RFC-001: Policy Conversion Envelope (PCE)
RFC-001: Policy Conversion Envelope (PCE)
PRIVATE AND PROPRIETARY — NOT A PUBLIC RFC. Owned by Kanjani AI Research & Causum. See NOTICE.md.
1. Purpose
The Policy Conversion Envelope (PCE) defines a standardized, auditable container for converting policies between heterogeneous cloud security platforms, including but not limited to:
- Palo Alto Networks Prisma Cloud
- Wiz Wiz
The PCE SHALL ensure:
- deterministic processing
- explainability
- traceability
- governance enforcement
2. Core Principles
-
No Silent Inference
- The system MUST NOT invent mappings without evidence.
-
Placeholders as First-Class Objects
- Unknown mappings MUST be represented explicitly.
-
Evidence-Based Conversion
- Every transformation MUST include supporting evidence.
-
Human Override
- All conversions SHALL support human review and correction.
3. PCE Structure
| {
“pce_version”: “1.0”,
“job_id”: “string”,
“timestamp”: “ISO8601”,
“source”: {
"platform": "string",
"policy": {},
"context": {}},
“target”: {
"platform": "string",
"context": {},
"generation\_prompt": "string"},
“rules”: {
"allow\_placeholders": true,
"require\_evidence": true,
"require\_confidence": true,
"never\_invent\_fields": true}
| } |
|---|
4. Mandatory Fields
| Field | Requirement |
|---|---|
| job_id | MUST be unique |
| source.policy | MUST exist |
| source.context | MUST include help/schema |
| target.context | MUST include help/schema |
| rules | MUST be enforced |
5. Processing Lifecycle
INGEST PARSE NORMALIZE TRANSLATE VALIDATE OUTPUT