplate) {
+    const effect = json.effect === "permit" ? "PERMITS" : "FORBIDS";
+    const base = `${effect} ${principalDesc} to perform ${actionDesc} on ${resourceDesc}`;
+    if (isTemplate) {
+        const slots = [
+            json.principal.op === "==" && "slot" in json.principal ? `?principal` : null,
+            json.resource.op === "==" && "slot" in json.resource ? `?resource` : null,
+        ].filter(Boolean);
+        return `TEMPLATE POLICY: ${base}. Template slots: ${slots.join(", ")}.`;
+    }
+    if (conditions.length === 0)
+        return `${base}.`;
+    const whenClauses = conditions
+        .filter((c) => c.kind === "when")
+        .map((c) => c.text.replace(/^WHEN /, ""));
+    const unlessClauses = conditions
+        .filter((c) => c.kind === "unless")
+        .map((c) => c.text.replace(/^UNLESS /, ""));
+    let summary = base;
+    if (whenClauses.length > 0)
+        summary += `, when: ${whenClauses.join("; ")}`;
+    if (unlessClauses.length > 0)
+        summary += `, unless: ${unlessClauses.join("; ")}`;
+    return summary + ".";
+}
+export async function handleExplain(input) {
+    let json;
+    let isTemplate = false;
+    try {
+        const raw = policyToJson(input.policy);
+        if (raw.type === "failure") {
+            const errors = raw.errors.map((e) => e.message).join("; ");
+            if (errors.includes("template") || errors.includes("slot")) {
+                const templateResult = templateToJson(input.policy);
+                if (templateResult.type === "failure") {
+                    return {
+                        effect: "permit",
+                        principal: { scope: "unknown", description: "unknown" },
+                        action: { scope: "unknown", description: "unknown" },
+                        resource: { scope: "unknown", description: "unknown" },
+                        conditions: [],
+                        summary: "Failed to parse policy.",
+                        patterns_detected: [],
+                        error: templateResult.errors.map((e) => e.message).join("; "),
+                    };
+                }
+                json = templateResult.json;
+                isTemplate = true;
+            }
+            else {
+                return {
+                    effect: "permit",
+                    principal: { scope: "unknown", description: "unknown" },
+                    action: { scope: "unknown", description: "unknown" },
+                    resource: { scope: "unknown", description: "unknown" },
+                    conditions: [],
+                    summary: "Failed to parse policy.",
+                    patterns_detected: [],
+                    error: errors,
+                };
+            }
+        }
+        else {
+            json = raw.json;
+        }
+    }
+    catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        return {
+            effect: "permit",
+            principal: { scope: "unknown", description: "unknown" },
+            action: { scope: "unknown", description: "unknown" },
+            resource: { scope: "unknown", description: "unknown" },
+            conditions: [],
+            summary: "Failed to parse policy.",
+            patterns_detected: [],
+            error: msg,
+        };
+    }
+    const principalDesc = describePrincipal(json.principal);
+    const actionDesc = describeAction(json.action);
+    const resourceDesc = describeResource(json.resource);
+    const conditions = json.conditions.map((c) => ({
+        kind: c.kind,
+        text: describeCondition(c),
+    }));
+    const patterns = detectPatterns(json);
+    if (isTemplate && !patterns.includes("template_policy"))
+        patterns.unshift("template_policy");
+    const summary = buildSummary(json, principalDesc, actionDesc, resourceDesc, conditions, isTemplate);
+    return {
+        effect: json.effect,
+        principal: { scope: json.principal.op, description: principalDesc },
+        action: { scope: json.action.op, description: actionDesc },
+        resource: { scope: json.resource.op, description: resourceDesc },
+        conditions,
+        summary,
+        patterns_detected: patterns,
+    };
+}
+/**
+ * Explains a Cedar policy set (one or more policies).
+ * Uses policySetTextToParts to split, then explains each individually.
+ * Falls back to single-policy handling when there is exactly one policy.
+ */
+export async function handleExplainMany(input) {
+    const parts = policySetTextToParts(input.policy);
+    // Single policy or unparseable — fall through to single-policy handler
+    if (parts.type === "failure" || (parts.policies.length + parts.policy_templates.length) <= 1) {
+        return handleExplain(input);
+    }
+    const allPolicies = [...parts.policies, ...parts.policy_templates];
+    const results = await Promise.all(allPolicies.map(async (policyText, i) => {
+        const result = await handleExplain({ policy: policyText, schema: input.schema });
+        return { ...result, index: i };
+    }));
+    return {
+        policy_count: allPolicies.length,
+        policies: results,
+    };
+}
+/**
+ * 10d workspace auto-discovery wrapper for `cedar_explain`. Resolves the
+ * schema from a loaded MCP root when neither `schema` nor `schema_ref` was
+ * supplied. The schema is optional for explain, so single-store deployments
+ * with no schema file just delegate to the parser without one. Multi-store
+ * deployments with no explicit `store` parameter return an ambiguity error.
+ */
+export async function handleExplainMcp(input, resolveRef) {
+    let schema = input.schema;
+    if (!schema && input.schema_ref) {
+        const resolved = resolveRef(input.schema_ref);
+        if ("error" in resolved)
+            return { error: resolved.error };
+        schema = resolved.content;
+    }
+    let autoSchemaFrom;
+    if (!schema && !input.schema_ref) {
+        if (input.store) {
+            try {
+                schema = storeManager.readSchema(input.store);
+                autoSchemaFrom = input.store;
+            }
+            catch (e) {
+                return { error: e instanceof Error ? e.message : String(e) };
+            }
+        }
+        else {
+            const def = storeManager.getDefaultStore();
+            if (def.kind === "single") {
+                try {
+                    schema = storeManager.readSchema(def.store.name);
+                    autoSchemaFrom = def.store.name;
+                }
+                catch {
+                    // Store has no schema file; explain runs without a schema.
+                }
+            }
+            else if (def.kind === "ambiguous") {
+                return { error: `Multiple stores are loaded (${def.names.join(", ")}). Pass store: "<name>" to choose.` };
+            }
+        }
+    }
+    const result = await handleExplainMany({ policy: input.policy, schema });
+    if (autoSchemaFrom) {
+        result.auto_discovered = { schema_from: autoSchemaFrom };
+    }
+    return { result };
+}
+//# sourceMappingURL=explain.js.map

package/dist/tools/explain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"explain.js","sourceRoot":"","sources":["../../src/tools/explain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AACrG,OAAO,EACL,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,cAAc,GACf,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAqC7D,SAAS,eAAe,CAAC,UAAkB;IACzC,MAAM,MAAM,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IACxC,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC,IAAI,CAAC;IAElD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE9D,mEAAmE;IACnE,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3D,MAAM,cAAc,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;QAClD,IAAI,cAAc,CAAC,IAAI,KAAK,SAAS;YAAE,OAAO,cAAc,CAAC,IAA6B,CAAC;QAC3F,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,YAAY,CACnB,IAAgB,EAChB,aAAqB,EACrB,UAAkB,EAClB,YAAoB,EACpB,UAAkC,EAClC,UAAmB;IAEnB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;IAChE,MAAM,IAAI,GAAG,GAAG,MAAM,IAAI,aAAa,eAAe,UAAU,OAAO,YAAY,EAAE,CAAC;IAEtF,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,KAAK,GAAG;YACZ,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,IAAI,IAAI,MAAM,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI;YAC5E,IAAI,CAAC,QAAQ,CAAC,EAAE,KAAK,IAAI,IAAI,MAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI;SAC1E,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAClB,OAAO,oBAAoB,IAAI,qBAAqB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;IAC1E,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,IAAI,GAAG,CAAC;IAE/C,MAAM,WAAW,GAAG,UAAU;SAC3B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC;IAC5C,MAAM,aAAa,GAAG,UAAU;SAC7B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC;SAClC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC;IAE9C,IAAI,OAAO,GAAG,IAAI,CAAC;IACnB,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,WAAW,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IAC3E,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,aAAa,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IACjF,OAAO,OAAO,GAAG,GAAG,CAAC;AACvB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAmB;IACrD,IAAI,IAAgB,CAAC;IACrB,IAAI,UAAU,GAAG,KAAK,CAAC;IAEvB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC3D,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC3D,MAAM,cAAc,GAAG,cAAc,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;gBACpD,IAAI,cAAc,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;oBACtC,OAAO;wBACL,MAAM,EAAE,QAAQ;wBAChB,SAAS,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE;wBACvD,MAAM,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE;wBACpD,QAAQ,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE;wBACtD,UAAU,EAAE,EAAE;wBACd,OAAO,EAAE,yBAAyB;wBAClC,iBAAiB,EAAE,EAAE;wBACrB,KAAK,EAAE,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;qBAC9D,CAAC;gBACJ,CAAC;gBACD,IAAI,GAAG,cAAc,CAAC,IAA6B,CAAC;gBACpD,UAAU,GAAG,IAAI,CAAC;YACpB,CAAC;iBAAM,CAAC;gBACN,OAAO;oBACL,MAAM,EAAE,QAAQ;oBAChB,SAAS,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE;oBACvD,MAAM,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE;oBACpD,QAAQ,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE;oBACtD,UAAU,EAAE,EAAE;oBACd,OAAO,EAAE,yBAAyB;oBAClC,iBAAiB,EAAE,EAAE;oBACrB,KAAK,EAAE,MAAM;iBACd,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACvD,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,SAAS,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE;YACvD,MAAM,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE;YACpD,QAAQ,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE;YACtD,UAAU,EAAE,EAAE;YACd,OAAO,EAAE,yBAAyB;YAClC,iBAAiB,EAAE,EAAE;YACrB,KAAK,EAAE,GAAG;SACX,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACxD,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/C,MAAM,YAAY,GAAG,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAErD,MAAM,UAAU,GAA2B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrE,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,iBAAiB,CAAC,CAAC,CAAC;KAC3B,CAAC,CAAC,CAAC;IAEJ,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,UAAU,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC;QAAE,QAAQ,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAE7F,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,aAAa,EAAE,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;IAEpG,OAAO;QACL,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,SAAS,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,WAAW,EAAE,aAAa,EAAE;QACnE,MAAM,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,WAAW,EAAE,UAAU,EAAE;QAC1D,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,WAAW,EAAE,YAAY,EAAE;QAChE,UAAU;QACV,OAAO;QACP,iBAAiB,EAAE,QAAQ;KAC5B,CAAC;AACJ,CAAC;AAiBD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,KAAmB;IACzD,MAAM,KAAK,GAAG,oBAAoB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAEjD,uEAAuE;IACvE,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7F,OAAO,aAAa,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,WAAW,GAAG,CAAC,GAAG,KAAK,CAAC,QAAQ,EAAE,GAAG,KAAK,CAAC,gBAAgB,CAAC,CAAC;IACnE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE;QACtC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QACjF,OAAO,EAAE,GAAG,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IACjC,CAAC,CAAC,CACH,CAAC;IAEF,OAAO;QACL,YAAY,EAAE,WAAW,CAAC,MAAM;QAChC,QAAQ,EAAE,OAAO;KAClB,CAAC;AACJ,CAAC;AAgBD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAsB,EACtB,UAAoE;IAEpE,IAAI,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IAC1B,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC9C,IAAI,OAAO,IAAI,QAAQ;YAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC;QAC1D,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC;IAC5B,CAAC;IAED,IAAI,cAAkC,CAAC;IACvC,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,MAAM,GAAG,YAAY,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC9C,cAAc,GAAG,KAAK,CAAC,KAAK,CAAC;YAC/B,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,OAAO,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/D,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,GAAG,YAAY,CAAC,eAAe,EAAE,CAAC;YAC3C,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,MAAM,GAAG,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACjD,cAAc,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;gBAClC,CAAC;gBAAC,MAAM,CAAC;oBACP,2DAA2D;gBAC7D,CAAC;YACH,CAAC;iBAAM,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;gBACpC,OAAO,EAAE,KAAK,EAAE,+BAA+B,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,oCAAoC,EAAE,CAAC;YAC5G,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACzE,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,CAAC,eAAe,GAAG,EAAE,WAAW,EAAE,cAAc,EAAE,CAAC;IAC3D,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,CAAC;AACpB,CAAC"}

package/dist/tools/format.d.ts

@@ -0,0 +1,11 @@
+export interface FormatInput {
+    policies: string;
+    line_width?: number;
+    indent_width?: number;
+}
+export interface FormatResult {
+    formatted: string | null;
+    error: string | null;
+}
+export declare function handleFormat(input: FormatInput): Promise<FormatResult>;
+//# sourceMappingURL=format.d.ts.map

package/dist/tools/format.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"format.d.ts","sourceRoot":"","sources":["../../src/tools/format.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,wBAAsB,YAAY,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC,CAmB5E"}

package/dist/tools/format.js

@@ -0,0 +1,20 @@
+import { formatPolicies } from "@cedar-policy/cedar-wasm/nodejs";
+export async function handleFormat(input) {
+    // per spike-report-wasm-api.md §3: formatPolicies takes FormattingCall object, not raw string
+    const answer = formatPolicies({
+        policyText: input.policies,
+        ...(input.line_width !== undefined ? { lineWidth: input.line_width } : {}),
+        ...(input.indent_width !== undefined ? { indentWidth: input.indent_width } : {}),
+    });
+    if (answer.type === "failure") {
+        return {
+            formatted: null,
+            error: answer.errors.map((e) => e.message).join("; "),
+        };
+    }
+    return {
+        formatted: answer.formatted_policy,
+        error: null,
+    };
+}
+//# sourceMappingURL=format.js.map

package/dist/tools/format.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"format.js","sourceRoot":"","sources":["../../src/tools/format.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AAajE,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAkB;IACnD,8FAA8F;IAC9F,MAAM,MAAM,GAAG,cAAc,CAAC;QAC5B,UAAU,EAAE,KAAK,CAAC,QAAQ;QAC1B,GAAG,CAAC,KAAK,CAAC,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,KAAK,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACjF,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO;YACL,SAAS,EAAE,IAAI;YACf,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;SACtD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,SAAS,EAAE,MAAM,CAAC,gBAAgB;QAClC,KAAK,EAAE,IAAI;KACZ,CAAC;AACJ,CAAC"}

package/dist/tools/generate-sample.d.ts

@@ -0,0 +1,28 @@
+export interface GenerateSampleInput {
+    policy: string;
+    schema: string;
+    target_decision: "allow" | "deny";
+}
+export interface EntityPayload {
+    uid: {
+        type: string;
+        id: string;
+    };
+    attrs: Record<string, unknown>;
+    parents: Array<{
+        type: string;
+        id: string;
+    }>;
+}
+export interface GenerateSampleResult {
+    principal: string;
+    action: string;
+    resource: string;
+    entities: EntityPayload[];
+    explanation: string;
+    decision?: "Allow" | "Deny";
+    ready_to_test?: boolean;
+    error?: string;
+}
+export declare function handleGenerateSample(input: GenerateSampleInput): Promise<GenerateSampleResult>;
+//# sourceMappingURL=generate-sample.d.ts.map

package/dist/tools/generate-sample.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-sample.d.ts","sourceRoot":"","sources":["../../src/tools/generate-sample.ts"],"names":[],"mappings":"AAYA,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,OAAO,GAAG,MAAM,CAAC;CACnC;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IAClC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC9C;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IAC5B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAifD,wBAAsB,oBAAoB,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAsIpG"}