{ "_comment": "A committed demo mission that attaches Cedar + forbid-rules alongside native checks. Exercises the full three-backend composition path end-to-end — what the paper's 'composed under a verified rule' claim actually runs on. See docs/plans/ardur-correctness-test-plan-2026-04-17.md A3.", "_note_integrity": "Cedar uses policy_inline (Cedar DSL source); forbid-rules uses data_inline (a list of rule dicts). Both require policy_sha256 = SHA-256 of that field's canonical content. The demo script (demos/three-backend-compose-demo.py) computes both at runtime, so the committed sentinel values are documentation-only and must be overwritten before the mission is handed to the proxy.", "agent_id": "sales-analyst-compose-demo", "mission": "Analyze Q1 sales; no PII; compliance-screened outbound.", "allowed_tools": ["read_file", "write_file", "send_email"], "forbidden_tools": ["delete_file"], "resource_scope": [], "allowed_side_effect_classes": ["none", "read", "internal_write", "external_send"], "max_tool_calls": 20, "max_duration_s": 600, "delegation_allowed": false, "max_delegation_depth": 0, "holder_spiffe_id": "spiffe://org-a.example/workload/sales-analyst", "additional_policies": [ { "backend": "cedar", "label": "security_team", "_policy_comment": "Security team's Cedar policy: forbid outbound email entirely. policy_sha256 must be the SHA-256 of policy_inline.", "policy_inline": "permit(principal, action, resource);\nforbid(principal, action == Action::\"send_email\", resource);", "policy_sha256": "CEDAR_SHA_RECOMPUTED_AT_RUNTIME" }, { "backend": "forbid_rules", "label": "compliance", "_policy_comment": "Compliance forbid-rules: data_inline is the list of rule dicts. policy_sha256 must be SHA-256 of canonical JSON of that list (sorted keys, compact separators).", "data_inline": [ {"id": "no_ssn", "forbid_when": {"arg_contains": ["ssn", "social security"]}}, {"id": "no_ccn", "forbid_when": {"arg_contains": ["credit card", "ccn"]}} ], "policy_sha256": "FORBID_SHA_RECOMPUTED_AT_RUNTIME" } ] }