Policy Linter

This tool decodes a Base64-encoded policy payload, parses the resulting JSON or text, and analyzes it for critical security invariants such as Atomicity (window <= 300s), Passive TTL (expiry presence), and Memory Safety (length prefixes). It accepts a single required input parameter policy_payload, which is a Base64 string that the worker must decode to raw policy content before analysis. The tool then produces a structured security risk and lint report describing findings, severities, and relevant metadata. The output must strictly validate against the system-provided structured output schema defined for this tool; do not add undocumented fields or deviate from the schema.