feat(cel-proto-parser): add policy and RLS template fixtures, fix converter

- Add policy.txt with 34 OPA-ish policy expressions (Kubernetes admission control patterns)
- Add rls-templates.txt with 17 RLS policy template expressions (direct_owner, membership, etc.)
- Fix converter to handle index access operator '[]' (was only handling 'index')
- Fix converter to handle unary negation '!_' with single node args (not array)
- Note: @marcbachmann/cel-js does not support bitwise AND (&) operator

Round-trip test results:
- basic.txt: 16/16 pass
- policy.txt: 34/34 pass
- rls-templates.txt: 17/17 pass

Author: pyramation

packages/cel-proto-parser/__fixtures__/expressions/policy.txt

@@ -0,0 +1,57 @@
+# Policy-Shaped CEL Expression Fixtures
+# OPA-ish patterns useful for Kubernetes admission control
+# Rich in syntax variety for deparser testing
+
+# 1) Core allow/deny shapes
+request.user == "system:admin"
+request.user in ["alice", "bob", "carol"]
+request.verb in ["create", "update"] && request.resource == "pods"
+!(request.user.startsWith("system:"))
+request.namespace != "kube-system" && request.namespace != "kube-public"
+
+# 2) Field presence / null-ish handling
+has(object.metadata.labels) && has(object.metadata.labels["app"])
+!has(object.spec.replicas) || object.spec.replicas <= 10
+has(object.spec.template) ? object.spec.template.spec.nodeName == "" : true
+has(object.spec.securityContext) && has(object.spec.securityContext.runAsNonRoot) && object.spec.securityContext.runAsNonRoot == true
+has(params.exemptUsers) && request.user in params.exemptUsers
+
+# 3) Map + list literals, indexing, membership
+object.metadata.labels["team"] in ["infra", "platform"]
+object.metadata.annotations["owner"] == request.user
+size(object.spec.containers) > 0
+object.spec.containers[0].image.matches("^ghcr\\.io/constructive-io/.+")
+
+# 4) String ops + regex escaping edge cases
+request.user.matches("^user:[a-z0-9_-]{3,32}$")
+object.metadata.name.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
+object.spec.containers.exists(c, c.name.startsWith("sidecar-") && c.image.contains("@sha256:"))
+object.spec.serviceAccountName != "" && !object.spec.serviceAccountName.startsWith("default")
+
+# 5) Quantifiers/macros (great for AST/deparser)
+object.spec.containers.all(c, !c.securityContext.privileged)
+object.spec.containers.exists(c, has(c.resources.limits["cpu"]) && has(c.resources.limits["memory"]))
+object.spec.containers.filter(c, c.image.contains(":latest")).size() == 0
+object.spec.containers.map(c, c.name).exists(n, n == "app")
+
+# 6) Nested logic + precedence stress tests
+request.verb == "update" && (request.user == "alice" || request.user == "bob") && !request.dryRun
+(request.user in params.admins) || (request.namespace == "dev" && request.user.matches("^user:dev_.*$"))
+!(request.verb == "delete" && request.resource == "namespaces")
+
+# 7) Numeric + bounds + ternary
+has(object.spec.replicas) ? (object.spec.replicas >= 1 && object.spec.replicas <= 20) : true
+object.spec.containers.all(c, c.resources.requests["cpu"] <= c.resources.limits["cpu"])
+
+# 8) "OPA-ish" patterns (rule-ish in one expression)
+request.user in params.admins || (request.verb in ["get","list","watch"] && request.namespace in params.readNamespaces)
+request.user == object.metadata.annotations["owner"] || request.user in params.delegates[object.metadata.annotations["owner"]]
+
+# 9) Equality against structured literals (map/list)
+object.metadata.labels == {"app": "api", "tier": "backend"}
+object.spec.tolerations.exists(t, t == {"key":"dedicated","operator":"Equal","value":"gpu","effect":"NoSchedule"})
+
+# 10) "Weird but valid" deparser edge cases
+"" == ""
+true ? false ? true : false : true
+((a + b) * c) / (d - 1) > 0

packages/cel-proto-parser/__fixtures__/expressions/rls-templates.txt

@@ -0,0 +1,46 @@
+# RLS Policy Template CEL Expressions
+# Maps to common policy templates: direct_owner, membership, permission bits, etc.
+# Uses: row (table row), auth (auth context), acl (ACL table view), params (compile-time params)
+
+# 1) direct_owner (row.owner_id == user_id)
+row.owner_id == auth.user_id
+has(row.owner_id) && row.owner_id == auth.user_id
+
+# 2) multi_owner / any_owner (row.sender_id OR row.receiver_id)
+auth.user_id in [row.sender_id, row.receiver_id]
+
+# 3) membership_by_field (row.org_id exists in ACL for user)
+acl.memberships.exists(m, m.user_id == auth.user_id && m.entity_type == "org" && m.entity_id == row.org_id)
+
+# 4) membership_by_join (row -> join table -> memberships)
+acl.joins.exists(j, j.row_id == row.id && acl.memberships.exists(m, m.user_id == auth.user_id && m.entity_type == "group" && m.entity_id == j.entity_id))
+
+# 5) scoped_owner / scope_owner (membership exists AND matches scope)
+acl.memberships.exists(m, m.user_id == auth.user_id && m.scope == "project" && m.entity_id == row.project_id)
+acl.memberships.exists(m, m.user_id == auth.user_id && m.membership_type == params.membership_type && m.entity_id == row.entity_id)
+
+# 6) hasAccess / permission-bit checks (bitmask)
+# NOTE: @marcbachmann/cel-js does not support bitwise AND (&) operator
+# These would be: acl.memberships.exists(m, m.user_id == auth.user_id && m.entity_id == row.org_id && (m.perms & params.required_perm) != 0)
+
+# 7) Role-based overrides (auth.roles)
+("admin" in auth.roles) || (row.owner_id == auth.user_id)
+auth.user.startsWith("system:") || row.owner_id == auth.user_id
+
+# 8) acl_exists (no entity match; "member of ANY org")
+acl.memberships.exists(m, m.user_id == auth.user_id && m.entity_type == "org")
+
+# 9) relatedAccess / relationship ownership (row references another object)
+acl.parents.exists(p, p.id == row.parent_id && (p.owner_id == auth.user_id || acl.memberships.exists(m, m.user_id == auth.user_id && m.entity_id == p.org_id)))
+
+# 10) Array membership / group array checks
+has(row.allowed_user_ids) && auth.user_id in row.allowed_user_ids
+row.group_ids.exists(gid, acl.memberships.exists(m, m.user_id == auth.user_id && m.entity_type == "group" && m.entity_id == gid))
+
+# 11) "Owner OR membership" compound policy (very common)
+row.owner_id == auth.user_id || acl.memberships.exists(m, m.user_id == auth.user_id && m.entity_id == row.org_id)
+
+# 12) Insert/update "WITH CHECK" style (new row constraints)
+row.owner_id == auth.user_id
+newRow.owner_id == auth.user_id
+request.verb == "update" ? (newRow.owner_id == oldRow.owner_id) : true

packages/cel-proto-parser/src/converter/index.ts

@@ -147,7 +147,8 @@ export function convertToProtoExpr(node: MarcAstNode, idCounter = { value: 1 }):
       };
     }
 
-    case 'index': {
+    case 'index':
+    case '[]': {
       // Index access: obj[key]
       const args = node.args as [MarcAstNode, MarcAstNode];
       return {
@@ -187,14 +188,19 @@ export function convertToProtoExpr(node: MarcAstNode, idCounter = { value: 1 }):
 
     // Unary operators
     case '!':
-    case 'neg': {
-      const args = node.args as [MarcAstNode];
-      const funcName = node.op === '!' ? '!_' : '-_';
+    case '!_':
+    case 'neg':
+    case '-_': {
+      // Args can be either a single node or an array with one element
+      const argNode = Array.isArray(node.args)
+        ? (node.args as MarcAstNode[])[0]
+        : (node.args as MarcAstNode);
+      const funcName = node.op === '!' || node.op === '!_' ? '!_' : '-_';
       return {
         id,
         callExpr: {
           function: funcName,
-          args: args.map((a) => convertToProtoExpr(a, idCounter))
+          args: [convertToProtoExpr(argNode, idCounter)]
         }
       };
     }