feat(sdk): add conditional output lifts with external data sources

[yazcaleb]

This PR adds conditional lifts to output rules via unless clauses, custom context passthrough, and external condition sources with caching.

Output rule lifts

• Added unless clause on OutputRule that suppresses actions when all conditions evaluate true
• OutputValidator now returns liftedRuleIds and liftTrace in results for auditability
• Supports all condition operators (equals, matches, etc.) within unless clauses
• Lifts work with redact, block, and log actions for comprehensive conditional control

Custom context passthrough

• validateOutput and validateOutputAsync now accept OutputValidationContext with optional custom field
• Custom context flows into evaluation context as context.* for unless conditions
• condition-evaluato.ts resolves context.custom values for context.field references

External condition sources

• Added ConditionSourceConfig types for webhook, custom_context, and placeholder types
• Webhook sources POST JSON { source, params } and cache responses per TTL
• Custom context sources read from ValidationContext.custom with optional dot-path resolution
• LRU cache with cache_ttl and stale-while-revalidate for async lookups
• Webhook sources support environment variable expansion in url and auth headers

Schema changes

• RuleSet.condition_sources maps names to ConditionSourceConfig
• RuleCondition now has optional source and params fields
• Policy IR v1 schema updated with ConditionSource definition and new condition properties

Tests

• Test verifies lift on custom context match (context.nda_signed: true)
• Test verifies webhook resolution, caching, and fail-closed behavior on 503
• Webhook fetch mock validates POST body, auth header, and single-call caching

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[capy-ai]

Added 1 comment