cedar-mcp-server 1.0.0

package/dist/tools/validate.d.ts

@@ -0,0 +1,90 @@
+export interface ValidateInput {
+    policies: string;
+    /** Optional. When omitted, validate runs in syntax-only mode (parse-only, no schema typing). */
+    schema?: string;
+    /**
+     * Optional store name to disambiguate workspace auto-discovery (10d) when
+     * multiple stores are loaded. The server.ts handler resolves this against
+     * the StoreManager and supplies `schema` before calling handleValidate; the
+     * field is carried through so handleValidate can surface ambiguity errors
+     * when callers invoke it directly without going through the MCP layer.
+     */
+    store?: string;
+    /**
+     * 11c opt-in: explicitly select the validation mode rather than letting
+     * schema presence decide it.
+     *
+     * "auto" (default): schema presence picks the mode. With a schema (inline
+     *   or auto-discovered from a single loaded store), run syntax_and_schema.
+     *   Without one, run syntax_only.
+     * "syntax_only": always parser-only. Skip workspace auto-discovery and
+     *   ignore any inline schema. Useful when the user explicitly says "I have
+     *   no schema" or wants a fast syntax sanity check.
+     * "syntax_and_schema": require a schema. If neither an inline schema nor
+     *   one resolvable from a loaded store is available, return a clear error
+     *   rather than silently dropping to syntax_only.
+     */
+    validation_mode?: "auto" | "syntax_only" | "syntax_and_schema";
+}
+export interface ValidateError {
+    policy_id: string;
+    message: string;
+    hint: string | null;
+    /** 1-indexed line of the source location, when the WASM error reports one. */
+    line?: number;
+    /** 1-indexed column of the source location, when the WASM error reports one. */
+    column?: number;
+}
+export interface ValidateResult {
+    valid: boolean;
+    errors: ValidateError[];
+    warnings: ValidateError[];
+    policy_count: number;
+    /**
+     * Discriminator that tells the caller what was actually checked.
+     * "syntax_only": parser-only run, no schema supplied. Catches parse errors
+     *   (typos, malformed scopes, bad operators) but not attribute typing or
+     *   action applicability.
+     * "syntax_and_schema": full parse + type-check against a Cedar schema.
+     */
+    validation_mode: "syntax_only" | "syntax_and_schema";
+    /**
+     * 10d workspace auto-discovery: populated when an input was sourced from a
+     * loaded MCP root rather than supplied inline. Surfaces to the caller which
+     * store ended up satisfying the missing field so the action is traceable.
+     */
+    auto_discovered?: {
+        schema_from?: string;
+    };
+}
+export declare function handleValidate(input: ValidateInput): Promise<ValidateResult>;
+/**
+ * Inputs accepted by the MCP-level validate entry point. Wider than
+ * `ValidateInput` because it also accepts the `_ref` shapes the MCP layer
+ * resolves before reaching `handleValidate`.
+ */
+export interface ValidateMcpInput {
+    policies?: string;
+    policy_ref?: string;
+    schema?: string;
+    schema_ref?: string;
+    store?: string;
+    validation_mode?: "auto" | "syntax_only" | "syntax_and_schema";
+}
+/**
+ * 10d workspace auto-discovery wrapper for `cedar_validate`. Resolves the
+ * schema from a loaded MCP root when neither `schema` nor `schema_ref` was
+ * supplied. Single-store deployments upgrade to syntax_and_schema mode;
+ * multi-store deployments require an explicit `store` parameter and return
+ * an ambiguity error otherwise.
+ */
+export declare function handleValidateMcp(input: ValidateMcpInput, resolveRef: (uri: string) => {
+    content: string;
+} | {
+    error: string;
+}): Promise<{
+    result: ValidateResult;
+} | {
+    error: string;
+}>;
+//# sourceMappingURL=validate.d.ts.map

package/dist/tools/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../src/tools/validate.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,gGAAgG;IAChG,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;;;;;;;;;OAaG;IACH,eAAe,CAAC,EAAE,MAAM,GAAG,aAAa,GAAG,mBAAmB,CAAC;CAChE;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,8EAA8E;IAC9E,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gFAAgF;IAChF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,aAAa,EAAE,CAAC;IACxB,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB;;;;;;OAMG;IACH,eAAe,EAAE,aAAa,GAAG,mBAAmB,CAAC;IACrD;;;;OAIG;IACH,eAAe,CAAC,EAAE;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAoMD,wBAAsB,cAAc,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC,CA+HlF;AAID;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,GAAG,aAAa,GAAG,mBAAmB,CAAC;CAChE;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,gBAAgB,EACvB,UAAU,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GACnE,OAAO,CAAC;IAAE,MAAM,EAAE,cAAc,CAAA;CAAE,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CA2CzD"}

package/dist/tools/validate.js

@@ -0,0 +1,351 @@
+import { validate, checkParsePolicySet, policySetTextToParts } from "@cedar-policy/cedar-wasm/nodejs";
+import { storeManager } from "../resources/store-manager.js";
+/**
+ * Common Cedar typo → suggestion table. Used to populate the `hint` field on
+ * parse errors of the form "unexpected token `X`" when X is a known misspelling
+ * of a Cedar keyword. Keep small and conservative; better to leave hint null
+ * than to over-suggest. Levenshtein over the reserved keyword set is the
+ * future generalization if this table proves too narrow.
+ */
+const TYPO_HINTS = {
+    int: "in",
+    permint: "permit",
+    forbit: "forbid",
+    prinipal: "principal",
+    prinicpal: "principal",
+    prncipal: "principal",
+    resorce: "resource",
+    resoure: "resource",
+    actoin: "action",
+    acton: "action",
+    unles: "unless",
+    wen: "when",
+    Like: "like",
+    Has: "has",
+    Permit: "permit",
+    Forbid: "forbid",
+    When: "when",
+    Unless: "unless",
+};
+function parseSchema(schemaStr) {
+    try {
+        return JSON.parse(schemaStr);
+    }
+    catch {
+        // Not JSON — treat as Cedar schema text
+        return schemaStr;
+    }
+}
+function countPolicies(policiesText) {
+    const parts = policySetTextToParts(policiesText);
+    if (parts.type === "failure")
+        return 0;
+    return parts.policies.length + parts.policy_templates.length;
+}
+/**
+ * Convert a WASM-reported UTF-8 byte offset into the source text into a
+ * 1-indexed line + Unicode-code-point column. Walking the JS string as if
+ * the offset were a char index drifts whenever the source contains
+ * multi-byte UTF-8 chars (em-dashes in comments, non-ASCII identifiers
+ * in string literals). This matters in practice for any Cedar policy
+ * with non-ASCII content, including comments, before the error site.
+ *
+ * Implementation: encode the full source to bytes, slice up to the
+ * byte offset, decode back to a string, then count Unicode code points
+ * (via for-of, which iterates code points rather than UTF-16 code units).
+ */
+function offsetToLineCol(source, byteOffset) {
+    const enc = new TextEncoder();
+    const bytes = enc.encode(source);
+    if (byteOffset < 0 || byteOffset > bytes.length) {
+        return { line: 1, column: 1 };
+    }
+    const before = new TextDecoder().decode(bytes.slice(0, byteOffset));
+    let line = 1;
+    let column = 1;
+    for (const ch of before) {
+        if (ch === "\n") {
+            line++;
+            column = 1;
+        }
+        else {
+            column++;
+        }
+    }
+    return { line, column };
+}
+/**
+ * Pull the offending token out of a Cedar parse error message, if present.
+ * Cedar emits a few distinct error templates depending on where the token
+ * appears in the grammar; this matches the ones common typos produce.
+ */
+function extractOffendingToken(message) {
+    const patterns = [
+        /unexpected token `([^`]+)`/, // operator / keyword in expressions
+        /invalid variable in the policy scope: (\S+)/, // mis-typed principal / action / resource
+        /invalid policy effect: (\S+)/, // mis-typed permit / forbid
+    ];
+    for (const re of patterns) {
+        const m = message.match(re);
+        if (m)
+            return m[1];
+    }
+    return null;
+}
+/** Suggest a hint string for a known typo, or null if none applies. */
+function typoHint(message) {
+    const token = extractOffendingToken(message);
+    if (!token)
+        return null;
+    const suggestion = TYPO_HINTS[token];
+    return suggestion ? `Did you mean '${suggestion}'?` : null;
+}
+/** Best-effort source location: prefer error's own sourceLocations[0]; null if none. */
+function locationFor(err, source) {
+    const loc = err.sourceLocations?.[0];
+    if (!loc || typeof loc.start !== "number")
+        return null;
+    return offsetToLineCol(source, loc.start);
+}
+/**
+ * Resolve a Cedar schema for cedar_validate from, in order:
+ *   1. an inline `schema` string (highest priority; `from` is left undefined),
+ *   2. an explicit `store` name (read `schema.cedarschema` / `schema.json` from that loaded store; errors if read fails),
+ *   3. the workspace default when exactly one store is loaded (10d auto-discovery; falls to `none` if the store has no schema file),
+ *   4. `none` when no store is loaded at all,
+ *   5. `error` when multiple stores are loaded and no `store` was passed to disambiguate.
+ *
+ * Single source of truth for the resolution rules; called from both
+ * handleValidate (direct callers, including tests) and handleValidateMcp
+ * (after `schema_ref` resolution). Replaces two near-duplicate inline
+ * blocks from kickoff-10 (10d) that the kickoff-10 audit flagged for
+ * v1.1 cleanup.
+ */
+function resolveWorkspaceSchema(inputSchema, storeParam) {
+    if (inputSchema !== undefined)
+        return { kind: "resolved", schema: inputSchema };
+    if (storeParam) {
+        try {
+            return { kind: "resolved", schema: storeManager.readSchema(storeParam), from: storeParam };
+        }
+        catch (e) {
+            return { kind: "error", error: e instanceof Error ? e.message : String(e) };
+        }
+    }
+    const def = storeManager.getDefaultStore();
+    if (def.kind === "single") {
+        try {
+            return { kind: "resolved", schema: storeManager.readSchema(def.store.name), from: def.store.name };
+        }
+        catch {
+            // Store exists but has no schema file; caller falls through to syntax_only
+            // (or errors out in syntax_and_schema mode at the next gate).
+            return { kind: "none" };
+        }
+    }
+    if (def.kind === "ambiguous") {
+        return { kind: "error", error: `Multiple stores are loaded (${def.names.join(", ")}). Pass store: "<name>" to choose.` };
+    }
+    return { kind: "none" };
+}
+/** Parser-only validation. Used by mode="syntax_only" and by mode="auto" when no schema is resolvable. */
+function parseOnlyResult(policies) {
+    const parseAnswer = checkParsePolicySet({ staticPolicies: policies });
+    if (parseAnswer.type === "failure") {
+        return {
+            valid: false,
+            errors: parseAnswer.errors.map((e) => {
+                const loc = locationFor(e, policies);
+                const hint = typoHint(e.message) ?? e.help ?? null;
+                const base = {
+                    policy_id: "",
+                    message: e.message,
+                    hint,
+                };
+                if (loc) {
+                    base.line = loc.line;
+                    base.column = loc.column;
+                }
+                return base;
+            }),
+            warnings: [],
+            policy_count: countPolicies(policies),
+            validation_mode: "syntax_only",
+        };
+    }
+    return {
+        valid: true,
+        errors: [],
+        warnings: [],
+        policy_count: countPolicies(policies),
+        validation_mode: "syntax_only",
+    };
+}
+export async function handleValidate(input) {
+    const mode = input.validation_mode ?? "auto";
+    // 11c: explicit syntax_only short-circuits every schema path. The caller
+    // said "I have no schema" or "I want a parse-only check"; we honor that
+    // even when an inline schema is present and even when a workspace store
+    // is loaded.
+    if (mode === "syntax_only") {
+        return parseOnlyResult(input.policies);
+    }
+    // 10d workspace auto-discovery, single-sourced through resolveWorkspaceSchema.
+    // Returns inline schema verbatim, reads from `store` if named, or auto-discovers
+    // from the default workspace store. Errors out on read failure or multi-store
+    // ambiguity. mode="syntax_and_schema" turns "no schema available" into a hard
+    // error in the next gate.
+    const resolution = resolveWorkspaceSchema(input.schema, input.store);
+    if (resolution.kind === "error") {
+        return {
+            valid: false,
+            errors: [{ policy_id: "", message: resolution.error, hint: null }],
+            warnings: [],
+            policy_count: countPolicies(input.policies),
+            validation_mode: mode === "syntax_and_schema" ? "syntax_and_schema" : "syntax_only",
+        };
+    }
+    const schemaText = resolution.kind === "resolved" ? resolution.schema : undefined;
+    const schemaFrom = resolution.kind === "resolved" ? resolution.from : undefined;
+    // 11c: explicit syntax_and_schema requires a schema. After both inline and
+    // auto-discovery paths, if there is still no schema, the caller asked for a
+    // mode we cannot honor. Return a clear error rather than silently dropping
+    // to syntax_only (which is exactly the Round 4 Scenario I friction).
+    if (mode === "syntax_and_schema" && schemaText === undefined) {
+        return {
+            valid: false,
+            errors: [{
+                    policy_id: "",
+                    message: 'validation_mode "syntax_and_schema" requires a schema, but none was provided and none could be auto-discovered. Pass schema, schema_ref, or store, or use validation_mode "auto" / "syntax_only".',
+                    hint: null,
+                }],
+            warnings: [],
+            policy_count: countPolicies(input.policies),
+            validation_mode: "syntax_and_schema",
+        };
+    }
+    // Syntax-only mode: no schema supplied (mode === "auto" with no resolvable
+    // schema). Run the parser alone so the caller can sanity-check a snippet
+    // without having to construct a schema first. Maps any parse failure to
+    // the same ValidateError shape the full-validate path uses, so downstream
+    // consumers do not need a separate branch.
+    if (schemaText === undefined) {
+        return parseOnlyResult(input.policies);
+    }
+    const schema = parseSchema(schemaText);
+    // per spike-report-wasm-api.md §2: type field is WASM call health, not policy validity.
+    // Check validationErrors.length for actual validity.
+    const answer = validate({
+        schema,
+        policies: { staticPolicies: input.policies },
+    });
+    const autoDiscovered = schemaFrom ? { schema_from: schemaFrom } : undefined;
+    if (answer.type === "failure") {
+        return {
+            valid: false,
+            errors: answer.errors.map((e) => {
+                const loc = locationFor(e, input.policies);
+                const hint = typoHint(e.message) ?? e.help ?? null;
+                const base = {
+                    policy_id: "",
+                    message: e.message,
+                    hint,
+                };
+                if (loc) {
+                    base.line = loc.line;
+                    base.column = loc.column;
+                }
+                return base;
+            }),
+            warnings: [],
+            policy_count: countPolicies(input.policies),
+            validation_mode: "syntax_and_schema",
+            ...(autoDiscovered ? { auto_discovered: autoDiscovered } : {}),
+        };
+    }
+    const errors = answer.validationErrors.map((e) => {
+        const loc = locationFor(e.error, input.policies);
+        const base = {
+            policy_id: e.policyId,
+            message: e.error.message,
+            hint: typoHint(e.error.message) ?? e.error.help ?? null,
+        };
+        if (loc) {
+            base.line = loc.line;
+            base.column = loc.column;
+        }
+        return base;
+    });
+    const warnings = answer.validationWarnings.map((e) => {
+        const loc = locationFor(e.error, input.policies);
+        const base = {
+            policy_id: e.policyId,
+            message: e.error.message,
+            hint: typoHint(e.error.message) ?? e.error.help ?? null,
+        };
+        if (loc) {
+            base.line = loc.line;
+            base.column = loc.column;
+        }
+        return base;
+    });
+    return {
+        valid: errors.length === 0,
+        errors,
+        warnings,
+        policy_count: countPolicies(input.policies),
+        validation_mode: "syntax_and_schema",
+        ...(autoDiscovered ? { auto_discovered: autoDiscovered } : {}),
+    };
+}
+/**
+ * 10d workspace auto-discovery wrapper for `cedar_validate`. Resolves the
+ * schema from a loaded MCP root when neither `schema` nor `schema_ref` was
+ * supplied. Single-store deployments upgrade to syntax_and_schema mode;
+ * multi-store deployments require an explicit `store` parameter and return
+ * an ambiguity error otherwise.
+ */
+export async function handleValidateMcp(input, resolveRef) {
+    let policies = input.policies;
+    if (!policies && input.policy_ref) {
+        const resolved = resolveRef(input.policy_ref);
+        if ("error" in resolved)
+            return { error: resolved.error };
+        policies = resolved.content;
+    }
+    if (!policies)
+        return { error: "Either policies or policy_ref is required" };
+    const mode = input.validation_mode ?? "auto";
+    // 11c: explicit syntax_only short-circuits all schema work at the wrapper
+    // level too. The user said parser-only; don't read schema_ref off disk,
+    // don't auto-discover, don't error on a missing schema. Pass straight to
+    // handleValidate which knows to run parseOnlyResult.
+    if (mode === "syntax_only") {
+        const result = await handleValidate({ policies, validation_mode: "syntax_only" });
+        return { result };
+    }
+    let schema = input.schema;
+    if (!schema && input.schema_ref) {
+        const resolved = resolveRef(input.schema_ref);
+        if ("error" in resolved)
+            return { error: resolved.error };
+        schema = resolved.content;
+    }
+    // 10d workspace auto-discovery, single-sourced through resolveWorkspaceSchema.
+    // schema_ref was resolved above; if a caller used schema_ref the helper short-
+    // circuits on the inline-schema check and never touches StoreManager.
+    const resolution = resolveWorkspaceSchema(schema, input.store);
+    if (resolution.kind === "error")
+        return { error: resolution.error };
+    let autoSchemaFrom;
+    if (resolution.kind === "resolved") {
+        schema = resolution.schema;
+        autoSchemaFrom = resolution.from;
+    }
+    const result = await handleValidate({ policies, schema, validation_mode: mode });
+    if (autoSchemaFrom) {
+        result.auto_discovered = { schema_from: autoSchemaFrom };
+    }
+    return { result };
+}
+//# sourceMappingURL=validate.js.map

package/dist/tools/validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/tools/validate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AAEtG,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAgE7D;;;;;;GAMG;AACH,MAAM,UAAU,GAA2B;IACzC,GAAG,EAAE,IAAI;IACT,OAAO,EAAE,QAAQ;IACjB,MAAM,EAAE,QAAQ;IAChB,QAAQ,EAAE,WAAW;IACrB,SAAS,EAAE,WAAW;IACtB,QAAQ,EAAE,WAAW;IACrB,OAAO,EAAE,UAAU;IACnB,OAAO,EAAE,UAAU;IACnB,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,GAAG,EAAE,MAAM;IACX,IAAI,EAAE,MAAM;IACZ,GAAG,EAAE,KAAK;IACV,MAAM,EAAE,QAAQ;IAChB,MAAM,EAAE,QAAQ;IAChB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;CACjB,CAAC;AAEF,SAAS,WAAW,CAAC,SAAiB;IACpC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,wCAAwC;QACxC,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,YAAoB;IACzC,MAAM,KAAK,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IACjD,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,CAAC,CAAC;IACvC,OAAO,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC;AAC/D,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,eAAe,CAAC,MAAc,EAAE,UAAkB;IACzD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,UAAU,GAAG,CAAC,IAAI,UAAU,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;QAChD,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAChC,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC;IACpE,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,EAAE,IAAI,MAAM,EAAE,CAAC;QACxB,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,IAAI,EAAE,CAAC;YACP,MAAM,GAAG,CAAC,CAAC;QACb,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,CAAC;QACX,CAAC;IACH,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC1B,CAAC;AAED;;;;GAIG;AACH,SAAS,qBAAqB,CAAC,OAAe;IAC5C,MAAM,QAAQ,GAAa;QACzB,4BAA4B,EAA2B,oCAAoC;QAC3F,6CAA6C,EAAU,0CAA0C;QACjG,8BAA8B,EAAyB,4BAA4B;KACpF,CAAC;IACF,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;QAC1B,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC5B,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC,CAAC,CAAE,CAAC;IACtB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,uEAAuE;AACvE,SAAS,QAAQ,CAAC,OAAe;IAC/B,MAAM,KAAK,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IACrC,OAAO,UAAU,CAAC,CAAC,CAAC,iBAAiB,UAAU,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7D,CAAC;AAED,wFAAwF;AACxF,SAAS,WAAW,CAAC,GAAkB,EAAE,MAAc;IACrD,MAAM,GAAG,GAAG,GAAG,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACvD,OAAO,eAAe,CAAC,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;AAC5C,CAAC;AAYD;;;;;;;;;;;;;GAaG;AACH,SAAS,sBAAsB,CAC7B,WAA+B,EAC/B,UAA8B;IAE9B,IAAI,WAAW,KAAK,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAChF,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,CAAC;YACH,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;QAC7F,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9E,CAAC;IACH,CAAC;IACD,MAAM,GAAG,GAAG,YAAY,CAAC,eAAe,EAAE,CAAC;IAC3C,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACrG,CAAC;QAAC,MAAM,CAAC;YACP,2EAA2E;YAC3E,8DAA8D;YAC9D,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAC7B,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,+BAA+B,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,oCAAoC,EAAE,CAAC;IAC3H,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC1B,CAAC;AAED,0GAA0G;AAC1G,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,WAAW,GAAG,mBAAmB,CAAC,EAAE,cAAc,EAAE,QAAQ,EAAE,CAAC,CAAC;IACtE,IAAI,WAAW,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;gBACnC,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;gBACrC,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC;gBACnD,MAAM,IAAI,GAAkB;oBAC1B,SAAS,EAAE,EAAE;oBACb,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,IAAI;iBACL,CAAC;gBACF,IAAI,GAAG,EAAE,CAAC;oBACR,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;oBACrB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;gBAC3B,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC,CAAC;YACF,QAAQ,EAAE,EAAE;YACZ,YAAY,EAAE,aAAa,CAAC,QAAQ,CAAC;YACrC,eAAe,EAAE,aAAa;SAC/B,CAAC;IACJ,CAAC;IACD,OAAO;QACL,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,EAAE;QACV,QAAQ,EAAE,EAAE;QACZ,YAAY,EAAE,aAAa,CAAC,QAAQ,CAAC;QACrC,eAAe,EAAE,aAAa;KAC/B,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,KAAoB;IACvD,MAAM,IAAI,GAAG,KAAK,CAAC,eAAe,IAAI,MAAM,CAAC;IAE7C,yEAAyE;IACzE,wEAAwE;IACxE,wEAAwE;IACxE,aAAa;IACb,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;QAC3B,OAAO,eAAe,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,+EAA+E;IAC/E,iFAAiF;IACjF,8EAA8E;IAC9E,8EAA8E;IAC9E,0BAA0B;IAC1B,MAAM,UAAU,GAAG,sBAAsB,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;IACrE,IAAI,UAAU,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAChC,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,UAAU,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YAClE,QAAQ,EAAE,EAAE;YACZ,YAAY,EAAE,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC;YAC3C,eAAe,EAAE,IAAI,KAAK,mBAAmB,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,aAAa;SACpF,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAuB,UAAU,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;IACtG,MAAM,UAAU,GAAuB,UAAU,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;IAEpG,2EAA2E;IAC3E,4EAA4E;IAC5E,2EAA2E;IAC3E,qEAAqE;IACrE,IAAI,IAAI,KAAK,mBAAmB,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7D,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,CAAC;oBACP,SAAS,EAAE,EAAE;oBACb,OAAO,EAAE,mMAAmM;oBAC5M,IAAI,EAAE,IAAI;iBACX,CAAC;YACF,QAAQ,EAAE,EAAE;YACZ,YAAY,EAAE,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC;YAC3C,eAAe,EAAE,mBAAmB;SACrC,CAAC;IACJ,CAAC;IAED,2EAA2E;IAC3E,yEAAyE;IACzE,wEAAwE;IACxE,0EAA0E;IAC1E,2CAA2C;IAC3C,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,OAAO,eAAe,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAEvC,wFAAwF;IACxF,qDAAqD;IACrD,MAAM,MAAM,GAAG,QAAQ,CAAC;QACtB,MAAM;QACN,QAAQ,EAAE,EAAE,cAAc,EAAE,KAAK,CAAC,QAAQ,EAAE;KAC7C,CAAC,CAAC;IAEH,MAAM,cAAc,GAAG,UAAU,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAE5E,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;gBAC9B,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;gBAC3C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,CAAC;gBACnD,MAAM,IAAI,GAAkB;oBAC1B,SAAS,EAAE,EAAE;oBACb,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,IAAI;iBACL,CAAC;gBACF,IAAI,GAAG,EAAE,CAAC;oBACR,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;oBACrB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;gBAC3B,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC,CAAC;YACF,QAAQ,EAAE,EAAE;YACZ,YAAY,EAAE,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC;YAC3C,eAAe,EAAE,mBAAmB;YACpC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/D,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAoB,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAChE,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;QACjD,MAAM,IAAI,GAAkB;YAC1B,SAAS,EAAE,CAAC,CAAC,QAAQ;YACrB,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO;YACxB,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI;SACxD,CAAC;QACF,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;YACrB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAoB,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACpE,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;QACjD,MAAM,IAAI,GAAkB;YAC1B,SAAS,EAAE,CAAC,CAAC,QAAQ;YACrB,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO;YACxB,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI;SACxD,CAAC;QACF,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;YACrB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM;QACN,QAAQ;QACR,YAAY,EAAE,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC3C,eAAe,EAAE,mBAAmB;QACpC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/D,CAAC;AACJ,CAAC;AAkBD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAuB,EACvB,UAAoE;IAEpE,IAAI,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC;IAC9B,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC9C,IAAI,OAAO,IAAI,QAAQ;YAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC;QAC1D,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC;IAC9B,CAAC;IACD,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC;IAE7E,MAAM,IAAI,GAAG,KAAK,CAAC,eAAe,IAAI,MAAM,CAAC;IAE7C,0EAA0E;IAC1E,wEAAwE;IACxE,yEAAyE;IACzE,qDAAqD;IACrD,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,QAAQ,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC,CAAC;QAClF,OAAO,EAAE,MAAM,EAAE,CAAC;IACpB,CAAC;IAED,IAAI,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IAC1B,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC9C,IAAI,OAAO,IAAI,QAAQ;YAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC;QAC1D,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC;IAC5B,CAAC;IAED,+EAA+E;IAC/E,+EAA+E;IAC/E,sEAAsE;IACtE,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;IAC/D,IAAI,UAAU,CAAC,IAAI,KAAK,OAAO;QAAE,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC;IACpE,IAAI,cAAkC,CAAC;IACvC,IAAI,UAAU,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QACnC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;QAC3B,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC;IACnC,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC,CAAC;IACjF,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,CAAC,eAAe,GAAG,EAAE,WAAW,EAAE,cAAc,EAAE,CAAC;IAC3D,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,CAAC;AACpB,CAAC"}

package/dist/utils/format-detector.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Cedar input format detection and normalization.
+ *
+ * Three AVP SDK variants exist in the wild — all need conversion to Cedar WASM format:
+ *
+ *   Ruby SDK (snake_case):   identifier.entity_type / entity_id, string/long/boolean
+ *   Python/JS SDK (camelCase): identifier.entityType / entityId, string/long/boolean
+ *   Official API/Console (PascalCase): Identifier.EntityType / EntityId, String/Long/Boolean
+ *
+ * Cedar WASM format:
+ *   uid: { type, id }, attrs: { key: rawValue }, parents: [{ type, id }]
+ *   Entity refs in attrs: { __entity: { type, id } }
+ *   Extension types: { __extn: { fn, arg } }
+ *
+ * Detection strategy: case-insensitive key lookup handles all three casing variants
+ * in a single code path. One normalizer to rule them all.
+ *
+ * Cedar CLI format (uid.__entity wrapper): WASM accepts natively — no conversion needed.
+ *
+ * Attribute value wrapper detection rule:
+ *   Single-key object whose key (lowercased) is a known AVP type name AND whose value
+ *   is the matching primitive. Multi-key objects are Cedar Records — not touched.
+ *
+ * Limitation: a Cedar Record with exactly one field named "string"/"long"/"boolean"
+ *   would be misidentified. Adding a second field removes the ambiguity.
+ *
+ * Sources confirmed by SDK docs (2026-05-20):
+ *   Ruby: entity_type/entity_id/entity_identifier (snake_case)
+ *   Python/JS: entityType/entityId/entityIdentifier (camelCase)
+ *   Official API: EntityType/EntityId/EntityIdentifier (PascalCase)
+ */
+export type InputFormat = "cedar" | "avp" | "cedar_cli";
+export interface FormatDetectionResult {
+    format: InputFormat;
+    confidence: "high" | "medium";
+    note: string;
+}
+export interface NormalizedRef {
+    type: string;
+    id: string;
+}
+export interface NormalizedRefError {
+    error: string;
+}
+export declare function detectFormat(entities: unknown[], principal: unknown, action: unknown, resource: unknown): FormatDetectionResult;
+export declare function normalizeEntities(entities: unknown[], format: InputFormat): unknown[];
+export declare function normalizePrincipalRef(ref: unknown): NormalizedRef | NormalizedRefError;
+export declare function unwrapAvpAttributes(attrs: Record<string, unknown>): Record<string, unknown>;
+//# sourceMappingURL=format-detector.d.ts.map

package/dist/utils/format-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"format-detector.d.ts","sourceRoot":"","sources":["../../src/utils/format-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,KAAK,GAAG,WAAW,CAAC;AAExD,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,WAAW,CAAC;IACpB,UAAU,EAAE,MAAM,GAAG,QAAQ,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;CACf;AAkBD,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,OAAO,EAAE,EACnB,SAAS,EAAE,OAAO,EAClB,MAAM,EAAE,OAAO,EACf,QAAQ,EAAE,OAAO,GAChB,qBAAqB,CA0CvB;AAID,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,WAAW,GAAG,OAAO,EAAE,CAGrF;AAED,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,OAAO,GAAG,aAAa,GAAG,kBAAkB,CA0CtF;AAED,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAMzB"}