package policy

import _ "embed"

// ReferenceRego is the canonical Rego policy bundled with zddc-server.
// It mirrors the InternalDecider's semantics exactly — every release CI
// run validates parity via parity_test.go (which imports the OPA library
// as a test-only dependency, so the production binary stays OPA-free).
//
// Operators running an external OPA can use this as the starting point
// for their own policy bundle:
//
//	zddc-server --print-rego > /etc/opa/policies/zddc-access.rego
//
// Customizations typical for federal deployments:
//
//   - Flip the leaf-allow-overrides-parent-deny semantics so parent denies
//     are absolute (NIST AC-6 least-privilege posture).
//   - Add role-based access via additional input fields (input.user.roles
//     populated by the upstream proxy from SAML/OIDC claims).
//   - Add time-of-day or IP-range constraints.
//   - Emit decision logs in a SIEM-friendly format via OPA's logging
//     plugins.
//
//go:embed rego/access.rego
var ReferenceRego string
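The first customization above contrasts two ways of resolving a hierarchy of allow/deny rules. The following is an added, stand-alone Go illustration of that difference; it is not the InternalDecider or the bundled Rego, and the path-keyed `Rules` model, the `Decide` function and the sample rule set are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Effect is one rule's verdict at a node of the resource path hierarchy.
type Effect int

const (
	Unset Effect = iota // no rule at this node; inherit from ancestors
	Allow
	Deny
)

// Rules maps a hierarchical resource path ("/", "/finance", ...) to an effect.
type Rules map[string]Effect

// ancestors returns "/", "/a", "/a/b" for the path "/a/b".
func ancestors(path string) []string {
	out := []string{"/"}
	trimmed := strings.Trim(path, "/")
	if trimmed == "" {
		return out
	}
	parts := strings.Split(trimmed, "/")
	for i := range parts {
		out = append(out, "/"+strings.Join(parts[:i+1], "/"))
	}
	return out
}

// Decide walks from the root to the requested path. With parentDenyAbsolute
// false, the most specific rule wins, so a leaf allow overrides a parent deny
// (the reference semantics). With parentDenyAbsolute true, any deny met on
// the way is final (the least-privilege variant). No rule at all means deny.
func Decide(rules Rules, path string, parentDenyAbsolute bool) bool {
	verdict := Unset
	for _, node := range ancestors(path) {
		switch rules[node] {
		case Deny:
			if parentDenyAbsolute {
				return false
			}
			verdict = Deny
		case Allow:
			verdict = Allow
		}
	}
	return verdict == Allow
}

func main() {
	rules := Rules{"/": Allow, "/finance": Deny, "/finance/reports": Allow} // constructed sample
	fmt.Println(Decide(rules, "/finance/reports", false), Decide(rules, "/finance/reports", true))
}
```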