Policy Linter

This tool performs static analysis on a Base64-encoded policy string to identify violations of critical security invariants such as Atomicity, Passive TTL, and Memory Safety. It accepts a single required input, policy_payload, which is a Base64-encoded string containing the full policy or schema text; the worker must decode this payload to obtain the raw policy before analyzing it. The tool produces a structured security risk assessment, including findings and severity where applicable, and the output must strictly validate against the system-provided structured output schema for this tool, with no extra fields or deviations.