cedar-mcp-server 1.0.0

package/src/index.ts

@@ -0,0 +1,294 @@
+#!/usr/bin/env node
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { RootsListChangedNotificationSchema } from "@modelcontextprotocol/sdk/types.js";
+import { existsSync } from "node:fs";
+import { join, basename } from "node:path";
+import { createServer } from "./server.js";
+import { storeManager } from "./resources/store-manager.js";
+import { startHttpServer } from "./http-server.js";
+
+/**
+ * A directory "looks like a Cedar workspace" if it has at least one of:
+ *   - schema.cedarschema  (preferred)
+ *   - schema.json         (fallback)
+ *   - policies/           (per-file policies layout)
+ *
+ * This is the same convention StoreManager uses to read a loaded root.
+ */
+function looksLikeCedarWorkspace(path: string): boolean {
+  return (
+    existsSync(join(path, "schema.cedarschema")) ||
+    existsSync(join(path, "schema.json")) ||
+    existsSync(join(path, "policies"))
+  );
+}
+
+/**
+ * Synchronously populate StoreManager with the cwd-fallback store, if the
+ * cwd looks like a Cedar workspace. Returns the loaded root descriptor when
+ * a store was loaded, or null otherwise.
+ *
+ * Round 5 dogfood (Scenario E) found that emitting `notifications/resources/list_changed`
+ * AFTER an async cwd-fallback (kickoff-11 11a) was insufficient: Claude Code's
+ * `listMcpResources` does not honor `list_changed` for cache invalidation, so a
+ * client that snapshots `resources/list` once on the initialize response stays
+ * stuck on the empty pre-fallback snapshot regardless of any later notification.
+ *
+ * The fix is structural: populate StoreManager BEFORE the transport accepts
+ * any client requests. `process.cwd()` is available at startup; there is no
+ * need to wait for the transport. By the time the client can send any
+ * request, the store already exists.
+ *
+ * Security: rejects filesystem-root cwds (`/`) and any cwd whose basename is
+ * empty after normalization. Without this guard, the cwd-fallback would push
+ * an empty-path root into StoreManager, and the per-store path sandbox
+ * (`isPathAllowed`, which uses `startsWith(store.path)`) would return true
+ * for every filesystem path. StoreManager.loadFromRoots also refuses
+ * empty-path roots as a second layer of defense, but rejecting here keeps
+ * the cwd-fallback's intent narrow (workspace-shaped cwds only).
+ *
+ * Exported so unit tests can exercise it without spawning a stdio process.
+ */
+export function populateCwdFallback(cwd: string): { uri: string; name: string } | null {
+  if (cwd === "/" || basename(cwd).length === 0) return null;
+  if (!looksLikeCedarWorkspace(cwd)) return null;
+  const cwdRoot = { uri: `file://${cwd}`, name: basename(cwd) };
+  storeManager.loadFromRoots([cwdRoot]);
+  return cwdRoot;
+}
+
+interface ParsedArgs {
+  mode: "stdio" | "http" | "help";
+  port?: number;
+  host?: string;
+  roots: Array<{ name: string; path: string }>;
+  error?: string;
+}
+
+function parseArgs(argv: string[]): ParsedArgs {
+  const args = argv.slice(2);
+  const out: ParsedArgs = { mode: "stdio", roots: [] };
+
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i]!;
+    if (a === "--help" || a === "-h") {
+      return { mode: "help", roots: [] };
+    } else if (a === "--http") {
+      const portArg = args[i + 1];
+      if (!portArg || portArg.startsWith("--")) {
+        return { mode: "help", roots: [], error: "--http requires a port number (e.g. --http 3000)" };
+      }
+      const port = Number(portArg);
+      if (!Number.isInteger(port) || port < 1 || port > 65535) {
+        return { mode: "help", roots: [], error: `--http port must be an integer between 1 and 65535 (got '${portArg}')` };
+      }
+      out.mode = "http";
+      out.port = port;
+      i++;
+    } else if (a === "--host") {
+      const hostArg = args[i + 1];
+      if (!hostArg || hostArg.startsWith("--")) {
+        return { mode: "help", roots: [], error: "--host requires a hostname (e.g. --host 0.0.0.0)" };
+      }
+      out.host = hostArg;
+      i++;
+    } else if (a === "--root") {
+      const rootArg = args[i + 1];
+      if (!rootArg || rootArg.startsWith("--")) {
+        return { mode: "help", roots: [], error: "--root requires a name=path value (e.g. --root production=/etc/cedar/prod)" };
+      }
+      const eq = rootArg.indexOf("=");
+      if (eq <= 0 || eq === rootArg.length - 1) {
+        return { mode: "help", roots: [], error: `--root must be name=path (got '${rootArg}')` };
+      }
+      const name = rootArg.slice(0, eq);
+      const path = rootArg.slice(eq + 1);
+      out.roots.push({ name, path });
+      i++;
+    } else {
+      return { mode: "help", roots: [], error: `Unknown argument: ${a}` };
+    }
+  }
+
+  if (out.mode === "stdio" && out.roots.length > 0) {
+    return { mode: "help", roots: [], error: "--root flags are only used with --http mode; in stdio mode roots come from the MCP client" };
+  }
+
+  return out;
+}
+
+function printUsage(error?: string): void {
+  if (error) {
+    // eslint-disable-next-line no-console
+    console.error(`Error: ${error}\n`);
+  }
+  // eslint-disable-next-line no-console
+  console.error(
+    `cedar-mcp-server — MCP server for Cedar policy language
+
+Usage:
+  cedar-mcp-server                              Start in stdio mode (default; for npx/Claude Code)
+  cedar-mcp-server --http <port> [options]      Start in Streamable HTTP mode for shared team deployment
+
+HTTP options:
+  --http <port>            Listen port (1-65535)
+  --host <host>            Bind host (default: 127.0.0.1; use 0.0.0.0 for non-localhost; you handle auth via reverse proxy)
+  --root <name>=<path>     Repeatable; deployer-configured policy store ("production=/etc/cedar/prod")
+
+Notes:
+  - Stdio mode: roots are negotiated with the MCP client via listRoots(); --root flags are not allowed.
+  - HTTP mode: stateful Streamable HTTP transport with session IDs. ALL clients share the same roots and policy stores (deployment model: one server per policy-store set). For per-tenant isolation, run multiple processes.
+  - HTTP mode default-binds to localhost with DNS-rebinding protection. Non-localhost binding is on you to secure (reverse proxy + auth).
+
+Examples:
+  cedar-mcp-server
+  cedar-mcp-server --http 3000 --root production=/etc/cedar/production --root staging=/etc/cedar/staging
+  cedar-mcp-server --http 3000 --host 0.0.0.0 --root prod=/etc/cedar/prod
+`
+  );
+}
+
+/**
+ * Reconcile StoreManager state with whatever the MCP client advertises via
+ * `listRoots()`. Called from `oninitialized` AND on every
+ * `notifications/roots/list_changed` from the client.
+ *
+ * Precedence rules:
+ *  - Client-advertised roots REPLACE any sync-loaded cwd-fallback. A client
+ *    that explicitly advertises roots is stating authoritative intent; the
+ *    cwd-fallback was an "if you didn't tell me anything" default.
+ *  - Client returns ZERO roots (or doesn't support listRoots): preserve the
+ *    sync-loaded cwd-fallback. We do NOT call `loadFromRoots([])` here
+ *    because StoreManager.loadFromRoots clears the store as its first step,
+ *    which would wipe the cwd-fallback populated synchronously at startup.
+ *
+ * `sendResourceListChanged` always fires at the end: cache-aware clients use
+ * it to refetch when the store membership changes. Idempotent if nothing
+ * actually changed.
+ */
+async function loadRootsStdio(server: Awaited<ReturnType<typeof createServer>>) {
+  let clientRoots: Array<{ uri: string; name?: string }> = [];
+  let clientSupportsRoots = true;
+  try {
+    const result = await server.server.listRoots();
+    clientRoots = result.roots;
+  } catch {
+    clientSupportsRoots = false;
+  }
+
+  // Reconcile StoreManager state from the current (clientRoots, cwd) tuple.
+  // Stateless re-derivation: each call to loadRootsStdio computes the right
+  // state from scratch rather than mutating the previous state. This matters
+  // when a client advertised roots earlier and then retracts them via
+  // `roots/list_changed`; without re-derivation the stale advertised roots
+  // would leak forward instead of falling back to cwd.
+  if (clientRoots.length > 0) {
+    storeManager.loadFromRoots(clientRoots);
+    console.error(`[cedar-mcp-server] Loaded ${clientRoots.length} root(s) from MCP client: ${clientRoots.map((r) => r.uri).join(", ")} (replaces any sync-loaded cwd-fallback).`);
+  } else {
+    const fallback = populateCwdFallback(process.cwd());
+    if (fallback) {
+      console.error(`[cedar-mcp-server] MCP client advertised 0 roots; using cwd-fallback store "${fallback.name}" (re-derived).`);
+    } else {
+      storeManager.loadFromRoots([]);
+      if (clientSupportsRoots) {
+        console.error("[cedar-mcp-server] MCP client returned 0 roots and cwd does not look like a Cedar workspace (no schema.cedarschema, schema.json, or policies/ dir). Cedar tools will require inline inputs.");
+      } else {
+        console.error("[cedar-mcp-server] MCP client does not support roots/list and cwd does not look like a Cedar workspace. Cedar tools will require inline inputs.");
+      }
+    }
+  }
+
+  // kickoff-11 11a notification: cache-aware clients refetch on this. The
+  // synchronous cwd-fallback from runStdio means the FIRST resources/list
+  // already sees the populated store (this is the Round 5 fix), so this
+  // notification is most useful for the late-arriving-roots case (client
+  // sends roots/list_changed mid-session, swapping the store set). McpServer
+  // makes it a no-op when not connected, so it's safe to call from any path.
+  server.sendResourceListChanged();
+}
+
+async function runStdio(): Promise<void> {
+  const server = createServer();
+
+  // Round 5 fix: populate StoreManager BEFORE the transport accepts any
+  // client requests. The previous shape (cwd-fallback inside `oninitialized`
+  // → kickoff-11 sendResourceListChanged) was contract-correct against the
+  // MCP spec but did not hold against Claude Code, which snapshots
+  // resources/list once on the initialize response and does not honor
+  // list_changed for the `listMcpResources` cache. Synchronous population
+  // before connect closes the window entirely.
+  //
+  // Edge case (kickoff-10 audit Probe C): if process.cwd() is the
+  // cedar-mcp-server repo itself, it currently has none of schema.cedarschema,
+  // schema.json, or policies/ — looksLikeCedarWorkspace returns false. If a
+  // future commit adds a top-level policies/ directory (for examples or
+  // similar) the fallback would self-load. Flag in CHANGELOG if that
+  // ever happens.
+  const loaded = populateCwdFallback(process.cwd());
+  if (loaded) {
+    console.error(`[cedar-mcp-server] Synchronously auto-loaded cwd as workspace store: "${loaded.name}" (${loaded.uri}). StoreManager populated before transport accepts requests.`);
+  }
+
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+
+  server.server.oninitialized = async () => {
+    await loadRootsStdio(server);
+  };
+
+  server.server.setNotificationHandler(
+    RootsListChangedNotificationSchema,
+    async () => {
+      await loadRootsStdio(server);
+    }
+  );
+
+  process.on("SIGINT", async () => {
+    await server.close();
+    process.exit(0);
+  });
+
+  process.on("SIGTERM", async () => {
+    await server.close();
+    process.exit(0);
+  });
+}
+
+async function runHttp(parsed: ParsedArgs): Promise<void> {
+  const running = await startHttpServer({
+    port: parsed.port!,
+    host: parsed.host,
+    roots: parsed.roots,
+  });
+
+  const shutdown = async () => {
+    try {
+      await running.close();
+    } finally {
+      process.exit(0);
+    }
+  };
+
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+}
+
+async function main(): Promise<void> {
+  const parsed = parseArgs(process.argv);
+  if (parsed.mode === "help") {
+    printUsage(parsed.error);
+    process.exit(parsed.error ? 1 : 0);
+  }
+  if (parsed.mode === "http") {
+    await runHttp(parsed);
+  } else {
+    await runStdio();
+  }
+}
+
+main().catch((err) => {
+  // eslint-disable-next-line no-console
+  console.error("Fatal error:", err);
+  process.exit(1);
+});

package/src/parser/policy-ast.ts

@@ -0,0 +1,345 @@
+/**
+ * Shared utilities for walking the PolicyJson AST returned by policyToJson / templateToJson.
+ *
+ * AST shape proven in spike (2026-05-19):
+ *   - principal/action/resource: { op: "All" | "==" | "in", entity?, entities?, slot? }
+ *   - "in" with single entity  → entity key (singular)
+ *   - "in" with multiple       → entities key (plural)
+ *   - conditions: [{ kind: "when"|"unless", body: ExprTree }]
+ *   - ExprTree: operator-as-key encoding ("==", "&&", "||", "has", ".", "Var", "Value")
+ *   - Entity literals in scope: { type, id }
+ *   - Entity literals in conditions: { "Value": { "__entity": { type, id } } }
+ *
+ * like operator shape (proven in spike 2026-05-20):
+ *   - { "like": { "left": Expr, "pattern": PatternElem[] } }
+ *   - PatternElem = "Wildcard" | { Literal: string }
+ *   - CRITICAL: pattern is CHARACTER-LEVEL — "/api/v1/*" produces one {Literal} per char,
+ *     not one {Literal: "/api/v1/"} node. Reconstruct by joining all Literal chars,
+ *     substituting "Wildcard" positions with the desired value.
+ *   - Negated like: { "!": { "arg": { "like": { ... } } } }
+ *   - Cedar wildcard matches any char sequence INCLUDING "/". Depth-limiting works via TWO wildcards:
+ *     "like X/WILDCARD" matches any depth; "like X/WILDCARD/WILDCARD" also matches — negation limits to one segment.
+ */
+
+import type { PolicyJson, Clause, Expr } from "@cedar-policy/cedar-wasm/nodejs";
+
+// ─── Scope description ───────────────────────────────────────────────────────
+
+export function describePrincipal(principal: PolicyJson["principal"]): string {
+  // Check for slot first — applies to both "==" and "in" ops in templates
+  if ("slot" in principal) {
+    const slot = (principal as Record<string, unknown>)["slot"] as string;
+    return `principal bound to slot ${slot}`;
+  }
+  switch (principal.op) {
+    case "All":
+      return "any principal";
+    case "==": {
+      const e = "entity" in principal ? principal.entity : null;
+      if (e && "type" in e) return `exactly ${e.type}::"${e.id}"`;
+      return "exactly (unknown)";
+    }
+    case "in": {
+      const entities = resolveInEntities(principal);
+      if (entities.length === 1) return `principal in ${formatEntity(entities[0]!)}`;
+      return `principal in [${entities.map(formatEntity).join(", ")}]`;
+    }
+    default:
+      return "principal (unknown constraint)";
+  }
+}
+
+export function describeAction(action: PolicyJson["action"]): string {
+  switch (action.op) {
+    case "All":
+      return "any action";
+    case "==": {
+      const e = "entity" in action ? action.entity : null;
+      if (e && "type" in e) return `action ${formatEntity(e)}`;
+      return "exactly (unknown action)";
+    }
+    case "in": {
+      const entities = resolveInEntities(action);
+      if (entities.length === 1) return `action in ${formatEntity(entities[0]!)}`;
+      return `action in [${entities.map(formatEntity).join(", ")}]`;
+    }
+    default:
+      return "action (unknown constraint)";
+  }
+}
+
+export function describeResource(resource: PolicyJson["resource"]): string {
+  switch (resource.op) {
+    case "All":
+      return "any resource";
+    case "==": {
+      const e = "entity" in resource ? resource.entity : null;
+      const s = "slot" in resource ? resource.slot : null;
+      if (s) return `resource bound to slot ${s}`;
+      if (e && "type" in e) return `exactly ${e.type}::"${e.id}"`;
+      return "exactly (unknown)";
+    }
+    case "in": {
+      const entities = resolveInEntities(resource);
+      if (entities.length === 1) return `resource in ${formatEntity(entities[0]!)}`;
+      return `resource in [${entities.map(formatEntity).join(", ")}]`;
+    }
+    default:
+      return "resource (unknown constraint)";
+  }
+}
+
+// ─── Condition rendering ──────────────────────────────────────────────────────
+
+export function describeCondition(clause: Clause): string {
+  const kindLabel = clause.kind === "when" ? "WHEN" : "UNLESS";
+  const bodyDesc = describeExpr(clause.body);
+  return `${kindLabel} ${bodyDesc}`;
+}
+
+function describeExpr(expr: Expr): string {
+  if (typeof expr !== "object" || expr === null) return String(expr);
+
+  // Var node: { "Var": "principal" | "action" | "resource" | "context" }
+  if ("Var" in expr) return String((expr as Record<string, unknown>)["Var"]);
+
+  // Value node: { "Value": <cedar-value> }
+  if ("Value" in expr) return formatValue((expr as Record<string, unknown>)["Value"]);
+
+  // Attribute access: { ".": { left, attr } }
+  if ("." in expr) {
+    const node = (expr as Record<string, unknown>)["."] as { left: Expr; attr: string };
+    return `${describeExpr(node.left)}.${node.attr}`;
+  }
+
+  // Equality: { "==": { left, right } }
+  if ("==" in expr) {
+    const node = (expr as Record<string, unknown>)["=="] as { left: Expr; right: Expr };
+    return `${describeExpr(node.left)} == ${describeExpr(node.right)}`;
+  }
+
+  // Inequality
+  if ("!=" in expr) {
+    const node = (expr as Record<string, unknown>)["!="] as { left: Expr; right: Expr };
+    return `${describeExpr(node.left)} != ${describeExpr(node.right)}`;
+  }
+
+  // Logical AND: { "&&": { left, right } }
+  if ("&&" in expr) {
+    const node = (expr as Record<string, unknown>)["&&"] as { left: Expr; right: Expr };
+    return `${describeExpr(node.left)} AND ${describeExpr(node.right)}`;
+  }
+
+  // Logical OR: { "||": { left, right } }
+  if ("||" in expr) {
+    const node = (expr as Record<string, unknown>)["||"] as { left: Expr; right: Expr };
+    return `(${describeExpr(node.left)} OR ${describeExpr(node.right)})`;
+  }
+
+  // Has (optional attribute check): { "has": { left, attr } }
+  if ("has" in expr) {
+    const node = (expr as Record<string, unknown>)["has"] as { left: Expr; attr: string };
+    return `${describeExpr(node.left)} has '${node.attr}'`;
+  }
+
+  // In (membership): { "in": { left, right } }
+  if ("in" in expr) {
+    const node = (expr as Record<string, unknown>)["in"] as { left: Expr; right: Expr };
+    return `${describeExpr(node.left)} in ${describeExpr(node.right)}`;
+  }
+
+  // Set literal: { "Set": Expr[] }
+  if ("Set" in expr) {
+    const items = (expr as Record<string, unknown>)["Set"] as Expr[];
+    return `[${items.map(describeExpr).join(", ")}]`;
+  }
+
+  // Negation: { "!": { arg } }
+  if ("!" in expr) {
+    const node = (expr as Record<string, unknown>)["!"] as { arg: Expr };
+    return `NOT(${describeExpr(node.arg)})`;
+  }
+
+  // like: { "like": { left: Expr, pattern: PatternElem[] } }
+  // Reconstruct pattern with * for wildcards so it reads as Cedar syntax
+  if ("like" in expr) {
+    const node = (expr as Record<string, unknown>)["like"] as { left: Expr; pattern: PatternElem[] };
+    const patternStr = patternToString(node.pattern, "*");
+    return `${describeExpr(node.left)} like "${patternStr}"`;
+  }
+
+  // contains() call appears as an ExtFuncCall: { "contains": [left, right] }
+  // ExtFuncCall is {} & Record<string, Expr[]> — operator is the key, value is args array
+  const keys = Object.keys(expr);
+  if (keys.length === 1 && Array.isArray((expr as Record<string, unknown>)[keys[0]!])) {
+    const fn = keys[0]!;
+    const args = (expr as Record<string, unknown>)[fn] as Expr[];
+    return `${describeExpr(args[0]!)}.${fn}(${args.slice(1).map(describeExpr).join(", ")})`;
+  }
+
+  return "complex condition";
+}
+
+// ─── Pattern detection ────────────────────────────────────────────────────────
+
+export function detectPatterns(json: PolicyJson): string[] {
+  const patterns: string[] = [];
+
+  if (json.effect === "forbid") patterns.push("forbid_policy");
+
+  // Principal scope patterns
+  const principalHasSlot = "slot" in json.principal;
+  if (principalHasSlot) {
+    patterns.push("template_policy", "slot_principal");
+  } else if (json.principal.op === "in") {
+    patterns.push("role_based_access");
+  }
+  if (json.principal.op === "All") patterns.push("any_principal");
+
+  // Action scope patterns
+  if (json.action.op === "All") patterns.push("unrestricted_action");
+
+  // Resource scope patterns
+  if (json.resource.op === "All") patterns.push("unrestricted_resource");
+  if (json.resource.op === "==" && "slot" in json.resource) {
+    if (!patterns.includes("template_policy")) patterns.push("template_policy");
+    patterns.push("slot_resource");
+  }
+
+  // Condition patterns
+  const allConditionText = json.conditions.map((c) => JSON.stringify(c)).join(" ");
+
+  if (json.conditions.some((c) => c.kind === "unless")) patterns.push("role_exemption");
+  if (allConditionText.includes('"has"')) patterns.push("optional_attribute_guard");
+  if (allConditionText.includes("contains")) patterns.push("attribute_containment_check");
+
+  // Name-based identity: principal.name == "..."
+  if (allConditionText.includes('"name"') && allConditionText.includes('"Var":"principal"')) {
+    patterns.push("name_based_identity");
+  }
+
+  // Attribute-based conditions (when clause present and non-trivial)
+  if (json.conditions.length > 0 && !patterns.includes("role_exemption")) {
+    patterns.push("attribute_condition");
+  }
+
+  return [...new Set(patterns)];
+}
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+/** Handles the entity vs entities asymmetry from policyToJson */
+function resolveInEntities(
+  constraint: Record<string, unknown>
+): Array<{ type: string; id: string }> {
+  if ("entities" in constraint && Array.isArray(constraint["entities"])) {
+    return constraint["entities"] as Array<{ type: string; id: string }>;
+  }
+  if ("entity" in constraint && constraint["entity"]) {
+    return [constraint["entity"] as { type: string; id: string }];
+  }
+  return [];
+}
+
+function formatEntity(e: { type: string; id: string } | unknown): string {
+  if (e && typeof e === "object" && "type" in e && "id" in e) {
+    const entity = e as { type: string; id: string };
+    return `${entity.type}::"${entity.id}"`;
+  }
+  return JSON.stringify(e);
+}
+
+// ─── like operator utilities ──────────────────────────────────────────────────
+
+export type PatternElem = "Wildcard" | { Literal: string };
+
+export interface LikeConstraint {
+  variable: "principal" | "resource" | "context";
+  attr: string;
+  pattern: PatternElem[];
+  negated: boolean;
+}
+
+/**
+ * Reconstructs a string from a PatternElem array.
+ * Each Wildcard is replaced by wildcardValue.
+ * Pattern is character-level (one Literal node per char) — join them all.
+ */
+export function patternToString(pattern: PatternElem[], wildcardValue: string): string {
+  return pattern
+    .map((e) => (e === "Wildcard" ? wildcardValue : (e as { Literal: string }).Literal))
+    .join("");
+}
+
+/**
+ * Walks condition bodies and extracts all `like` constraints (positive and negated).
+ * Returns constraints keyed by variable.attr so callers can decide which to use.
+ */
+export function extractLikeConstraints(conditions: PolicyJson["conditions"]): LikeConstraint[] {
+  const result: LikeConstraint[] = [];
+  for (const clause of conditions) {
+    walkLikeExpr(clause.body, false, result);
+  }
+  return result;
+}
+
+function walkLikeExpr(expr: unknown, insideNot: boolean, acc: LikeConstraint[]): void {
+  if (typeof expr !== "object" || expr === null) return;
+  const e = expr as Record<string, unknown>;
+
+  if ("&&" in e || "||" in e) {
+    const key = "&&" in e ? "&&" : "||";
+    const node = e[key] as { left: unknown; right: unknown };
+    walkLikeExpr(node.left, insideNot, acc);
+    walkLikeExpr(node.right, insideNot, acc);
+    return;
+  }
+
+  if ("!" in e) {
+    const node = e["!"] as { arg: unknown };
+    walkLikeExpr(node.arg, !insideNot, acc);
+    return;
+  }
+
+  if ("like" in e) {
+    const node = e["like"] as { left: unknown; pattern: PatternElem[] };
+    const attrAccess = extractAttrFromLike(node.left);
+    if (attrAccess) {
+      acc.push({
+        variable: attrAccess.variable,
+        attr: attrAccess.attr,
+        pattern: node.pattern,
+        negated: insideNot,
+      });
+    }
+    return;
+  }
+}
+
+function extractAttrFromLike(
+  expr: unknown
+): { variable: "principal" | "resource" | "context"; attr: string } | null {
+  if (typeof expr !== "object" || expr === null) return null;
+  const e = expr as Record<string, unknown>;
+  if ("." in e) {
+    const node = e["."] as { left: unknown; attr: string };
+    const v = (node.left as Record<string, unknown>)?.["Var"];
+    if (v === "principal" || v === "resource" || v === "context") {
+      return { variable: v as "principal" | "resource" | "context", attr: node.attr };
+    }
+  }
+  return null;
+}
+
+function formatValue(v: unknown): string {
+  if (v === null) return "null";
+  if (typeof v === "string") return `"${v}"`;
+  if (typeof v === "boolean" || typeof v === "number") return String(v);
+  // Entity literal inside condition body: { __entity: { type, id } }
+  if (typeof v === "object" && v !== null && "__entity" in v) {
+    const entity = (v as Record<string, unknown>)["__entity"] as { type: string; id: string };
+    return formatEntity(entity);
+  }
+  if (Array.isArray(v)) return `[${v.map(formatValue).join(", ")}]`;
+  return JSON.stringify(v);
+}

package/src/prompts/README.md

@@ -0,0 +1,3 @@
+## Adding new MCP Prompts
+
+Each prompt is defined as a `PromptDefinition` entry in `src/prompts/index.ts` and appended to the `PROMPT_DEFINITIONS` array. The entry supplies a name, a description, a Zod raw shape (`argsSchema`) for argument validation, and a `handler` that returns a `GetPromptResult` (a `messages` array). Registration in `src/server.ts` is a single loop: `for (const p of PROMPT_DEFINITIONS) server.prompt(p.name, p.description, p.argsSchema, p.handler);`. Prompt text must follow the project brand-voice rules: no em-dashes, no banned phrases, plain factual language.