npm - cedar-mcp-server - Versions diffs - 1.0.0 - Mend

cedar-mcp-server 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (215) hide show

package/.editorconfig +12 -0
package/.github/workflows/ci.yml +31 -0
package/.github/workflows/release.yml +42 -0
package/.nvmrc +1 -0
package/CHANGELOG.md +241 -0
package/CONTRIBUTING.md +83 -0
package/LICENSE +182 -0
package/README.md +1635 -0
package/SECURITY.md +37 -0
package/dist/http-server.d.ts +61 -0
package/dist/http-server.d.ts.map +1 -0
package/dist/http-server.js +194 -0
package/dist/http-server.js.map +1 -0
package/dist/index.d.ts +32 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +270 -0
package/dist/index.js.map +1 -0
package/dist/parser/policy-ast.d.ts +49 -0
package/dist/parser/policy-ast.d.ts.map +1 -0
package/dist/parser/policy-ast.js +311 -0
package/dist/parser/policy-ast.js.map +1 -0
package/dist/prompts/index.d.ts +38 -0
package/dist/prompts/index.d.ts.map +1 -0
package/dist/prompts/index.js +172 -0
package/dist/prompts/index.js.map +1 -0
package/dist/resources/ref-resolver.d.ts +23 -0
package/dist/resources/ref-resolver.d.ts.map +1 -0
package/dist/resources/ref-resolver.js +128 -0
package/dist/resources/ref-resolver.js.map +1 -0
package/dist/resources/store-manager.d.ts +64 -0
package/dist/resources/store-manager.d.ts.map +1 -0
package/dist/resources/store-manager.js +221 -0
package/dist/resources/store-manager.js.map +1 -0
package/dist/server.d.ts +18 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +539 -0
package/dist/server.js.map +1 -0
package/dist/tools/advise/avp-rules.d.ts +49 -0
package/dist/tools/advise/avp-rules.d.ts.map +1 -0
package/dist/tools/advise/avp-rules.js +59 -0
package/dist/tools/advise/avp-rules.js.map +1 -0
package/dist/tools/advise/cedar-patterns.d.ts +24 -0
package/dist/tools/advise/cedar-patterns.d.ts.map +1 -0
package/dist/tools/advise/cedar-patterns.js +57 -0
package/dist/tools/advise/cedar-patterns.js.map +1 -0
package/dist/tools/advise/context-builder.d.ts +28 -0
package/dist/tools/advise/context-builder.d.ts.map +1 -0
package/dist/tools/advise/context-builder.js +89 -0
package/dist/tools/advise/context-builder.js.map +1 -0
package/dist/tools/advise/gotchas.d.ts +15 -0
package/dist/tools/advise/gotchas.d.ts.map +1 -0
package/dist/tools/advise/gotchas.js +83 -0
package/dist/tools/advise/gotchas.js.map +1 -0
package/dist/tools/advise.d.ts +96 -0
package/dist/tools/advise.d.ts.map +1 -0
package/dist/tools/advise.js +258 -0
package/dist/tools/advise.js.map +1 -0
package/dist/tools/authorize-batch.d.ts +35 -0
package/dist/tools/authorize-batch.d.ts.map +1 -0
package/dist/tools/authorize-batch.js +262 -0
package/dist/tools/authorize-batch.js.map +1 -0
package/dist/tools/authorize.d.ts +115 -0
package/dist/tools/authorize.d.ts.map +1 -0
package/dist/tools/authorize.js +373 -0
package/dist/tools/authorize.js.map +1 -0
package/dist/tools/check-change.d.ts +19 -0
package/dist/tools/check-change.d.ts.map +1 -0
package/dist/tools/check-change.js +91 -0
package/dist/tools/check-change.js.map +1 -0
package/dist/tools/diff-schema.d.ts +103 -0
package/dist/tools/diff-schema.d.ts.map +1 -0
package/dist/tools/diff-schema.js +379 -0
package/dist/tools/diff-schema.js.map +1 -0
package/dist/tools/diff-stores.d.ts +45 -0
package/dist/tools/diff-stores.d.ts.map +1 -0
package/dist/tools/diff-stores.js +222 -0
package/dist/tools/diff-stores.js.map +1 -0
package/dist/tools/explain.d.ts +80 -0
package/dist/tools/explain.d.ts.map +1 -0
package/dist/tools/explain.js +187 -0
package/dist/tools/explain.js.map +1 -0
package/dist/tools/format.d.ts +11 -0
package/dist/tools/format.d.ts.map +1 -0
package/dist/tools/format.js +20 -0
package/dist/tools/format.js.map +1 -0
package/dist/tools/generate-sample.d.ts +28 -0
package/dist/tools/generate-sample.d.ts.map +1 -0
package/dist/tools/generate-sample.js +568 -0
package/dist/tools/generate-sample.js.map +1 -0
package/dist/tools/link-template.d.ts +17 -0
package/dist/tools/link-template.d.ts.map +1 -0
package/dist/tools/link-template.js +78 -0
package/dist/tools/link-template.js.map +1 -0
package/dist/tools/list-template-links.d.ts +16 -0
package/dist/tools/list-template-links.d.ts.map +1 -0
package/dist/tools/list-template-links.js +22 -0
package/dist/tools/list-template-links.js.map +1 -0
package/dist/tools/list-templates.d.ts +16 -0
package/dist/tools/list-templates.d.ts.map +1 -0
package/dist/tools/list-templates.js +36 -0
package/dist/tools/list-templates.js.map +1 -0
package/dist/tools/translate.d.ts +11 -0
package/dist/tools/translate.d.ts.map +1 -0
package/dist/tools/translate.js +53 -0
package/dist/tools/translate.js.map +1 -0
package/dist/tools/validate-entities.d.ts +19 -0
package/dist/tools/validate-entities.d.ts.map +1 -0
package/dist/tools/validate-entities.js +88 -0
package/dist/tools/validate-entities.js.map +1 -0
package/dist/tools/validate-schema.d.ts +22 -0
package/dist/tools/validate-schema.d.ts.map +1 -0
package/dist/tools/validate-schema.js +89 -0
package/dist/tools/validate-schema.js.map +1 -0
package/dist/tools/validate-template.d.ts +18 -0
package/dist/tools/validate-template.d.ts.map +1 -0
package/dist/tools/validate-template.js +59 -0
package/dist/tools/validate-template.js.map +1 -0
package/dist/tools/validate.d.ts +90 -0
package/dist/tools/validate.d.ts.map +1 -0
package/dist/tools/validate.js +351 -0
package/dist/tools/validate.js.map +1 -0
package/dist/utils/format-detector.d.ts +49 -0
package/dist/utils/format-detector.d.ts.map +1 -0
package/dist/utils/format-detector.js +298 -0
package/dist/utils/format-detector.js.map +1 -0
package/examples/README.md +36 -0
package/examples/abac-multi-tenant/README.md +150 -0
package/examples/abac-multi-tenant/entities/users-and-docs.json +33 -0
package/examples/abac-multi-tenant/policies/member-read-internal.cedar +9 -0
package/examples/abac-multi-tenant/policies/owner-full-access.cedar +9 -0
package/examples/abac-multi-tenant/policies/premium-share-guard.cedar +9 -0
package/examples/abac-multi-tenant/policies/private-doc-guard.cedar +13 -0
package/examples/abac-multi-tenant/run.ts +92 -0
package/examples/abac-multi-tenant/schema.json +60 -0
package/examples/api-gateway-path-routing/README.md +154 -0
package/examples/api-gateway-path-routing/entities/users-and-roles.json +20 -0
package/examples/api-gateway-path-routing/policies/admin-full-access.cedar +6 -0
package/examples/api-gateway-path-routing/policies/developer-projects.cedar +14 -0
package/examples/api-gateway-path-routing/policies/viewer-readonly.cedar +10 -0
package/examples/api-gateway-path-routing/run.ts +108 -0
package/examples/api-gateway-path-routing/schema.json +54 -0
package/examples/rbac-document-management/README.md +167 -0
package/examples/rbac-document-management/entities/users-and-docs.json +43 -0
package/examples/rbac-document-management/policies/admin.cedar +6 -0
package/examples/rbac-document-management/policies/editor.cedar +6 -0
package/examples/rbac-document-management/policies/top-secret-forbid.cedar +13 -0
package/examples/rbac-document-management/policies/viewer.cedar +6 -0
package/examples/rbac-document-management/run.ts +87 -0
package/examples/rbac-document-management/schema.json +57 -0
package/package.json +50 -0
package/src/http-server.ts +239 -0
package/src/index.ts +294 -0
package/src/parser/policy-ast.ts +345 -0
package/src/prompts/README.md +3 -0
package/src/prompts/index.ts +217 -0
package/src/resources/ref-resolver.ts +134 -0
package/src/resources/store-manager.ts +248 -0
package/src/server.ts +711 -0
package/src/tools/advise/avp-rules.ts +70 -0
package/src/tools/advise/cedar-patterns.ts +73 -0
package/src/tools/advise/context-builder.ts +109 -0
package/src/tools/advise/gotchas.ts +92 -0
package/src/tools/advise.ts +366 -0
package/src/tools/authorize-batch.ts +345 -0
package/src/tools/authorize.ts +464 -0
package/src/tools/check-change.ts +119 -0
package/src/tools/diff-schema.ts +510 -0
package/src/tools/diff-stores.ts +298 -0
package/src/tools/explain.ts +278 -0
package/src/tools/format.ts +33 -0
package/src/tools/generate-sample.ts +665 -0
package/src/tools/link-template.ts +109 -0
package/src/tools/list-template-links.ts +41 -0
package/src/tools/list-templates.ts +55 -0
package/src/tools/translate.ts +66 -0
package/src/tools/validate-entities.ts +125 -0
package/src/tools/validate-schema.ts +128 -0
package/src/tools/validate-template.ts +72 -0
package/src/tools/validate.ts +459 -0
package/src/utils/format-detector.ts +356 -0
package/test/fixtures/docmgmt.ts +121 -0
package/test/fixtures/multitenant.ts +163 -0
package/test/index.test.ts +96 -0
package/test/integration/e2e/behavior.test.ts +359 -0
package/test/integration/e2e/edge-cases.test.ts +365 -0
package/test/integration/e2e/failure-modes.test.ts +266 -0
package/test/integration/e2e/protocol.test.ts +252 -0
package/test/integration/http-smoke.test.ts +588 -0
package/test/integration/smoke.test.ts +475 -0
package/test/prompts/prompts.test.ts +173 -0
package/test/property/properties.test.ts +234 -0
package/test/resources/ref-resolver.test.ts +186 -0
package/test/resources/store-manager.test.ts +344 -0
package/test/setup.test.ts +7 -0
package/test/tools/advise/avp-rules.test.ts +76 -0
package/test/tools/advise.test.ts +339 -0
package/test/tools/authorize-batch.test.ts +459 -0
package/test/tools/authorize.test.ts +682 -0
package/test/tools/check-change.test.ts +104 -0
package/test/tools/cross-fixture.test.ts +170 -0
package/test/tools/diff-schema.test.ts +355 -0
package/test/tools/diff-stores.test.ts +291 -0
package/test/tools/explain.test.ts +221 -0
package/test/tools/format.test.ts +33 -0
package/test/tools/generate-sample.test.ts +480 -0
package/test/tools/link-template.test.ts +90 -0
package/test/tools/list-templates.test.ts +151 -0
package/test/tools/translate.test.ts +89 -0
package/test/tools/validate-entities.test.ts +178 -0
package/test/tools/validate-schema.test.ts +86 -0
package/test/tools/validate-template.test.ts +89 -0
package/test/tools/validate.test.ts +331 -0
package/test/utils/format-detector.test.ts +518 -0
package/tsconfig.json +17 -0
package/vitest.config.ts +13 -0

package/test/tools/validate.test.ts ADDED Viewed

@@ -0,0 +1,331 @@
+import { describe, it, expect, afterEach } from "vitest";
+import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { handleValidate } from "../../src/tools/validate.js";
+import { storeManager } from "../../src/resources/store-manager.js";
+import { POLICIES, SCHEMA_JSON } from "../fixtures/docmgmt.js";
+const SCHEMA_STR = JSON.stringify(SCHEMA_JSON);
+// Minimal Cedar schema reused for the 10d auto-discovery fixtures below.
+const DOCMGMT_SCHEMA_CEDARSCHEMA = `namespace DocMgmt {
+  entity User in [Role] = { name: String, email: String };
+  entity Role;
+  entity Document in [Folder] = { owner: String, classification: String };
+  entity Folder;
+  action READ appliesTo { principal: [User], resource: [Document], context: {} };
+  action WRITE appliesTo { principal: [User], resource: [Document], context: {} };
+  action DELETE appliesTo { principal: [User], resource: [Document], context: {} };
+}`;
+function makeAutoDiscoveryStore(name: string): string {
+  const dir = mkdtempSync(join(tmpdir(), `cedar-validate-auto-${name}-`));
+  mkdirSync(join(dir, "policies"), { recursive: true });
+  writeFileSync(join(dir, "schema.cedarschema"), DOCMGMT_SCHEMA_CEDARSCHEMA);
+  return dir;
+}
+describe("cedar_validate", () => {
+  it("returns valid for correct policies against schema", async () => {
+    const result = await handleValidate({ policies: POLICIES, schema: SCHEMA_STR });
+    expect(result.valid).toBe(true);
+    expect(result.errors).toHaveLength(0);
+    expect(result.validation_mode).toBe("syntax_and_schema");
+  });
+  it("returns invalid for a policy referencing a non-existent attribute", async () => {
+    const bad = `permit(principal, action, resource) when { resource.nonexistent == "x" };`;
+    const result = await handleValidate({ policies: bad, schema: SCHEMA_STR });
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(0);
+    expect(result.errors[0].message).toContain("nonexistent");
+    expect(result.validation_mode).toBe("syntax_and_schema");
+  });
+  it("includes policy_count in result", async () => {
+    const result = await handleValidate({ policies: POLICIES, schema: SCHEMA_STR });
+    expect(result.policy_count).toBe(4);
+  });
+  it("accepts Cedar text schema format", async () => {
+    const cedarSchema = `
+      namespace DocMgmt {
+        entity User in [Role] = { name: String, email: String };
+        entity Role;
+        entity Document in [Folder] = { owner: String, classification: String };
+        entity Folder;
+        action READ appliesTo { principal: [User], resource: [Document], context: {} };
+        action WRITE appliesTo { principal: [User], resource: [Document], context: {} };
+        action DELETE appliesTo { principal: [User], resource: [Document], context: {} };
+      }
+    `.trim();
+    const result = await handleValidate({ policies: POLICIES, schema: cedarSchema });
+    expect(result.valid).toBe(true);
+  });
+});
+describe("cedar_validate — 10a syntax-only mode (no schema)", () => {
+  it("returns parse error with typo hint when schema is omitted and policy contains 'prinicpal'", async () => {
+    const bad = `permit (prinicpal in MyApp::Role::"admin", action, resource);`;
+    const result = await handleValidate({ policies: bad });
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(0);
+    expect(result.errors[0]!.hint).toMatch(/Did you mean 'principal'\?/);
+    expect(result.errors[0]!.line).toBe(1);
+    expect(result.validation_mode).toBe("syntax_only");
+  });
+  it("returns valid for a correctly parsed policy when schema is omitted", async () => {
+    const ok = `permit (principal, action, resource);`;
+    const result = await handleValidate({ policies: ok });
+    expect(result.valid).toBe(true);
+    expect(result.errors).toHaveLength(0);
+    expect(result.warnings).toHaveLength(0);
+    expect(result.policy_count).toBe(1);
+    expect(result.validation_mode).toBe("syntax_only");
+  });
+});
+describe("cedar_validate — M2 line/column on parse errors", () => {
+  it("returns line and column for a parse error on a multi-line policy", async () => {
+    // `int` typo (should be `in`) sits on line 3, starting at column 10 (1-indexed)
+    const bad = `permit (
+  principal,
+  action int [DocMgmt::Action::"READ"],
+  resource
+);`;
+    const result = await handleValidate({ policies: bad, schema: SCHEMA_STR });
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(0);
+    const err = result.errors[0]!;
+    expect(err.line).toBe(3);
+    expect(err.column).toBe(10);
+  });
+  it("returns line 1 for a single-line parse error", async () => {
+    const bad = `permint (principal, action, resource);`;  // `permint` typo on line 1
+    const result = await handleValidate({ policies: bad, schema: SCHEMA_STR });
+    expect(result.valid).toBe(false);
+    expect(result.errors[0]!.line).toBe(1);
+    expect(result.errors[0]!.column).toBeGreaterThan(0);
+  });
+  it("reports correct column when a multi-byte UTF-8 char (em-dash) appears before the error", async () => {
+    // Post-audit regression: WASM reports UTF-8 byte offsets; naive walking
+    // as JS-string char indexes drifts on multi-byte chars. The em-dash on
+    // line 1 is 3 bytes / 1 code point. The `int` typo on line 4 starts at
+    // 1-indexed column 10. A byte-counted column would report 12.
+    const bad = `// comment with em—dash
+permit (
+  principal,
+  action int [DocMgmt::Action::"READ"],
+  resource
+);`;
+    const result = await handleValidate({ policies: bad, schema: SCHEMA_STR });
+    expect(result.valid).toBe(false);
+    expect(result.errors[0]!.line).toBe(4);
+    expect(result.errors[0]!.column).toBe(10);
+  });
+});
+describe("cedar_validate — M1 hint for common typos", () => {
+  it("suggests 'in' when policy uses 'int' as a token", async () => {
+    const bad = `permit (principal, action int [DocMgmt::Action::"READ"], resource);`;
+    const result = await handleValidate({ policies: bad, schema: SCHEMA_STR });
+    expect(result.valid).toBe(false);
+    expect(result.errors[0]!.hint).toMatch(/'in'/);
+  });
+  it("suggests 'principal' when policy uses 'prinipal'", async () => {
+    const bad = `permit (prinipal, action, resource);`;
+    const result = await handleValidate({ policies: bad, schema: SCHEMA_STR });
+    expect(result.valid).toBe(false);
+    expect(result.errors[0]!.hint).toMatch(/'principal'/);
+  });
+  it("suggests 'permit' when policy uses 'permint'", async () => {
+    const bad = `permint (principal, action, resource);`;
+    const result = await handleValidate({ policies: bad, schema: SCHEMA_STR });
+    expect(result.valid).toBe(false);
+    expect(result.errors[0]!.hint).toMatch(/'permit'/);
+  });
+  it("leaves hint null for parse errors with no known typo", async () => {
+    const bad = `permit (principal, action, resource) when { xyzzy(123) };`;
+    const result = await handleValidate({ policies: bad, schema: SCHEMA_STR });
+    // The error may or may not exist depending on Cedar's grammar; if it does, hint should be null
+    if (result.errors.length > 0 && result.errors[0]!.hint !== undefined) {
+      // Only assert when there is an error to check; the point is we do not over-suggest
+      expect(result.errors[0]!.hint).toBeNull();
+    }
+  });
+});
+describe("cedar_validate — 10d auto-discovery", () => {
+  const tempDirs: string[] = [];
+  afterEach(() => {
+    // Reset the singleton store manager so per-test state never leaks. Also
+    // tear down the temp workspace directories created during the test.
+    storeManager.loadFromRoots([]);
+    while (tempDirs.length > 0) {
+      const dir = tempDirs.pop()!;
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+  it("pulls the schema from the single loaded store when input.schema is omitted", async () => {
+    const storePath = makeAutoDiscoveryStore("single");
+    tempDirs.push(storePath);
+    storeManager.loadFromRoots([{ uri: `file://${storePath}`, name: "workspace" }]);
+    const result = await handleValidate({ policies: POLICIES });
+    expect(result.valid).toBe(true);
+    expect(result.validation_mode).toBe("syntax_and_schema");
+    expect(result.auto_discovered).toEqual({ schema_from: "workspace" });
+  });
+  it("honors an explicit store parameter even when multiple stores are loaded", async () => {
+    const blue = makeAutoDiscoveryStore("blue");
+    const green = makeAutoDiscoveryStore("green");
+    tempDirs.push(blue, green);
+    storeManager.loadFromRoots([
+      { uri: `file://${blue}`, name: "blue" },
+      { uri: `file://${green}`, name: "green" },
+    ]);
+    const result = await handleValidate({ policies: POLICIES, store: "green" });
+    expect(result.valid).toBe(true);
+    expect(result.validation_mode).toBe("syntax_and_schema");
+    expect(result.auto_discovered).toEqual({ schema_from: "green" });
+  });
+  it("returns an ambiguity error when multiple stores are loaded and no store is passed", async () => {
+    const blue = makeAutoDiscoveryStore("blue");
+    const green = makeAutoDiscoveryStore("green");
+    tempDirs.push(blue, green);
+    storeManager.loadFromRoots([
+      { uri: `file://${blue}`, name: "blue" },
+      { uri: `file://${green}`, name: "green" },
+    ]);
+    const result = await handleValidate({ policies: POLICIES });
+    expect(result.valid).toBe(false);
+    expect(result.errors).toHaveLength(1);
+    expect(result.errors[0]!.message).toMatch(/Multiple stores are loaded/);
+    expect(result.errors[0]!.message).toContain("blue");
+    expect(result.errors[0]!.message).toContain("green");
+    expect(result.errors[0]!.message).toMatch(/Pass store/);
+    // Stays in syntax_only because we never picked a schema to type-check against.
+    expect(result.validation_mode).toBe("syntax_only");
+  });
+});
+describe("cedar_validate — 11c explicit validation_mode opt-in", () => {
+  const tempDirs: string[] = [];
+  afterEach(() => {
+    storeManager.loadFromRoots([]);
+    while (tempDirs.length > 0) {
+      const dir = tempDirs.pop()!;
+      rmSync(dir, { recursive: true, force: true });
+    }
+  });
+  it("validation_mode='auto' (default explicit) behaves like the existing auto-discovery path", async () => {
+    const storePath = makeAutoDiscoveryStore("workspace-auto");
+    tempDirs.push(storePath);
+    storeManager.loadFromRoots([{ uri: `file://${storePath}`, name: "workspace-auto" }]);
+    const result = await handleValidate({ policies: POLICIES, validation_mode: "auto" });
+    expect(result.valid).toBe(true);
+    expect(result.validation_mode).toBe("syntax_and_schema");
+    expect(result.auto_discovered).toEqual({ schema_from: "workspace-auto" });
+  });
+  it("validation_mode='syntax_only' forces parser-only and skips workspace auto-discovery even when a store is loaded", async () => {
+    const storePath = makeAutoDiscoveryStore("workspace-bypass");
+    tempDirs.push(storePath);
+    storeManager.loadFromRoots([{ uri: `file://${storePath}`, name: "workspace-bypass" }]);
+    const result = await handleValidate({
+      policies: `permit (principal, action, resource);`,
+      validation_mode: "syntax_only",
+    });
+    expect(result.valid).toBe(true);
+    expect(result.validation_mode).toBe("syntax_only");
+    // Critical: no auto_discovered field — the store was loaded but we explicitly bypassed it.
+    expect(result.auto_discovered).toBeUndefined();
+  });
+  it("validation_mode='syntax_only' ignores a schema passed inline (parser-only on demand)", async () => {
+    const result = await handleValidate({
+      policies: `permit (principal, action, resource);`,
+      schema: SCHEMA_STR,
+      validation_mode: "syntax_only",
+    });
+    expect(result.valid).toBe(true);
+    expect(result.validation_mode).toBe("syntax_only");
+    expect(result.auto_discovered).toBeUndefined();
+  });
+  it("validation_mode='syntax_and_schema' with an inline schema runs full type-check", async () => {
+    const result = await handleValidate({
+      policies: POLICIES,
+      schema: SCHEMA_STR,
+      validation_mode: "syntax_and_schema",
+    });
+    expect(result.valid).toBe(true);
+    expect(result.validation_mode).toBe("syntax_and_schema");
+  });
+  it("validation_mode='syntax_and_schema' resolves from the workspace when no inline schema was provided", async () => {
+    const storePath = makeAutoDiscoveryStore("workspace-explicit");
+    tempDirs.push(storePath);
+    storeManager.loadFromRoots([{ uri: `file://${storePath}`, name: "workspace-explicit" }]);
+    const result = await handleValidate({
+      policies: POLICIES,
+      validation_mode: "syntax_and_schema",
+    });
+    expect(result.valid).toBe(true);
+    expect(result.validation_mode).toBe("syntax_and_schema");
+    expect(result.auto_discovered).toEqual({ schema_from: "workspace-explicit" });
+  });
+  it("validation_mode='syntax_and_schema' with no schema available returns a clear error (not a silent fall-through to syntax_only)", async () => {
+    const result = await handleValidate({
+      policies: `permit (principal, action, resource);`,
+      validation_mode: "syntax_and_schema",
+    });
+    expect(result.valid).toBe(false);
+    expect(result.errors).toHaveLength(1);
+    expect(result.errors[0]!.message).toMatch(/syntax_and_schema/);
+    expect(result.errors[0]!.message).toMatch(/schema/);
+    // The response's validation_mode reflects what the caller asked for, not what got run.
+    expect(result.validation_mode).toBe("syntax_and_schema");
+  });
+});