Skip to content

RFC-001: Policy Conversion Envelope (PCE)

RFC-001: Policy Conversion Envelope (PCE)

PRIVATE AND PROPRIETARY — NOT A PUBLIC RFC. Owned by Kanjani AI Research & Causum. See NOTICE.md.

1. Purpose

The Policy Conversion Envelope (PCE) defines a standardized, auditable container for converting policies between heterogeneous cloud security platforms, including but not limited to:

  • Palo Alto Networks Prisma Cloud
  • Wiz Wiz

The PCE SHALL ensure:

  • deterministic processing
  • explainability
  • traceability
  • governance enforcement

2. Core Principles

  1. No Silent Inference

    • The system MUST NOT invent mappings without evidence.
  2. Placeholders as First-Class Objects

    • Unknown mappings MUST be represented explicitly.
  3. Evidence-Based Conversion

    • Every transformation MUST include supporting evidence.
  4. Human Override

    • All conversions SHALL support human review and correction.

3. PCE Structure

| {

“pce_version”: “1.0”,

“job_id”: “string”,

“timestamp”: “ISO8601”,

“source”: {

"platform": "string",
"policy": {},
"context": {}

},

“target”: {

"platform": "string",
"context": {},
"generation\_prompt": "string"

},

“rules”: {

"allow\_placeholders": true,
"require\_evidence": true,
"require\_confidence": true,
"never\_invent\_fields": true

}

}

4. Mandatory Fields

Field Requirement
job_id MUST be unique
source.policy MUST exist
source.context MUST include help/schema
target.context MUST include help/schema
rules MUST be enforced

5. Processing Lifecycle

INGEST PARSE NORMALIZE TRANSLATE VALIDATE OUTPUT