package policy

import _ "embed"

// ReferenceRego is a read-ACL Rego SKELETON bundled with zddc-server for
// external-OPA deployments. It models the read cascade ONLY and is NOT a
// semantic mirror of the InternalDecider: it does not implement per-verb
// authorization (write/create/delete/admin), WORM zones, roles, fences, or
// config-edit, so it is FAIL-CLOSED — every non-read action is denied except
// for an elevated admin (input.user.is_active_admin). The InternalDecider
// remains the production source of truth. parity_test.go (OPA as a test-only
// dependency, so the production binary stays OPA-free) checks the modelled
// read-cascade dimension only — it does NOT prove full parity.
//
// Operators running an external OPA can use this as a STARTING POINT — they
// must add the unmodelled write/WORM/role/admin semantics before relying on
// it for write authorization:
//
//	zddc-server --print-rego > /etc/opa/policies/zddc-access.rego
//
// Customizations typical for federal deployments:
//
//   - Flip the leaf-allow-overrides-parent-deny semantics so parent denies
//     are absolute (NIST AC-6 least-privilege posture). For this specific
//     case zddc-server ships a parity-tested federal-mode variant; see
//     FederalRego and `--print-rego=federal`.
//   - Add role-based access via additional input fields (input.user.roles
//     populated by the upstream proxy from SAML/OIDC claims).
//   - Add time-of-day or IP-range constraints.
//   - Emit decision logs in a SIEM-friendly format via OPA's logging
//     plugins.
//
//go:embed rego/access.rego
var ReferenceRego string

// FederalRego is the strict-least-privilege variant of ReferenceRego
// where parent denies are absolute (NIST AC-6). Drop-in for federal
// customers who need the AC-6 posture without writing Rego from
// scratch:
//
//	zddc-server --print-rego=federal > /etc/opa/policies/zddc-access.rego
//
// The internal Go evaluator does NOT implement these semantics — it
// stays on the commercial cascade. Federal-mode is reachable only by
// running OPA with this policy and pointing ZDDC_OPA_URL at it. See
// zddc/internal/policy/rego/access_federal.rego for the policy itself
// and federal_parity_test.go for the divergence-test fixtures (cases
// where federal-mode and commercial-mode disagree, asserting each gives
// the expected verdict).
//
//go:embed rego/access_federal.rego
var FederalRego string
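Added illustration, not zddc-server code: a toy Go evaluator showing the two cascade semantics the comments above contrast (commercial: a leaf allow overrides a parent deny; federal: any ancestor deny is absolute) behind the skeleton's fail-closed gate for non-read verbs. The path-prefix `Rule` model, `Mode`, and `Decide` are assumptions made for this example; the real rules live in rego/access.rego and rego/access_federal.rego.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is an assumed path-prefix ACL entry used only for this illustration.
type Rule struct {
	Path  string // directory prefix such as "/projects"
	Allow bool
}
type Mode int

const (
	Commercial Mode = iota // deepest matching rule wins: a leaf allow overrides a parent deny
	Federal                // any matching deny wins: parent denies are absolute (NIST AC-6)
)

// matches reports whether path equals rulePath or lies beneath it.
func matches(rulePath, path string) bool {
	return rulePath == "/" || path == rulePath || strings.HasPrefix(path, rulePath+"/")
}

// Decide keeps the skeleton's fail-closed posture: only "read" goes through
// the cascade; every other verb is denied unless the caller is an active
// admin (input.user.is_active_admin in the Rego input).
func Decide(mode Mode, isActiveAdmin bool, action, path string, rules []Rule) bool {
	if action != "read" {
		return isActiveAdmin // write/create/delete/admin are not modelled
	}
	allowed, deepest := false, -1
	for _, r := range rules {
		if !matches(r.Path, path) {
			continue
		}
		if mode == Federal && !r.Allow {
			return false // an ancestor deny cannot be overridden beneath it
		}
		if len(r.Path) > deepest { // longer prefix = more specific rule
			deepest, allowed = len(r.Path), r.Allow
		}
	}
	return allowed // no matching rule: deny
}

func main() {
	// Constructed sample ACL: a parent deny with a leaf allow beneath it.
	rules := []Rule{{"/projects", false}, {"/projects/public", true}}
	p := "/projects/public/readme.txt"
	fmt.Println(Decide(Commercial, false, "read", p, rules), Decide(Federal, false, "read", p, rules)) // true false
}
```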