Update trust_cascading policy

Author: l46kok

tools/src/test/java/dev/cel/tools/ai/AgenticPolicyCompilerTest.java

@@ -21,11 +21,13 @@
 import dev.cel.common.types.SimpleType;
 import dev.cel.common.types.StructTypeReference;
 import dev.cel.expr.ai.Agent;
+import dev.cel.expr.ai.AgentContext; // New Import
 import dev.cel.expr.ai.AgentMessage;
 import dev.cel.expr.ai.Finding;
 import dev.cel.expr.ai.Tool;
 import dev.cel.expr.ai.ToolAnnotations;
 import dev.cel.expr.ai.ToolCall;
+import dev.cel.expr.ai.TrustLevel; // New Import
 import dev.cel.parser.CelStandardMacro;
 import dev.cel.policy.testing.PolicyTestSuiteHelper;
 import dev.cel.policy.testing.PolicyTestSuiteHelper.PolicyTestSuite;
@@ -49,15 +51,20 @@ public class AgenticPolicyCompilerTest {
       .setContainer(CelContainer.ofName("cel.expr.ai"))
       .setStandardMacros(CelStandardMacro.STANDARD_MACROS)
       .addMessageTypes(Agent.getDescriptor())
+      .addMessageTypes(AgentContext.getDescriptor())
+      .addMessageTypes(TrustLevel.getDescriptor())
       .addMessageTypes(ToolCall.getDescriptor())
       .addMessageTypes(Tool.getDescriptor())
       .addMessageTypes(ToolAnnotations.getDescriptor())
       .addMessageTypes(AgentMessage.getDescriptor())
       .addMessageTypes(Finding.getDescriptor())
+
       .addVar("agent.input", StructTypeReference.create("cel.expr.ai.AgentMessage"))
+      .addVar("agent.context", StructTypeReference.create("cel.expr.ai.AgentContext"))
       .addVar("tool.name", SimpleType.STRING)
       .addVar("tool.annotations", StructTypeReference.create("cel.expr.ai.ToolAnnotations"))
       .addVar("tool.call", StructTypeReference.create("cel.expr.ai.ToolCall"))
+
       .addFunctionDeclarations(
           newFunctionDeclaration(
               "ai.finding",
@@ -177,6 +184,10 @@ private enum AgenticPolicyTestCase {
     OPEN_WORLD_TOOL_REPLAY(
         "open_world_tool_replay.celpolicy",
         "open_world_tool_replay_tests.yaml"
+    ),
+    TRUST_CASCADING(
+        "trust_cascading.celpolicy",
+        "trust_cascading_tests.yaml"
     );
 
     private final String policyFilePath;
@@ -217,4 +228,4 @@ private void runTests(Cel cel, CelAbstractSyntaxTree ast, PolicyTestSuite testSu
       }
     }
   }
-}
+}

tools/src/test/resources/trust_cascading.celpolicy

@@ -2,20 +2,34 @@ name: "policy.trust.cascading"
 default: allow
 
 variables:
-  - trust_decision: >
-      security.cascade_trust(agent.history())
+  # Critical security threats
+  - is_compromised: >
+      agent.context.trust.findings.contains([ai.finding("compromised_session", 0.9)])
+
+  # Compliance and/or hygiene issues with the source
+  - is_unverified: >
+      agent.context.trust.findings.contains([ai.finding("unverified_source", 0.8)])
 
 rules:
-  - description: "Elevate trust and replay model call if required"
-    condition: variables.trust_decision.action == 'REPLAY'
+  - description: "Block sessions with high-confidence compromise indicators"
+    condition: variables.is_compromised
+    effect: deny
+    message: "Critical Trust Failure: Session is potentially compromised."
+
+  - description: "Replay to request source verification"
+    condition: variables.is_unverified
     effect: replay
     output_expr: |
       {
-        'append_attributes': variables.trust_decision.new_attributes,
-        'reason': 'Trust elevation required for proper answer.'
+        'reason': 'Data source is unverified.',
+        'action': 'verify_provenance'
       }
 
-  - description: "Trust sufficient, allow execution"
-    condition: variables.trust_decision.action == 'ALLOW'
-    effect: allow
-    message: "Trust level sufficient."
+  - description: "Replay generic untrusted contexts"
+    condition: agent.context.trust.level == 'untrusted'
+    effect: replay
+    output_expr: |
+      {
+        'reason': 'Context trust is insufficient.',
+        'required_level': 'trusted_3p'
+      }

tools/src/test/resources/trust_cascading_tests.yaml

@@ -1,34 +1,56 @@
 description: "Trust Cascading Policy Tests"
 
 section:
-- name: "Cascading Logic"
+- name: "Trust Finding Scenarios"
   tests:
-  - name: "Elevation Required (Replay)"
+  - name: "Critical Compromise (Deny)"
     input:
-      agent:
-        # Note: description is important below. It's used to fetch mocked history content.
+      agent.context:
         expr: >
-          Agent{ 
-            description: "trust_cascading_low" 
+          AgentContext{
+            trust: TrustLevel{
+              level: "untrusted",
+              findings: [
+                Finding{ value: "compromised_session", confidence: 0.95 }
+              ]
+            }
+          }
+    output: >
+      {
+        "effect": "deny",
+        "message": "Critical Trust Failure: Session is potentially compromised."
+      }
+
+  - name: "Unverified Source (Replay)"
+    input:
+      agent.context:
+        expr: >
+          AgentContext{
+            trust: TrustLevel{
+              level: "untrusted",
+              findings: [
+                Finding{ value: "unverified_source", confidence: 0.85 }
+              ]
+            }
           }
     output: >
       {
         "effect": "replay",
         "details": {
-           "append_attributes": { "trust_score": "MEDIUM" },
-           "reason": "Trust elevation required for proper answer."
+           "reason": "Data source is unverified.",
+           "action": "verify_provenance"
         }
       }
 
-  - name: "Trust Sufficient (Allow)"
+  - name: "Trusted Context (Allow)"
     input:
-      agent:
+      agent.context:
         expr: >
-          Agent{ 
-             description: "trust_cascading_medium" 
+          AgentContext{
+             trust: TrustLevel{ level: "trusted" }
           }
     output: >
       {
         "effect": "allow",
-        "message": "Trust level sufficient."
+        "message": ""
       }