
Evaluation

At tool-call time, evaluateToolCallAndAudit:

  1. Chooses policy rows (agent-wide vs member-scoped) per agent type.
  2. Compiles them to Cedar (compileAllPolicies).
  3. Invokes evaluate with principal (NAMESPACE::User::"…"), action (NAMESPACE::Action::"toolName"), resource entity, context (arguments + time facets + session attributes).

@cedar-policy/cedar-wasm performs authorization decisions. GitHub-related calls may enrich resource attributes using installation metadata and harvested entity caches.

Audit rows capture allow/deny, timing, and policy identity for dashboard and export consumers.
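The request shape and audit row described above, as an added example that is not the project's own code. The function names, field names, the Repository entity type, and the injected authorize callback (a stand-in for the Cedar evaluator) are assumptions; treating an evaluator error as a deny is a choice made for this example.

```javascript
// Added example: NAMESPACE is the page's placeholder; other names are hypothetical.
const NAMESPACE = "NAMESPACE";

// Build the request: principal, action, resource, and context.
function buildRequest({ userId, toolName, resource, args, session, now = new Date() }) {
  return {
    principal: { type: `${NAMESPACE}::User`, id: userId },
    action: { type: `${NAMESPACE}::Action`, id: toolName },
    resource, // { type, id } entity reference
    context: {
      arguments: args,
      // Time facets in UTC so policies do not depend on server locale.
      time: { hour: now.getUTCHours(), dayOfWeek: now.getUTCDay() },
      session,
    },
  };
}

// authorize is injected: (request) => { decision: "allow" | "deny", policyIds: string[] }.
function evaluateAndAudit(request, authorize, auditLog) {
  const started = Date.now();
  let decision = "deny";
  let policyIds = [];
  let error = null;
  try {
    const result = authorize(request);
    // Only an explicit "allow" grants access; anything else is a deny.
    if (result && result.decision === "allow") decision = "allow";
    policyIds = (result && result.policyIds) || [];
  } catch (e) {
    error = String(e.message || e); // evaluator failure is recorded as a deny
  }
  // Tool arguments are left out of the row: they may carry secrets.
  auditLog.push({
    principal: request.principal.id,
    action: request.action.id,
    resource: `${request.resource.type}::"${request.resource.id}"`,
    decision, policyIds, error,
    durationMs: Date.now() - started,
  });
  return decision === "allow";
}

// Constructed sample call with a stub authorizer.
const sampleLog = [];
const sampleReq = buildRequest({ userId: "alice", toolName: "create_issue", args: { title: "demo" },
  resource: { type: `${NAMESPACE}::Repository`, id: "example/repo" }, session: { mfa: true } });
evaluateAndAudit(sampleReq, () => ({ decision: "allow", policyIds: ["policy0"] }), sampleLog);
```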